Snapshot-Based Ransomware Recovery

Within the past few years, the focus of many security teams has been shifting from pure prevention of cyber-attacks to richer detection and response/recovery capabilities. With the Snapshot-Based Ransomware Recovery tool, domain administrators can access their data on a snapshot within 15-30 minutes and recover it within minutes (for small folders) or hours (for very large folders). The snapshots of the domain's data are taken according to the following schedule:

  • 0-7 days, every 4 hours (6 snapshots per day)
  • 8-15 days, every 12 hours (2 snapshots per day)
  • 16-30 days, every 24 hours (1 snapshot per day)

Snapshot-Based Ransomware Recovery is included with the Platform Enterprise plan and the GxP with Governance Plan. The feature is also available as an add-on for Platform Business and Enterprise Lite plans. Contact your account manager or the Egnyte Sales team to learn more about how to get access to this feature.

 

 

Mounting a Snapshot

A domain admin can mount a snapshot by selecting one of the available snapshots and then clicking on Mount snapshot.

On the next pop-up, the admin can specify the name of the preview and the reason for it (the most common cause is Recovery from Ransomware attack) and then click the Mount button.

Although it is rare, links and permissions are sometimes not available in the snapshot to restore. If users plan to move existing files to a different location before restoring content from the snapshot, they can mount it but may lose links and permissions. This constraint doesn't apply when restoring content to the same location. However, it's recommended not to mount such a snapshot.

It will take 15-30 minutes (and usually less than that) to mount the snapshot - the status will change from Mounting to Mounted. Also, the system will send emails when the mounting process begins and the snapshot is ready for preview.

Remounting a Snapshot

The user will also have an option to remount an already unmounted snapshot, provided no other snapshot is already mounted or being mounted. From the history table, the user can click on the three dots and then the Remount option from the context menu.

Browsing Files on the Mounted Snapshot

One can click on the Preview button from the currently mounted snapshot tile.

That will open a Snapshot Preview that looks similar to a regular Web UI preview, but it will have a blue border around it as a reminder that it is a snapshot preview, not the regular domain preview.

File Preview or Download

An admin can preview or download files on a snapshot to double-check that these are the file versions that need to be restored.

Restoring Folders and Files From a Snapshot

To restore folders and files from a snapshot, the admin can select specific folders and then select Restore in the context menu for the folder (file).

Based on the reason selected at the time of mounting the snapshot, the mechanics of restoration will be slightly different. 

When restoring the content from the snapshot that was mounted with the reason Recovery from Accidental deletion, the latest version of the deleted file will be restored along with the associated links and permissions. The user will be informed accordingly, as shown below, before they choose to restore the content.

When restoring the content from the snapshot that was mounted with the reason Recovery from Ransomware attack or Other, the user will have two options as shown below.  

In case of a ransomware attack, depending on the ransomware type, the admin may find that the existing files have been encrypted by the ransomware. For that situation, the default and recommended option is to "Restore files to the same location." The links to the files, comments, folder permissions, etc., are kept intact with this option.

There might be a situation when ransomware deletes the existing files (so that the files are in Trash now) and creates new files (with cryptic names) in the folder. In this case, it is better to select the option to move all the existing files to a different location before restoring them. That will rename the original folder and restore the files into a folder under the original path.

Currently, the snapshots do not contain comments, custom metadata, workflows, etc. They will not be restored when the "Move all the existing files to a different location before restoring them to the same location" option is selected. The files, folders, links, and permissions will be restored.

Once the restoration begins, the user will be presented with the confirmation as shown below.

Users can track the restoration jobs as shown below. 

Users can also get more details about a specific restoration job by clicking on the restoration job as shown below.

Sometimes, when restoring files with the option "Restore files to the same location", the number of files after the restoration may exceed the limitation of 200k files per folder. In this case, the user will receive the following error message.

"The total number of files selected for restoration exceeds the current limit of 200,000 files. Please reduce your selection and try again."

In such cases, the user can select the other option, "Move all the existing files to a different location before restoring them to the same location".

Note that you may not see the option "Move all the existing files to a different location before restoring them to the same location" to restore the content if you had mounted the snapshot with the reason "Recovery from Accidental deletion." In this case, you will need to unmount the snapshot and then mount it again for a different reason.

 

Frequently Asked Questions

 

Can I create a snapshot at a particular time?

No, currently, all the snapshots are created automatically according to the following schedule:

  • 0-7 days, every 4 hours (6 snapshots per day)
  • 8-15 days, every 12 hours (2 snapshots per day)
  • 16-30 days, every 24 hours (1 snapshot per day)

Can the snapshots be kept for longer than the 30-day window?

Not right now. The focus of Snapshot-based Ransomware Recovery is to allow recovery from a ransomware attack. Usually, the encrypted ransomware files are discovered within 1-3 days of the attack. Hence, the 30-day window should be large enough. In the future, product capabilities may allow larger time windows.

Is there a limit to the number of files that can be restored?

Yes, there is currently a limit of 200,000 files per restoration job. If the user needs to restore more than 200,000 files, they should split the task into multiple restoration jobs. This limit is in place to ensure a smooth and fail-safe restoration process.

Which file version is restored from the snapshot?

The latest version of a file from a snapshot will be added to the existing version of the file in the domain. If the destination file does not exist in the domain, the latest version of the file on the snapshot will be restored.

Are the encrypted versions/files deleted during the restoration process?

No, the restoration job will restore the files (versions). It does not delete the encrypted files/versions. The admin can delete the files that are not needed after the restoration.

Can I have multiple mounted snapshots at the same time?

Only one snapshot can be mounted at a time. To mount another snapshot, it is necessary to unmount the currently mounted snapshot first.

How long can I keep the snapshot mounted?

If no restoration jobs are running for a mounted snapshot, the snapshot will be unmounted after some time (usually, 1-3 days since it was mounted).

How do I know which snapshot to mount?

The file Audit Report contains records of the file activity of users, so it is possible to identify when a user uploads many files starting from a specific point in time. If it happens to be the ransomware activity, a snapshot created before that specific point in time should be mounted for recovery.

How do I know which files or folders to restore?

The file Audit Report contains records of the file activity of users, so it is possible to identify when a user uploads many files starting from a specific point in time. If it happens to be the ransomware activity, then files and folders impacted by the action should be restored from the snapshot.
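
The two audit-based answers above (which snapshot to mount, and which folders to restore) can be worked through on an exported report. The Python below is an added example, not Egnyte code: the CSV column names (Date, User, Action, Path), the "Upload" action value, the burst threshold, and the sample rows and snapshot times are all constructed assumptions.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample export. Column names and the "Upload" value are assumptions.
AUDIT_CSV = """Date,User,Action,Path
2024-05-02 09:14:00,alice,Upload,/Shared/Finance/q1.xlsx
2024-05-02 11:40:00,bob,Upload,/Shared/HR/policy.docx
2024-05-02 13:05:00,bob,Download,/Shared/HR/policy.docx
2024-05-02 17:31:00,bob,Upload,/Shared/HR/a9f3.locked
2024-05-02 17:31:20,bob,Upload,/Shared/HR/77c1.locked
2024-05-02 17:32:05,bob,Upload,/Shared/Finance/e02b.locked
2024-05-02 17:33:10,bob,Upload,/Shared/Finance/5d4a.locked
2024-05-02 17:34:00,bob,Upload,/Shared/Legal/c8e6.locked
"""
# Constructed: snapshot times as they would be read off the snapshot list.
SNAPSHOTS = ["2024-05-02 08:00:00", "2024-05-02 12:00:00",
             "2024-05-02 16:00:00", "2024-05-02 20:00:00"]
FMT = "%Y-%m-%d %H:%M:%S"

def find_burst(rows, window=timedelta(minutes=10), threshold=5):
    """Earliest point where one user uploads >= threshold files within window."""
    per_user = defaultdict(list)
    for r in rows:
        if r["Action"] == "Upload":
            per_user[r["User"]].append((datetime.strptime(r["Date"], FMT), r["Path"]))
    best = None
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            if sum(1 for t, _ in events[i:] if t - start <= window) >= threshold:
                # Every folder this user wrote to from the onset on is a restore candidate.
                folders = sorted({p.rsplit("/", 1)[0] for _, p in events[i:]})
                if best is None or start < best[1]:
                    best = (user, start, folders)
                break
    return best

def pick_snapshot(snapshots, onset):
    """Latest snapshot taken strictly before the onset; None if none is old enough."""
    times = [datetime.strptime(s, FMT) for s in snapshots]
    return max((t for t in times if t < onset), default=None)

def analyze(csv_text=AUDIT_CSV, snapshots=SNAPSHOTS):
    burst = find_burst(list(csv.DictReader(io.StringIO(csv_text))))
    if burst is None:
        return None
    user, onset, folders = burst
    return {"user": user, "onset": onset, "folders": folders,
            "snapshot": pick_snapshot(snapshots, onset)}
```

Calling `analyze()` on the sample returns the account that produced the burst, the onset time, the folders to review for restoration, and the snapshot to mount; a `None` snapshot means no listed snapshot predates the onset.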

Can I recover data even when they are purged from the Trash?

Yes, when the feature is turned on for a domain, it is possible to recover the data deleted from Trash - if they were deleted within the sliding 30-day window for which the snapshots are kept.

When the admin previews or downloads files using the snapshot, is it recorded in the audit?

Yes, there will be records in the File Audit Report:

  • "Access": "Web UI - Snapshot Preview"
    • This tells the user that these audit entries result from snapshot preview action from the Web UI. 
  • "Action":
    • "Preview on Snapshot"
      • This tells the user that the file was previewed from the snapshot.
    • "Download from Snapshot"
      • This tells the user that the file was downloaded from the snapshot. 

When the files are restored by a Restoration Job, is it recorded in the audit?

Yes, there will be records in the File Audit Report:

  • "Access": "Restoration Job"
    • This tells the user that these audit entries result from initiating a restoration process from the Web UI. 
  • "Action":  "Restore from Snapshot" OR "Restore from Snapshot – Download Link" OR "Restore from Snapshot – Upload Link"
    • Restore from Snapshot: This tells the user that the file was restored from the snapshot.
    • Restore from Snapshot - Download Link: This tells the user that the download link for the file was restored from the snapshot.
    • Restore from Snapshot - Upload Link: This tells the user that the upload link for the folder was restored from the snapshot.

When the admin mounts a snapshot, is it recorded in the audit?

Yes, there is a separate Snapshot Recovery Audit Report, where users see information about who initiated the mounting of a snapshot and when the snapshot was unmounted.

When the admin starts a Recovery Job, is it recorded in the audit?

Yes, in the Snapshot Recovery Audit Report, users see information about who initiated the restoration job.

 

Learn more about Snapshot-Based Ransomware Recovery by watching a Quick Tip on Egnyte University: Snapshot-Based Ransomware Recovery.

 
