Ransomware Detection with SyncBack

Author: Swapna Naraharisetty, 2BrightSparks Pte. Ltd.

What is Ransomware?

Ransomware is a type of malicious program that encrypt user’s files (personal or business documents, photos, videos, data), make them inaccessible and demands a payment to provide a decryption key (or a program) to remove ransomware from the infected computer. Paying a ransom does not guarantee victim’s access to his data or stop hackers from triggering the ransomware again. It's very important to understand the threat and take precautions to protect yourself from being a victim of ransomware.

Fortunately, SyncBack offers several effective solutions to save your files and money from ransomware attacks. The best solution is to use SyncBack to perform regular backups of your data to an offsite location (e.g. cloud server or FTP), as ransomware cannot easily find or encrypt files stored offline. You can refer to our Ransomware - how to protect yourself article for guidelines to guard against ransomware.

However, in some cases, especially when backups are run unattended (e.g. scheduled backups, periodic backups), the infected files from your source may overwrite backup files (including version files or multiple backup copies) without the user’s notice, resulting in a complete loss of your data.

To avoid such situations, SyncBack V8 introduced two new features to detect a ransomware infection on your host system and stop it infecting your backup storage.

Ransomware Detection

The ransomware detection feature checks to see if a file (of your choice) has been modified, and if so, SyncBack will stop the backups (including automated backups) and prevents copying the infected files to your backup copies.

To use this feature, go to the Preferences main menu (from SyncBack main window) > Options > Expert > Ransomware Detection. There are two ways to enable it:

  1. Under the Filename option, you can select an existing file (as a ransomware detection file) from your local drive. Choose an existing file which is likely to be encrypted by ransomware (if your computer is affected by virus), e.g. a word processing document from your My Documents folder. You must choose a file that won’t be modified by any user or process.

  2. Alternatively, click the Create button to have SyncBack create a random file (with a .RTF extension) in your My Documents folder.

SyncBack will then calculate the hash value of that random file and keep a record of it.

When a backup is next run, SyncBack will check to see if that ransomware detection file has been changed, and if so, it will stop the backups.

SyncBack V10 introduced two more methods of ransomware detection: at the profile level and with SyncBack Touch. In V10 you can configure the profile to detect ransomware on your source and/or destination, e.g. on your FTP server. You can also configure SyncBack Touch to detect ransomware on the device it is installed on.

Additional protection - warn/abort if too many files are going to be changed

Another feature raises a warning message to the user, or aborts an automated backup, when a given percentage (or more) files are going to be updated during a profile run. You can enable this option under:

Modify > Expert > Copy/Delete > Warning setting page

  • Warn me (abort profile if unattended) if X% or more of my source/left files are going to be updated due to my settings
  • Warn me (abort profile if unattended) if X% or more of my destination/right files are going to be updated due to my settings

For instance, you have configured the setting as “Warn me if 20% or more of my destination files are going to be updated due to my settings" (as you know you won’t modify more than 20% of files prior to a profile run).

When the profile is next run, SyncBack will calculate the total number of files that will be updated by the actions of the profile. If 20% or more files are going to be updated, you will be prompted if you want to continue or stop the profile execution. At that stage, you can analyse the list of changed files on source and decide to continue the profile run if those changes are valid or stop the profile run if you are attacked by virus. In case, your backups are automated, the profile run will be aborted, and no file will be copied to your destination.


In conclusion, ransomware attacks are expected to develop further and become more common in the future. Therefore, 2BrightSparks aims at providing additional security features to our users to safeguard your data from ransomware attacks of today and in the future.

Noted Customers

© 2003-2024 2BrightSparks Pte. Ltd.  | Home | Support | Privacy | Terms | Affiliate Program

Home | Support | Privacy | Terms
© 2003-2024 2BrightSparks Pte. Ltd.

Back to top