Ransomware Datto

Ransomware Detection

Datto RMM is a cloud platform that allows MSPs to remotely monitor, manage, and support their endpoints. It also includes native Ransomware Detection. Ransomware Detection for Datto RMM monitors endpoints for crypto-ransomware using proprietary behavioral analysis of files. You will be notified if a device has been infected. When Datto RMM detects ransomware, it attempts to stop it from spreading.

This topic gives an overview of Ransomware Detection in Datto RMM and answers questions frequently asked by our partners.

VIDEO Find out how Datto RMM Ransomware Monitoring Detection can be a critical layer of security for your customer environment.

NOTE After a recent update by KnowBe4, you’ll notice that your Collector files now have a .ex_ extension. To make the simulation work properly, you will need to manually change it to .exe.

Key benefits

  • Be aware of ransomware infections immediately. Rather than waiting for users to report it, Datto RMM will notify technicians as soon as files are encrypted by ransomware. This will allow for quicker response and may even prevent further spread. Below is an example of a Datto RMM Alert that is generated when ransomware has been detected on a device.
  • Monitor targeted devices easily using policy-driven configuration. Datto RMM's powerful policy-driven approach allows MSPs to easily monitor specific devices for ransomware. Integration with important MSP tools like Autotask PSA and ConnectWise Manage, as well as email notification options, ensures that ransomware is detected quickly and the appropriate resources are notified.
  • Stop ransomware spreading to other devices by isolating the infected device from the network.
  • Remotely resolve issues. Devices that are automatically disconnected from the network can still contact Datto RMM. This allows technicians to quickly and effectively address the problem.
  • Use Datto Continuity products to quickly recover from ransomware attacks.


Requirements

  • An active Datto RMM subscription is required.
  • Ransomware detection must be turned on.

NOTE Ransomware monitoring requires an additional license. Refer to Enable Ransomware Detection for more information and for how to add licenses.

  • To add Ransomware monitoring to a device or a monitoring policy, you must have the appropriate permissions.
  • Devices should be managed. Ransomware detection is not available on OnDemand devices.
  • Ransomware monitoring is only available in the New UI.

Supported devices

The Ransomware monitor can be applied to all supported Windows devices. Refer to Windows.

Ransomware monitoring features

A Ransomware monitor can be added to an individual device or as part of a Monitoring policy. These features are included in the Ransomware monitor:

  • Alert details include options like configuring monitored locations, paths, exclusion of file extensions, and setting priority. These are the criteria that specify what the monitor is looking for before creating an alert.
  • Response details include options like isolating the device from the network, configuring a customized response component, trying to stop ransomware processes, and ticket creation.

You can find information on how to create a Ransomware Monitor in the New UI, and how to specify details for it, at Monitors – New UI.

You can find information on how to create a policy using the New UI as well as how to specify details for a Monitoring policy in Policies – New UI.