Recover from advanced malware attacks using the Snapshot feature - x360Sync

Written By Tami Sutcliffe (Super Administrator)

Updated at October 5th, 2022

Overview

The Snapshot feature allows administrators to easily copy a Team Share, backup, or a user’s personal data as it existed at a specific point in time, including content that was previously deleted, recreated, moved, or changed. This feature even recovers the revision history of restored content, starting from the selected date.

The Snapshot Feature and Ransomware

Ransomware is a type of malware that denies access to infected content, and demands that the user pay a ransom to remove the restriction. In many instances, you can use x360Sync's Restore Deleted and Revision Rollback features to restore affected files to their previous, healthy revisions.

Advanced ransomware attacks—such as Locky—might delete, recreate, then change file names, thereby affecting a file’s revision history, and preventing you from restoring to a previous revision. The Snapshot feature helps you recover from these advanced attacks, allowing you to restore data as it existed before infection. 

The Snapshot feature is one of many x360Sync features that help protect and restore data. For more information on x360Sync's data restore options, please reference the following Knowledgebase articles:

  • The Restore Revisions feature allows you to restore one file to a previous revision.
  • The Revision Rollback feature helps you recover from many variants of ransomware; the feature utilizes a file’s revision history to restore all currently-existing content to a healthy revision.
  • The Restore Deleted feature allows you to restore a file that has been previously marked as deleted.

Other Use Cases

In addition to ransomware recovery, you can also use the Snapshot feature for data management or archive purposes. For example, if an employee resigns from an organization, you might decide to clone his personal root folder as a Team Share and retain this content as a record or archive.

A Technical Note About Purged Files and Folders

Please note that purged files and folders cannot be recovered using this feature. Purged files and folders are defined as:

  • Files and folders that have been deleted and then purged
  • Files and folders that have been deleted, purged, and then manually recreated
  • Files and folders that have been moved from a folder location that is later deleted and purged; in these instances, the revisions captured in the original folder location will not be recovered

Purge settings can be managed as an organization policy.

A Technical Note About Snapshot's Point-In-Time Recovery

The Snapshot feature recovers data based on the timestamp of the revision stored on the x360Sync server, not the timestamp that displays in the Modified field in the web portal or the Date Modified field on the local file system. 
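One way to narrow down the day and time of infection before choosing the snapshot's point in time, shown as an added example that is not part of the original article or of x360Sync. The comma-separated record layout (server-side timestamp, action, path), the sample events, and the window and threshold values are assumptions constructed for illustration; the script flags the first dense run of delete, create, and rename events of the kind described for Locky above.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample records: server-side timestamp, action, path.
# This layout is an assumption, not x360Sync's Activity Log format.
SAMPLE_EVENTS = """\
2022-09-28T10:02:11,update,/Reports/q3.xlsx
2022-09-29T16:40:03,delete,/Reports/old-draft.docx
2022-09-30T09:15:27,create,/Reports/q4-plan.docx
2022-10-03T14:21:05,delete,/Reports/q3.xlsx
2022-10-03T14:21:06,create,/Reports/A1B2C3.locky
2022-10-03T14:21:08,delete,/Reports/q4-plan.docx
2022-10-03T14:21:09,create,/Reports/D4E5F6.locky
2022-10-03T14:21:12,rename,/Contracts/nda.pdf
2022-10-03T14:21:13,delete,/Contracts/msa.pdf
2022-10-03T14:21:15,create,/Contracts/0A1B2C.locky
"""

# Actions that make up the delete / recreate / rename pattern.
DESTRUCTIVE = {"delete", "create", "rename"}

def parse_events(text):
    """Parse 'timestamp,action,path' lines into time-sorted tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, action, path = line.split(",", 2)
        events.append((datetime.fromisoformat(ts), action.strip().lower(), path))
    return sorted(events)

def find_burst_start(events, window=timedelta(minutes=5), threshold=6):
    """Return when the first dense run of destructive events began, or None."""
    recent = deque()
    for ts, action, _path in events:
        if action not in DESTRUCTIVE:
            continue
        recent.append(ts)
        while ts - recent[0] > window:  # drop events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            return recent[0]
    return None

def suggest_cutoff(events):
    """Suggest a snapshot date: the calendar day before the burst began."""
    start = find_burst_start(events)
    return None if start is None else (start - timedelta(days=1)).date()

if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("burst began:", find_burst_start(evts))
    print("snapshot up to:", suggest_cutoff(evts))
```

The isolated delete and create on earlier days stay below the threshold, so only the 14:21 run is flagged; tune `window` and `threshold` to the share's normal activity.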

How to Restore a Personal Root Folder

When using the Snapshot feature to restore personal data, the system will copy the data into a new Team Share. Administrators can then subscribe appropriate users to this new Team Share.

  1. If recovering from ransomware, ensure you have completely removed the virus.
  2. In the affected user's web portal view, use the Activity Log tab to find the day and time the infection occurred. For instructions, please reference the Viewing Reports and Tracking Activity Knowledgebase article.



  3. In the administrative web portal, click the Accounts tab. 
  4. Find the affected personal root folder and click its Snapshot button.



    The Snapshot dialog box displays.


     
  5. In the Snapshot dialog box, enter the following information:
    1. In the New Team Share Name field, enter the name of the new Team Share that will be created.
    2. Select the Only Include Data Up To The Following Point In Time checkbox if you need to capture files from a specific point in time. Then, select a date prior to when the data was affected.
    3. Click the OK button when you are finished. Or, click the Cancel button if you do not wish to proceed. Please note that this procedure might take several minutes.

      The Confirm Snapshot dialog box displays, asking you to confirm or cancel the request.

       

    4. In the Confirm Snapshot dialog box, click the Yes button to confirm. Administrators will then have the ability to add appropriate subscribers to this newly created Team Share.

      Note: If Privacy Mode is enabled, you will be able to use the Snapshot feature to recover data in personal folders, team shares, and backups. However, you will not be able to browse the contents of the recovered data.

  6. Optionally, review the status indicator in the Team Share page, or review the Activity Log in the administrative web portal to confirm the completion of this process. You should also review the contents of the newly created Team Share to ensure the data exists as expected.

IMPORTANT: Please note that while the snapshot is in progress, any actions taken to delete the original source content will result in the cancellation of the snapshot's progress. Deletion of the source content prior to snapshot completion will result in an incomplete snapshot. 

How to Restore a Backup

When using the Snapshot feature to recover backups, the system will copy the data into a new Team Share. Administrators can then subscribe appropriate users to this new Team Share.

  1. If recovering from ransomware, ensure you have completely removed the virus.
  2. In the affected user's web portal view, use the Activity Log tab to find the day and time the infection occurred. For instructions, please reference the Viewing Reports and Tracking Activity Knowledgebase article.



  3. In the administrative web portal, click the Backups tab.
  4. Find the affected backup and click its Snapshot button.



    The Snapshot dialog box displays.


     
  5. In the Snapshot dialog box, enter the following information:
    1. In the New Team Share Name field, enter the name of the new Team Share that will be created.
    2. Select the Only Include Data Up To The Following Point In Time checkbox if you need to capture files from a specific point in time. Then, select a date prior to when the data was affected.
    3. Click the OK button when you are finished. Or, click the Cancel button if you do not wish to proceed. Please note that this procedure might take several minutes.

      The Confirm Snapshot dialog box displays, asking you to confirm or cancel the request.

       

    4. In the Confirm Snapshot dialog box, click the Yes button to confirm. Administrators will then have the ability to add appropriate subscribers to this newly created Team Share.

      Note: If Privacy Mode is enabled, you will be able to use the Snapshot feature to recover data in personal folders, team shares, and backups. However, you will not be able to browse the contents of the recovered data.

  6. Optionally, review the status indicator in the Team Share page, or review the Activity Log in the administrative web portal to confirm the completion of this process. You should also review the contents of the newly created Team Share to ensure the data exists as expected.
  7. Delete the original impacted backup.
  8. Delete the contents of the folder from the machine from which the backup originated.
  9. Subscribe the affected user to the Team Share and allow the sync down process to complete. The user will now have access to his or her original data in its last healthy state.

IMPORTANT: Please note that while the snapshot is in progress, any actions taken to delete the original source content will result in the cancellation of the snapshot's progress. Deletion of the source content prior to snapshot completion will result in an incomplete snapshot. 

How to Restore a Team Share

When using the Snapshot feature to restore a Team Share, the system will copy the data into a new Team Share. Administrators can then subscribe appropriate users to this new Team Share.

Note: If ransomware has impacted a Team Share that has been mapped through File Server Enablement, please skip to the How to Restore a Team Share that is Mapped Through File Server Enablement section listed below.

  1. If recovering from ransomware, ensure you have completely removed the virus.
  2. In the affected user's web portal view, use the Activity Log tab to find the day and time the infection occurred. For instructions, please reference the Viewing Reports and Tracking Activity Knowledgebase article.



  3. In the administrative web portal, click the Shares tab.
  4. Find the affected Team Share and click its Snapshot button.


    The Snapshot dialog box displays.


     
  5. In the Snapshot dialog box, enter the following information:
    1. In the New Team Share Name field, enter the name of the new Team Share.
    2. Select the Only Include Data Up To The Following Point In Time checkbox if you need to capture files from a specific point in time. Then, select a date prior to when the data was affected.
    3. Click the OK button when you are finished. Or, click the Cancel button if you do not wish to proceed. Please note that this procedure might take several minutes.

      The Confirm Snapshot dialog box displays, asking you to confirm or cancel the request.

       

    4. In the Confirm Snapshot dialog box, click the Yes button to confirm. Administrators will then have the ability to add appropriate subscribers to this newly created Team Share.

      Note: If Privacy Mode is enabled, you will be able to use the Snapshot feature to recover data in personal folders, team shares, and backups. However, you will not be able to browse the contents of the recovered data.

  6. Optionally, review the status indicator in the Team Share page, or review the Activity Log in the administrative web portal to confirm the completion of this process. You should also review the contents of the newly created Team Share to ensure the data exists as expected.

IMPORTANT: Please note that while the snapshot is in progress, any actions taken to delete the original source content will result in the cancellation of the snapshot's progress. Deletion of the source content prior to snapshot completion will result in an incomplete snapshot. 

 

How to Restore a Team Share that is Mapped Through File Server Enablement

When ransomware impacts a folder that has been mapped through File Server Enablement, the following restoration process will ensure that the Windows folder will still function as expected (including network share settings, permissions, and so forth). 

  1. If recovering from ransomware, ensure you have completely removed the virus.
  2. In the affected user's web portal view, use the Activity Log tab to find the day and time the infection occurred. For instructions, please reference the Viewing Reports and Tracking Activity Knowledgebase article.



  3. In the administrative web portal, click the Shares tab.
  4. Find the affected Team Share and click its Snapshot button.


    The Snapshot dialog box displays.


     
  5. In the Snapshot dialog box, enter the following information:
    1. In the New Team Share Name field, enter the name of the new Team Share.
    2. Select the Only Include Data Up To The Following Point In Time checkbox if you need to capture files from a specific point in time. Then, select a date prior to when the data was affected.
    3. Click the OK button when you are finished. Or, click the Cancel button if you do not wish to proceed. Please note that this procedure might take several minutes.

      The Confirm Snapshot dialog box displays, asking you to confirm or cancel the request.

       
    4. In the Confirm Snapshot dialog box, click the Yes button to confirm.
  6. After the Snapshot process completes, click the Machines tab. Find the affected machine and click its Mapped Folders link.

    IMPORTANT: Please note that while the snapshot is in progress, any actions taken to delete the original source content will result in the cancellation of the snapshot's progress. Deletion of the source content prior to snapshot completion will result in an incomplete snapshot. 




    The File Server Enablement page displays.
  7. In the File Server Enablement page, click the Delete button to remove the mapping.



    Removing this connection will ensure that data is available in the cloud if another restore attempt is required.
  8. In the file server, navigate to the affected folder location. Be sure to back up this affected folder; then, delete all files and subfolders within this folder.   

    IMPORTANT: We strongly recommend backing up this locally infected data in case you have excluded files that were never synchronized to the cloud. 

  9. In the administrative web portal, re-map the folder to the newly restored Team Share created in steps 1-3. For complete instructions on configuring File Server Enablement, please reference the Cloud-Enabling a Server Using File Server Enablement Knowledgebase article.