Ransomware detection overview

Ransomware detection alerts admins to potentially suspicious activity early and helps to prevent malicious ransomware from spreading. It helps identify when a ransomware attack is in progress and sends admins a notification.

How to take action when ransomware is detected

When suspected ransomware is detected, you’ll receive an email notification. Click Open alert to be taken to details about the alert. From the Alerts page, you can see the following:

• What happened: A short description of what activity was detected.
• What’s at risk: Any possible risks to your account or data.
• Ransomware extension: The extension of the suspected malicious software detected.
• Ransomware type: The type of suspected malicious software detected.
• Members affected: Who on your team might be affected.
• Number of files affected: The number of files in your Dropbox account that may be affected.
• Potentially affected files: A list of individual files in your Dropbox account that may be affected.

You can take the following actions on a ransomware alert:

• Take action: Review a series of recommended actions you can take on the alert, including determining if the alert is valid, recovering content, and suspending members.
• Suspend member: Suspend any member whose files were affected by the suspected ransomware. Suspending the member’s account may prevent possible further spread of malicious activity.
• Exclude/include extension: Exclude or include alerts from suspected ransomware with the extension type detected. You can manage excluded extensions in Alert policies.
• Contact support: Submit a help request for further assistance with your account.
• Manage this policy: Adjust the settings for all ransomware detection alerts, including managing email notifications.

How to manage your ransomware detection policy

To manage your ransomware detection policy:

1. Log in to dropbox.com with your admin credentials.
2. Click Admin console.
3. Click Security.
   • Note: Only certain types of admins can access the Security page.
4. Click Alert policies.
5. Click the “…” (ellipsis) next to Suspected ransomware detected.
   • In the General information section, you can toggle ransomware alerts On or Off.
   • In the Extension section, you can add extensions for ransomware alerts that you’d like to exclude by typing the extension name. Click X next to any extension name that you’d like to remove from the excluded section.
   • In the Notifications section, you can check or uncheck the box next to Send email notifications to receive email notifications. You can also specify which admins receive notifications under Send notifications to.
6. Click Save in the bottom right to save any changes to your ransomware detection policy.