Ransomware detection overview

Ransomware detection helps alert admins to suspicious activity early, dentifying when a potential ransomware attack is in progress. It sends a notification to admins so they can take action before the threat spreads.

How to take action when ransomware is detected

When suspected ransomware is detected, you’ll receive an email notification in the admin console. Click Open alert in the email to view the alert details. From the Security alerts tab, you can view the following:

• What happened: A short description of what activity was detected.
• What’s at risk: Any possible risks to your account or data.
• Ransomware extension: The extension of the suspected malicious software detected.
• Ransomware type: The type of suspected malicious software detected.
• Members affected: Who on your team might be affected.
• Number of files affected: The number of files in your Dropbox account that may be affected.
• Potentially affected files: A list of individual files in your Dropbox account that may be affected.

You can take the following actions on a ransomware alert in the admin console:

• Take action: Review a series of recommended actions you can take on the alert, including determining if the alert is valid, recovering content, and suspending members.
• Suspend member: Suspend any member whose files were affected by the suspected ransomware. Suspending the member’s account may prevent possible further spread of malicious activity.
• Create report: Generate a summary of files affected by suspected ransomware, which will be saved to your Dropbox Reports folder.
• Exclude/include extension: Exclude or include alerts from suspected ransomware with the extension type detected. You can manage excluded extensions in Alert policies.
• Contact support: Submit a help request for further assistance with your account.
• Manage this policy: Adjust the settings for all ransomware detection alerts, including managing email notifications.

How to manage your ransomware detection policy

To manage your ransomware detection policy:

1. Log in to dropbox.com with your admin credentials.
2. Click Admin console in the left sidebar.
3. Under Products, click the dropdown to the left of Dropbox.
4. Click Security.
   • Note: Only certain types of admins can access the Security page.
5. Click Alerts. 
6. Click ☑ (more options) next to Ransomware suspected.
7. Click Edit.
   • In the General information section, you can toggle ransomware alerts On or Off.
   • In the Extension section, you can add extensions for ransomware alerts that you’d like to exclude by typing the extension name. Click X next to any extension name that you’d like to remove from the excluded section.
   • In the Notifications section, you can check or uncheck the box next to Send email notifications to receive email notifications. You can also specify which admins receive notifications under Send notifications to.
8. Click Save in the bottom right to save any changes to your ransomware detection policy.