Javascript must be enabled to download our products and perform other essential functions.

Buy Now Download Free Trial

Ransomware Protection

PA File Sight can detect and protect against ransomware attacks caused by infected client computers that encrypt server files.

Detection happens via simple detection methods used by other products, as well as more advanced options. Once a ransomware attack is detected, the server is protected and information is shared with other servers so they are protected as well.

Executive Summary


ionicons-v5-e Behavior analytics / activity monitoring


ionicons-v5-eKnown filenames


ionicons-v5-e Real-time alerts, including IP address

ionicons-v5-eAutomatically block infected users

ionicons-v5-eServers forward warnings to other servers


Read the step-by-step guide for setting up ransomware detection and protection using PA File Sight.

Setup Guide for Server Ransomware Protection

Defense in Depth

PA File Sight is a key piece of a layered security model. Servers need anti-virus and other products to protect them from direct attacks from software running on the server. PA File Sight adds a layer of protection by protecting server files from infected client computers that may attempt to encrypt or delete those files.

Ransomware Detection Techniques

Simple Detection - Honeypot

Some simple products create hidden folders with specific files that users should not touch. Anything that touches those files is considered a threat and alerted on. If the hackers that write the ransomware decide to not encrypt hidden files and folders, this detection method will fail. PA File Sight can support this simple method, but it also supports more robust detection methods.

Simple Detection - Filenames

Sometimes ransom notes with particular file names will be saved to the folder during a ransomware attack. Sometimes the files will be encrypted with a specific file extention (like Resume.docx.encrypted). Simple ransomware detectors watch for these cases, but this won't catch new variants of ransomware that come out later. PA File Sight supports this method, but it can also do better.

Robust Detection - Activity Monitoring

Ransomware attacks occur when a compromised client computer:

  • Reads files from the server
  • Saves the files back in an encrypted form

PA File Sight's advanced monitoring technology watches for a client computer doing reads and writes of many files in a short period of time, and runs alerts when the pattern is seen.

This feature is only available in the Ultra Edition. Compare Ultra vs Lite to see the differences.

Ransomware Server Protection

Automatically Block Infected Clients

PA File Sight can block the client account so it cannot access any more files on the server using the Add to Blocked User List action. This will prevent the compromised client account from accessing files on the server, without affecting other legitimate users still using the server.

Alert Other Servers Automatically

The Blocked Users List is actively shared among servers protected by the same PA File Sight installation, so other servers can be protected from the compromised client before it even attacks them.

Real Time Alerts

PA File Sight can alert system administrators about the attack with critical information such as the user account involved, and the client's IP address/computer name, giving system administrators a quickly respond and investigate.

Learn more about PA File Sight

In the last 10 years I have worked with many monitoring solutions like [list of well-known competitors], and I can say that your solution is the best.

Marcel S., Nettrust it-Services AG, Switzerland ionicons-v5-b