Ransomware Circuit Breaker


What is Ransomware

When ransomware infects a computer, it encrypts all of the files on the infected computer that likely contain user-generated content, like Microsoft Office and PDF documents, and then demands a ransom to decrypt those files and allow the user to regain access to their content.  Ransomware may also rename the encrypted files and change their file extensions.  Finally, ransomware may lock a user’s computer until the ransom is paid.

File-syncing software like ndSync acts by detecting changes made to locally synced files and then syncing those changes to the server (and, in turn, syncing those changes to other computers that are configured to sync the same content).  From the perspective of file-syncing software, all file changes are treated the same way regardless of the source of those changes.  When files encrypted by ransomware are synced, this can result in a great inconvenience to users and administrators, as it takes a significant effort by both the customer and the file-syncing service to restore the original files, and in the meantime end users’ productivity will be impacted, because they may lose access to their files until the issue is resolved.

How the Circuit Breaker Feature Works

In order to mitigate the risk associated with ransomware, version 2.2 of ndSync for Windows includes a Ransomware “Circuit Breaker” feature.  This feature is enabled by default, but it can be disabled by a user, or a firm can use registry settings to require that the Circuit Breaker be and remain enabled.

The Circuit Breaker tracks most local activity that changes synced content on a user’s computer, like:

  • existing documents being updated, renamed and deleted, and
  • new documents being added. 

Then the Circuit Breaker compares this activity to the behavior that is typical of ransomware.  When the Circuit Breaker determines that the local activity resembles the activity of ransomware, the Circuit Breaker suspends the continued syncing of changes from the user's computer to the server, tracks future changes that are made to synced content on that computer, and alerts the user about what has happened.

There are two common behavior patterns of ransomware that will trigger the Circuit Breaker:

  • A large number of existing synced files are updated on the computer in a short period of time (and the files also may be renamed).  Ransomware typically encrypts hundreds of files (if not more) in a few minutes.
  • A large number of synced files are deleted (or their deletion is attempted) in a short period of time, and during the same time period, a large number of new files are added to the same synced folder, because ransomware may delete original files and replace them with new, encrypted copies.

A typical user would not commonly engage in either type of behavior.  For example, a user will edit (and save) at most only a few documents at a time.  And while a typical user may delete several documents at once or add several documents at once, a typical user is unlikely to perform both actions in a short period of time and in the same folder.

As noted above, the Circuit Breaker will track all activity of this kind.  Most of the time this will be intentional, innocuous behavior, and these changes will be synced without issue.  But when the activity that meets this suspicious pattern reaches a designated threshold, the Circuit Breaker will be triggered, and all syncing will be stopped.  Because ndSync is waiting for a threshold to be reached, a small number of changes will likely be synced to the server before the Circuit Breaker is triggered.

When the Circuit Breaker is triggered, the user will be notified that suspicious activity was detected (along with a list of the suspicious activity) and also that syncing has been suspended.  The user is then responsible for determining how to proceed.  If the activity was innocuous, then the user can respond accordingly and simply choose to continue syncing.  However, if the activity was, in fact, malicious, then the user can choose to “quarantine” any malicious changes that have not yet been synced.  Quarantining will have a different impact on different types of changes:

  • An updated, synced document will be moved out of its current synced location to a new Quarantined Items folder so that the updated document will not be synced when syncing resumes.  Also, because the document has been moved, when syncing resumes, the original document on the server will be synced back to the computer, restoring the document with its content before it was encrypted.
  • A renamed, synced document will be renamed back to its prior name so that the new name will not be propagated to the server when syncing resumes.
  • For a deleted document, ndSync will not send the deletion request to the server when syncing resumes, but instead when syncing resumes the original document on the server will be synced back to the computer, restoring the document from before it was deleted locally.
  • A document newly added by ransomware will be moved out of its current location to the Quarantined Items folder so that it will not be synced to the server when syncing resumes.

Assuming the user makes the appropriate decisions, the end result will be that any malicious changes that have not yet been synced will never be synced to the server and any quarantined, unsynced changes will be restored from the server after syncing resumes.

It is important to recognize that after the Circuit Breaker has been tripped and syncing has been stopped, ransomware may continue to encrypt synced files on the user's computer, all of which activity will be tracked.  The Circuit Breaker does nothing to interfere with the working of ransomware; it only stops changes applied by the ransomware from being synced to NetDocuments.  Therefore, a user also has the option to export a list of all of the suspicious activity – both synced and unsynced – which is particularly useful to assist with the recovery of any encrypted files that had been synced to the server.

Also, sometimes ransomware causes a user to lose access to their computer, in which case the user would not see the Circuit Breaker dialog that appears, which warns the user about the possibility of ransomware infection and informs the user that syncing has been suspended.  (This dialog is described in detail below.)  As a result, when the Circuit Breaker is triggered, ndSync will also create a CSV file with a list of the synced files and save that file to NetDocuments, so that the user will be able to determine which files were synced before syncing was suspended, in case the user cannot access their computer directly. 

How to Respond to Ransomware

A user’s computer being infected with ransomware should be considered an extraordinary event, to be handled jointly by the affected user and their firm’s IT department.  The affected user should immediately contact their IT department and determine the appropriate course of action, which should include the following actions:

  • If a user is unable to regain access to their computer, it is suggested that a Repository Administrator remove that computer from their repository by using the “Remove” feature on the device management page in NetDocuments, to ensure that content is no longer synced from that computer.
  • If a user retains or regains access to their computer, then
    • The user should:
      • download the CSV file from the Circuit Breaker dialog that tracks all of the changes made by the ransomware,
      • make copies of the ndSync log files,
      • quarantine any suspicious activity, and
      • quit the ndSync application.
    • The Repository Administrator should remove the computer from the repository on the device management page and then fully uninstall the ndSync application from the computer.  (Contact NetDocuments Support to determine how to fully uninstall all remaining ndSync application files from the user’s computer.)  Then take all appropriate actions to fully remove the ransomware from the user’s computer.  Only after taking all of those steps is it safe to reinstall ndSync.

Regarding content that was encrypted, renamed, deleted or added by ransomware and synced to the server before the Circuit Breaker was tripped, identify the affected documents from the CSV file that was saved to NetDocuments (the CSV file lists the DocumentID for each synced document, to make this easier), and take the following actions:

  • A Cabinet Admin for the cabinet in which a document was encrypted can perform a rollback of the document to its earlier state.
  • The user can rename the document back to its prior name, if necessary.
  • If a document had been deleted by ransomware, the affected user or a Cabinet Admin should be able to undelete the deleted document.  Note that a document may not have been successfully deleted if the repository had been configured to restrict deletions made by ndSync.  See the discussion below.
  • If any new documents were created by ransomware and synced to the server, the user whose account was used to create those documents can simply delete those documents from the server.

Enabling and Configuring the Circuit Breaker

The Circuit Breaker can be enabled and configured from the ndSync Settings dialog, which has a new “Circuit Breaker” section:


The Circuit Breaker feature can be enabled or disabled with the checkbox.  There are two other settings as well:

  • Number of activities.  This determines the number of activities that must be tracked in a certain period of time to trigger the Circuit Breaker.  The default is 5 activities, the minimum is 2, and the maximum is 25.
  • Number of minutes.  This determines the rolling period of time, in minutes, during which the amount of activity being tracked can trigger the Circuit Breaker.  The default is 2 minutes, the minimum is 1 minute, and the maximum is 10 minutes.

For example, assuming the default settings are being used, if five currently synced documents are updated on the computer in a rolling 2-minute period, that will trigger the Circuit Breaker.  The user can choose to increase or decrease each threshold.
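
The rolling-window threshold and the two trigger patterns described above can be modelled as follows.  This is an added example, not ndSync's own code: the CircuitBreaker class, the (seconds, kind, path) event format and the sample paths are constructed for illustration.  It assumes that the second pattern trips when deletes and adds in the same folder each reach the threshold, and that the change that trips the breaker is held rather than synced.

```python
from collections import deque
from pathlib import PureWindowsPath


class CircuitBreaker:
    """Rolling-window monitor using the documented default thresholds."""

    def __init__(self, activities=5, minutes=2):
        # Documented ranges: 2-25 activities, 1-10 minutes.
        if not (2 <= activities <= 25 and 1 <= minutes <= 10):
            raise ValueError("threshold outside the documented range")
        self.activities, self.window = activities, minutes * 60
        self.recent = deque()   # (timestamp, kind, folder) inside the window
        self.held = []          # changes tracked but not synced after a trip
        self.tripped = False

    def observe(self, ts, kind, path):
        """Record one local change; return True if it is allowed to sync."""
        if not self.tripped:
            folder = str(PureWindowsPath(path).parent).lower()
            self.recent.append((ts, kind, folder))
            while ts - self.recent[0][0] > self.window:
                self.recent.popleft()      # expire events older than the window
            updates = sum(k in ("update", "rename") for _, k, _ in self.recent)
            deletes = sum(k == "delete" and f == folder for _, k, f in self.recent)
            adds = sum(k == "add" and f == folder for _, k, f in self.recent)
            # Pattern 1: burst of updates/renames. Pattern 2 (assumed reading):
            # deletes AND adds in one folder both reach the threshold.
            self.tripped = (updates >= self.activities
                            or min(deletes, adds) >= self.activities)
        if self.tripped:
            self.held.append((ts, kind, path))  # awaits approve/quarantine
        return not self.tripped


def replay(events, **settings):
    """Return (breaker, events that synced before any suspension)."""
    cb = CircuitBreaker(**settings)
    return cb, [e for e in events if cb.observe(*e)]


# Constructed sample events: (seconds, kind, path).
DOCS = r"C:\ndSync\Matter 1001"
ENCRYPT_BURST = [(i * 10, "update", rf"{DOCS}\doc{i}.docx") for i in range(8)]
BULK_DELETE = [(i, "delete", rf"{DOCS}\old{i}.pdf") for i in range(6)]
SWAP = [(i, k, rf"{DOCS}\f{i}{e}") for i in range(5)
        for k, e in (("delete", ".docx"), ("add", ".docx.locked"))]
```

Replaying ENCRYPT_BURST with the defaults lets four updates sync before the fifth trips the breaker, which is the "small number of changes" that reach the server; BULK_DELETE on its own never trips it.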

A firm can use the registry to automatically enable and configure the Circuit Breaker for all of its users.  There are three such settings:

  • CircuitBreakerEnabled=True|False
  • CircuitBreakerActivities=# (minimum 2; maximum 25)
  • CircuitBreakerMinutes=# (minimum 1; maximum 10)

If these values are set in HKEY_CURRENT_USER, they will simply be treated as defaults, but the user can override them.  If these values are set in HKEY_LOCAL_MACHINE, then the user cannot override the settings.

The Circuit Breaker Dialog and Other User-Facing Elements

The Circuit Breaker dialog looks like this:


with these key features:

  1. Warning language at the top.  A user can click to see the full language.
  2. A list of the documents that have already been synced that have been affected by the suspicious activity, and how the documents have been affected.  There is also a link to the CSV file that was saved to NetDocuments that contains the same list of documents.
  3. A list of the documents on the user’s computer that were changed AFTER the Circuit Breaker was triggered, but which changes have not yet been synced to NetDocuments.  These are the changes that the user can choose to approve or quarantine.
  4. A button to approve any selected documents in the second list.
  5. A button to quarantine any selected documents in the second list.
  6. A button to export a list of all of the affected documents – both synced and unsynced – to CSV.
  7. A button to Resume Syncing, which can be clicked ONLY if every document in the second list has been approved or quarantined.

In the System Tray, after the Circuit Breaker has been tripped, the ndSync icon is shown as suspended (red icon with the horizontal line):


And in the ndSync application itself, after the Circuit Breaker has been tripped, there will be:

  • a message about "Suspicious Activity Detected" (clicking on that link will display the Circuit Breaker dialog),
  • syncing is shown as suspended at the bottom, and
  • if documents have been quarantined, a “Quarantined Items” menu item is displayed that will open the Quarantined Items folder.


Finally, quarantined items are placed in the Quarantined Items folder, which is a child of the ndSync folder.  The content in this folder will NOT be synced:


NetDocuments Server Setting to Restrict Deletions from ndSync

It is strongly recommended that you use the Circuit Breaker feature in conjunction with the repository-level, server-side setting introduced in version 17.2 of NetDocuments, to restrict deletions from being applied on the server when synced documents are deleted on a local device, except in limited circumstances:


With that setting enabled, if ransomware acts by deleting synced documents on the local device, then those deletions will never be applied on the server, and there will be no risk of lost data and a minimal impact on productivity.

It is also important to emphasize that, even without the Circuit Breaker feature enabled, syncing encrypted documents will not cause ransomware to infect NetDocuments’ servers, where the documents are securely stored.  At worst, individual documents that have been encrypted on a user’s local machine will be synced to the server, but the ransomware virus itself will not infect the servers.