
Elastic Compute Service:Enhance anti-ransomware capabilities for instances

Last Updated: Jun 24, 2026

Ransomware is malware that encrypts your business data, causing service disruptions, data leakage, and data loss. These attacks pose significant risks to your business. This topic describes how to enhance the anti-ransomware capabilities of your instances.

Background

As technology evolves, new types of malware emerge, and ransomware has become a common threat. Alibaba Cloud uses its extensive experience in cloud security and cutting-edge security technologies to provide comprehensive security solutions. For more information about how to defend against ransomware, see Overview of the anti-ransomware service.

Symptoms

When your instance is attacked by ransomware, its data files (and sometimes its system files) are encrypted, and a ransom note is dropped in the affected directories, typically including the user's working directory. For example, on a Windows-based instance, a ransom note like the one below typically appears.

[Image: example ransom note on a Windows-based instance]

Note

After ransomware encrypts or locks system files, the instance may fail to start or you may be unable to connect to it remotely. This is often one of the first signs of an anomaly. If you are suddenly unable to connect to your instance, investigate a potential ransomware attack. Before you restart or reinitialize the instance, create a snapshot of its system disk and data disks so that the current state is preserved for investigation and recovery.
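The symptoms above can be checked from an elevated PowerShell session before you decide whether an instance is infected. The following is an added example, not code from the Alibaba Cloud page: it scans a directory tree for ransom-note files and for recently modified files whose contents look encrypted, using the Shannon entropy of the first 4 KB. The note-name pattern, the 7.5 bits-per-byte threshold, the 24-hour lookback, and the sample files it creates are hypothetical choices for illustration.

```powershell
# Added example, not code from the Alibaba Cloud page: first-response triage for
# the ransomware symptoms described above. Hypothetical choices: the note-name
# pattern, the 7.5 bits/byte threshold, the 24-hour lookback, the sample files.

function Get-ByteEntropy {
    # Shannon entropy in bits per byte: roughly 4-5 for text, close to 8 for ciphertext.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $n = [double]$Bytes.Length
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $n; $h -= $p * [Math]::Log($p, 2) }
    }
    return $h
}

function Find-RansomwareIndicators {
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$LookbackHours = 24,
        [double]$EntropyThreshold = 7.5,
        [int]$SampleBytes = 4096
    )
    $since = (Get-Date).AddHours(-$LookbackHours)
    # Words that ransom notes commonly carry in their file names (illustrative list).
    $notePattern = '(?i)(readme|decrypt|recover|restore|how[_ -]?to|ransom)'
    $noteExt = '.txt', '.html', '.htm', '.hta'
    $notes = New-Object System.Collections.Generic.List[string]
    $hits  = New-Object System.Collections.Generic.List[object]

    foreach ($f in Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue) {
        if ($f.Extension -in $noteExt -and $f.BaseName -match $notePattern) { $notes.Add($f.FullName) }
        if ($f.LastWriteTime -lt $since -or $f.Length -eq 0) { continue }
        # Read only the head of each recently modified file and measure its entropy.
        $stream = [System.IO.File]::OpenRead($f.FullName)
        try {
            $buf = New-Object byte[] ([int][Math]::Min($SampleBytes, $f.Length))
            $null = $stream.Read($buf, 0, $buf.Length)
        } finally { $stream.Dispose() }
        $h = Get-ByteEntropy -Bytes $buf
        if ($h -ge $EntropyThreshold) {
            $hits.Add([pscustomobject]@{ Path = $f.FullName; Entropy = [Math]::Round($h, 2); Extension = $f.Extension })
        }
    }
    [pscustomobject]@{
        RansomNotes      = $notes
        LikelyEncrypted  = $hits
        # One unfamiliar extension dominating the hits points to a renaming scheme.
        ExtensionSummary = $hits | Group-Object Extension | Sort-Object Count -Descending | Select-Object Name, Count
    }
}

# Constructed sample data (not from a real incident): a plain-text "document", the
# same name with an extra extension and random contents, and a ransom note.
$sample = Join-Path $env:TEMP ('ransomscan-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $sample | Out-Null
Set-Content -LiteralPath (Join-Path $sample 'report.docx') -Value ('quarterly figures, plain text. ' * 200)
$rand = New-Object byte[] 8192
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rand)
[System.IO.File]::WriteAllBytes((Join-Path $sample 'report.docx.locked'), $rand)
Set-Content -LiteralPath (Join-Path $sample 'HOW_TO_DECRYPT_FILES.txt') -Value 'Your files are encrypted. Contact us to buy the key.'

$result = Find-RansomwareIndicators -Root $sample
"Ransom note candidates: $($result.RansomNotes -join ', ')"
$result.LikelyEncrypted | Format-Table -AutoSize      # report.docx.locked, entropy close to 8
$result.ExtensionSummary | Format-Table -AutoSize
Remove-Item -LiteralPath $sample -Recurse -Force
```

Run it against the data directories of the suspect instance rather than the sample folder. Legitimately compressed or encrypted files (archives, images, BitLocker volumes) also score high, so the signal to act on is the combination: many recently modified high-entropy files, an unfamiliar extension across them, and a note file. Take the snapshot recommended above before doing anything that changes the disk.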

Solution overview

Although preventive measures reduce the risk of infection, they cannot eliminate it. Against ransomware, data backup is your last line of defense. A backup is only useful if the ransomware cannot reach it: keep backup copies where a process running on the infected instance, or an attacker holding its credentials, cannot modify or delete them. Also note that when you restore data from a backup or a snapshot, everything written after that backup or snapshot was taken is lost. Therefore, develop a backup strategy, including backup frequency and retention, that matches how much data your business can afford to lose.

The following are common strategies to protect against ransomware:

  • Strategy 1: Use Security Center for anti-ransomware. Security Center backs up the protected directories on a schedule and lets you restore files from a backup version.

  • Strategy 2: Use automatic snapshots. Automatic snapshots of the system disk and data disks let you roll a disk back to a point in time before the infection.

  • Strategy 3: Use security groups and firewalls. Network access rules limit the paths by which ransomware can reach the instance in the first place.

You can implement these strategies in parallel and select the ones that best suit your business needs. For example, if your business has high requirements for business continuity, apply all three. Note that backups and snapshots incur storage charges.

Strategy 1: Use Security Center for anti-ransomware

Workflow

[Image: Strategy 1 workflow diagram]

Procedure

  1. Enable the anti-ransomware service and purchase anti-ransomware capacity.

    To use the anti-ransomware feature in Security Center, you must enable the service and purchase anti-ransomware capacity. For more information, see Enable and purchase the anti-ransomware service.

    Note

Purchase anti-ransomware capacity based on the volume of data that you need to protect.

  2. Create a protection policy.

    After you enable the service, follow these steps to create a protection policy.

    Create a protection policy

    Before you create a policy, make sure that your server's operating system is supported. Backups cannot be performed on servers with unsupported operating systems. For more information about the operating systems that the anti-ransomware feature supports, see Overview of the anti-ransomware service.

    1. Log on to the Security Center console.

    2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Anti-ransomware. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

    3. On the Anti-ransomware page, click the Anti-ransomware for Servers tab and then click Create Anti-ransomware Policy.

    4. In the Create Anti-ransomware Policy panel, enter a policy name, and select a server type and assets.

      Parameter

      Description

      Policy Name

      The name of the protection policy.

      Server Type

      The type of server to which the protection policy applies.

      Backup Route

      This parameter is required only when you set Server Type to Server Not Deployed on Alibaba Cloud. Specify the communication method for data backup. The valid values are:

      • Internet: Backs up data over the public network. This may incur data transfer fees.

      • Internal Network: Backs up data over a private network. You must use services such as VPC, Express Connect, or CEN to establish a connection between your non-Alibaba Cloud server and the anti-ransomware network access point in the selected region.

      Region

      This parameter is required only when you set Server Type to Server Not Deployed on Alibaba Cloud. Select the region where your server is located or a region that has a stable network connection to the anti-ransomware network access point. The selected region determines the network access point for the anti-ransomware service. To ensure successful data backup, you must make sure that your server can communicate with the network access point in the selected region. For more information, see Network access points.

      Select Asset

      Select the assets to protect. You can select a single asset, multiple assets across different groups, or an entire asset group. Perform the following steps to select the assets you want to protect:

      • In the Asset Group section, select an asset group. All assets within that group are automatically selected. You can then deselect any assets that you do not want to protect in the Asset section on the right.

      • In the Assets section, enter an asset name (fuzzy search is supported) and click the search icon. The relevant assets are displayed. Select the assets you want to protect.

      Note
      • For Alibaba Cloud servers, a single policy can include servers from multiple regions. For non-Alibaba Cloud servers, a single policy can include only servers from the same region.

      • To ensure efficient use of your protection capacity, each server can be added to only one protection policy.

    5. In the Create Anti-ransomware Policy panel, configure the data backup policy and click OK.

      You can select either a recommended policy or a custom policy.

      • Recommended policy: An easy-to-configure, built-in, non-editable protection policy from Security Center. The rules are as follows:

        • Directory to Protect: All directories (excluding system directories)

        • Directory to Exclude: The default list of excluded directories

        • Non-local Mount Path: Excluded. Non-local mount paths, such as OSS and NAS paths, are not backed up.

        • File Type to Protect: All file types

        • First Backup Starts At: Any time between 00:00 and 03:00

        • Periodic Backup Interval: 1 day

        • Backup Data Retention Period: 7 days

        • Maximum Backup Bandwidth:

          • Alibaba Cloud server: 0 MB/s (a value of 0 MB/s indicates that the backup bandwidth is not limited)

          • Non-Alibaba Cloud server: 5 MB/s

      • Custom policy: Allows you to define specific policy rules with maximum flexibility. You can specify protected directories, excluded directories, protected file types, backup start time, backup interval, data retention period, and backup bandwidth limit. The following table describes the parameters.

        Parameter

        Description

        Directory to Protect

        Select the directories to back up. Valid values:

        • Specific Directory: Backs up specified directories on the selected assets. You must add the directory paths to the Protected Directory Paths list. Examples:

          • Windows: C:\Program Files (x86)\

          • Linux: /usr/bin/

          You can add up to 20 protected directory paths. Security Center runs backup tasks for each path sequentially. If a directory contains many files, the backup process can consume significant server resources (CPU and memory). You can split a large directory into multiple protected directory paths to run backup tasks sequentially, which reduces resource consumption.

        • All Directories: Backs up all directories on the selected assets.

        Directory to Exclude

        Specifies the directories that you do not want to back up. Security Center provides a default list of directories to exclude, which you can modify.

        Non-local Mount Path

        Specifies whether to exclude non-local mount paths, such as paths for Object Storage Service (OSS) and Apsara File Storage NAS (NAS).

        File Type to Protect

        Select the file types to protect. Valid values:

        • All File Types: Backs up all types of files.

        • Specific File Types: Backs up specified file types, such as documents and images.

          Important

          You can select multiple file types. Security Center backs up only the selected file types on your assets.

        First Backup Starts At

        The start time for the first data backup.

        Important

        After you create a protection policy, the initial backup is a full backup of all data in the protected directories. This process can consume significant CPU and memory. To avoid affecting your business, we recommend that you schedule data backups during off-peak hours.

        Periodic Backup Interval

        The interval at which the backup policy is executed. Default value: 1 day.

        Backup Data Retention Period

        The retention period for backup data. Default value: 7 days.

        Important

        Backup data is automatically deleted after the retention period expires. We recommend setting a retention period based on your business requirements.

        The following retention methods are supported:

        • Permanent: Backup data is retained until the Security Center service expires, or you delete the protection policy or the server from the policy.

        • Custom: You can specify a custom retention period from 1 to 65,535 days.

        Maximum Backup Bandwidth

        The maximum network bandwidth that data backup can use, in MB/s. A value of 0 MB/s indicates that the backup bandwidth is not limited.

        For Alibaba Cloud servers, data backups use only private network bandwidth and do not affect public network bandwidth. For non-Alibaba Cloud servers, data backups consume either public or private network bandwidth, depending on the backup route. You can set a bandwidth limit to prevent backups from affecting your business.

        • The default value for Alibaba Cloud servers is 0 MB/s (unlimited).

        • The default value for non-Alibaba Cloud servers is 5 MB/s.

    6. After a protection policy is created, its status is enabled by default. Security Center automatically installs the anti-ransomware client on your server and backs up data in the protected directories based on the settings in the policy.

      Warning

      Monitor the status of the anti-ransomware client and resolve any exceptions promptly to ensure that backup and restoration tasks run correctly. For more information, see View the status of the anti-ransomware client.

  3. (Optional) Restore data from a valid backup in Security Center.

    1. Create a snapshot of the system disk and data disks of the infected instance. For more information, see Create a manual snapshot. The snapshot preserves the compromised state as evidence for later investigation and gives you a fallback if the restoration does not produce the expected result.

    2. If your instance is attacked by ransomware, you can use a backup from Security Center to quickly restore your services. Follow these steps to restore your data.

      Create a restoration task

      1. Log on to the Security Center console.

      2. In the navigation pane on the left, select Protection Configuration > Host Protection > Anti-ransomware. In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

      3. On the Anti-ransomware for Servers tab, find the server for which you want to create a restore job in the policy list.

        Note

        Use the search box above the policy list to find the target server by policy name or server name.

      4. Click More actions to expand the drop-down list. Find the target server and click Restore in the Actions column.

      5. In the Create Restoration Task panel, configure the following parameters, and then click OK.

        Parameter

        Description

        Backup Version

        Select the backup version to restore. All recoverable files in the selected version are displayed in the file list. You can select files as needed.

        Files to Restore

        Select the files to restore.

        Destination Folder

        Enter the destination path on the target server. The folder must exist and have write permissions. Otherwise, the restore job fails.

        Target Server

        Select the server to restore data to. You can select any protected server in the same account; you are not limited to the originally attacked server. Restore to a clean server, or to the infected instance only after it has been reinitialized or otherwise cleaned, so that the restored files are not encrypted again by malware that is still running.

      6. The message Restoration task created. appears. Log on to the target server and navigate to the destination folder to verify that the backup files are restored and accessible.
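The restoration task fails if the destination folder is missing or not writable, and afterwards you want a record of exactly what came back from backup. The following is an added example, not code from the page or from Security Center: it checks the destination on the target Windows server before you create the task, then writes a SHA-256 manifest of the restored files. The destination path is a hypothetical placeholder.

```powershell
# Added example, not code from the page: pre-restore destination check and a
# post-restore hash manifest for a Windows target server. $dest is a placeholder.

function Test-RestoreDestination {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        New-Item -ItemType Directory -Path $Path -Force | Out-Null   # the task fails if the folder is missing
    }
    # Probe write access by creating and deleting a marker file as the current user.
    $probe = Join-Path $Path ('.restore-probe-' + [guid]::NewGuid())
    $writable = $false
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        $writable = $true
    } catch { }
    # Free space on the volume (DriveInfo only understands drive-letter roots).
    $free = $null
    try {
        $di = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($Path))
        $free = [Math]::Round($di.AvailableFreeSpace / 1GB, 1)
    } catch { }
    [pscustomobject]@{
        Path        = $Path
        Exists      = Test-Path -LiteralPath $Path -PathType Container
        Writable    = $writable
        # Restoring onto a network location is slow and is outside the policy's local-disk scope.
        NetworkPath = $Path.StartsWith('\\') -or [bool]((Get-Item -LiteralPath $Path).PSDrive.DisplayRoot)
        FreeSpaceGB = $free
    }
}

function Get-RestoreManifest {
    param([Parameter(Mandatory)][string]$Path)
    # Hash every restored file so you can prove later what was recovered and when.
    Get-ChildItem -LiteralPath $Path -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Bytes    = $_.Length
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Modified = $_.LastWriteTime
        }
    }
}

$dest  = Join-Path $env:TEMP 'restore-target'      # hypothetical destination folder
$check = Test-RestoreDestination -Path $dest
$check | Format-List
if (-not ($check.Exists -and $check.Writable)) { throw "Fix $dest before creating the restoration task" }

# ... create the restoration task in the Security Center console and wait for it to finish ...

Get-RestoreManifest -Path $dest |
    Export-Csv -LiteralPath (Join-Path $env:TEMP 'restore-manifest.csv') -NoTypeInformation
```

Run the check in the same security context that will receive the files; a folder that is writable for your administrator account but not for the anti-ransomware client still fails the task. Keep the manifest CSV with the incident record.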

Strategy 2: Use automatic snapshots

Workflow

[Image: Strategy 2 workflow diagram]

Procedure

Creating backups for an instance by using snapshots allows you to recover data after a ransomware attack. Note that this strategy provides only post-incident recovery capabilities and is not a substitute for proactive protection measures.

  1. Create an automatic snapshot policy for the instance. For more information, see Create an automatic snapshot policy.

  2. (Optional) Restore data from a valid snapshot that was created before the instance was infected.

    1. Create a snapshot of the system disk and data disks of the infected instance. For more information, see Create a manual snapshot.

      Important

      A disk rollback is irreversible. Data generated between the snapshot creation and the rollback is lost. To prevent data loss from accidental operations, we recommend that you create a snapshot to back up your data before you roll back a disk.

    2. Reinitialize the system disk of the infected instance to remove the malware. For more information, see Re-initialize a system disk (reset the OS).

    3. Roll back the system disk or data disks to the snapshot that was created before the infection. For more information, see Roll back a disk by using a snapshot.
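The same snapshot workflow can be scripted so that the policy is reproducible and reviewable. The following is an added example, not code from the page: it drives the steps above with the Alibaba Cloud CLI (aliyun) from PowerShell. The region, disk IDs, policy name and infection time are hypothetical placeholders. The parameter names follow the ECS API operations CreateAutoSnapshotPolicy, ApplyAutoSnapshotPolicy, CreateSnapshot, DescribeSnapshots and ResetDisk as I know them; confirm them against the ECS API reference before use, and configure the CLI (aliyun configure) first.

```powershell
# Added example, not code from the page: snapshot policy, pre-rollback evidence
# snapshot, and clean-snapshot selection with the aliyun CLI. Placeholders:
# $region, $diskIds, the policy name and $infectedAt. Parameter names are as I
# know the ECS API; verify against the API reference.

$ErrorActionPreference = 'Stop'
$region  = 'cn-hangzhou'                                   # placeholder region
$diskIds = @('d-bp1exampledisk01', 'd-bp1exampledisk02')   # placeholder system and data disk IDs

# 1. Daily snapshot at 01:00, retained for 7 days (the page's recommended-policy defaults).
$policy = aliyun ecs CreateAutoSnapshotPolicy `
    --regionId $region `
    --autoSnapshotPolicyName 'daily-anti-ransomware' `
    --timePoints '["1"]' `
    --repeatWeekdays '["1","2","3","4","5","6","7"]' `
    --retentionDays 7 | ConvertFrom-Json
$policyId = $policy.AutoSnapshotPolicyId

# 2. Attach the policy to every disk of the instance, system disk included.
aliyun ecs ApplyAutoSnapshotPolicy `
    --regionId $region `
    --autoSnapshotPolicyId $policyId `
    --diskIds (ConvertTo-Json $diskIds -Compress) | Out-Null

# 3. Before any rollback, snapshot the infected disks: rollback is irreversible and
#    this copy keeps both the evidence and any data written since the last snapshot.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
foreach ($d in $diskIds) {
    aliyun ecs CreateSnapshot --DiskId $d --SnapshotName "pre-rollback-$d-$stamp" `
        --Description 'ransomware incident, keep for forensics' | Out-Null
}

# 4. Choose the newest completed snapshot of a disk that predates the infection.
function Get-LastCleanSnapshot {
    param([string]$DiskId, [datetime]$InfectedAt)
    $snaps = (aliyun ecs DescribeSnapshots --RegionId $region --DiskId $DiskId --PageSize 100 |
        ConvertFrom-Json).Snapshots.Snapshot
    $snaps |
        Where-Object { $_.Status -eq 'accomplished' -and [datetime]$_.CreationTime -lt $InfectedAt } |
        Sort-Object { [datetime]$_.CreationTime } -Descending |
        Select-Object -First 1
}

$infectedAt = Get-Date '2026-06-20T03:00:00Z'   # placeholder: when the ransom note first appeared
$clean = Get-LastCleanSnapshot -DiskId $diskIds[1] -InfectedAt $infectedAt
"Rollback candidate for $($diskIds[1]): $($clean.SnapshotId) created $($clean.CreationTime)"

# 5. Roll back. The instance must be in the Stopped state. Uncomment only after the
#    pre-rollback snapshots from step 3 report Status = accomplished.
# aliyun ecs ResetDisk --DiskId $diskIds[1] --SnapshotId $clean.SnapshotId
```

Pick the infection time conservatively: the first suspicious sign, not the moment the note was noticed, because a snapshot taken while encryption was already in progress contains partially encrypted files. The 7-day retention mirrors the page's default; lengthen it if an infection might go unnoticed for longer.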

Strategy 3: Use security groups and firewalls

Workflow

[Image: Strategy 3 workflow diagram]

Procedure

Security policies, such as security group rules and host firewall rules, enhance an instance's protection against ransomware by limiting which sources can reach its remote administration and file sharing ports. Configuring them correctly requires technical expertise in network security.

  1. For best practices for security group and firewall policies, see Best practices for ECS security groups (inbound rules) and Configuration guide for Windows Firewall policies.

  2. (Optional) Contact a third-party company to decrypt and restore data.

    1. Create a snapshot for the system disk and data disks of the instance that is infected with ransomware. For more information, see Create a manual snapshot.

    2. Reinitialize the system disk of the compromised instance to remove the malware. For more information, see Re-initialize a system disk (reset the OS).

    3. If you have no backup and no snapshot that predates the infection, the encrypted data survives only in the snapshot that you created in step 1. In that case, you can contact a third-party company to attempt to decrypt and restore that data.

      Warning

      The data decryption capabilities provided by third-party companies after a ransomware attack are independent of Alibaba Cloud. Alibaba Cloud is not responsible for the success of data recovery or any data corruption.
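Step 1 of this strategy points to the security group and Windows Firewall guides. The following is an added example, not code from the page or from either guide: it applies inbound hardening at both layers for a Windows instance, the security group rules through the Alibaba Cloud CLI (aliyun) from an administrator's workstation and the Windows Firewall rules on the instance itself. The region, security group ID and administrator CIDR are hypothetical placeholders. The AuthorizeSecurityGroup parameters follow the ECS API as I know it; confirm them against the ECS API reference before use.

```powershell
# Added example, not code from the page: inbound hardening for a Windows ECS
# instance at the security group and the Windows Firewall. Placeholders: $region,
# $sgId, $adminCidr. API parameter names are as I know the ECS API; verify them.

$ErrorActionPreference = 'Stop'
$region    = 'cn-hangzhou'          # placeholder
$sgId      = 'sg-bp1examplegroup'   # placeholder security group ID
$adminCidr = '203.0.113.0/24'       # placeholder: the only source allowed to reach RDP/SSH

# --- Security group layer (run from an administrator workstation) -------------
# Rules are matched by priority (1 is highest). Allow remote administration from the
# admin network only and add explicit drops for the ports ransomware most often
# spreads through, so a later broad allow rule cannot quietly expose them.
$rules = @(
    @{ Port = '3389/3389'; Cidr = $adminCidr;  Policy = 'accept'; Priority = 1;   Description = 'RDP from admin network' },
    @{ Port = '22/22';     Cidr = $adminCidr;  Policy = 'accept'; Priority = 1;   Description = 'SSH from admin network' },
    @{ Port = '3389/3389'; Cidr = '0.0.0.0/0'; Policy = 'drop';   Priority = 100; Description = 'Deny RDP from Internet' },
    @{ Port = '445/445';   Cidr = '0.0.0.0/0'; Policy = 'drop';   Priority = 100; Description = 'Deny SMB from Internet' },
    @{ Port = '139/139';   Cidr = '0.0.0.0/0'; Policy = 'drop';   Priority = 100; Description = 'Deny NetBIOS from Internet' }
)
foreach ($r in $rules) {
    aliyun ecs AuthorizeSecurityGroup `
        --RegionId $region --SecurityGroupId $sgId `
        --IpProtocol tcp --PortRange $r.Port --SourceCidrIp $r.Cidr `
        --Policy $r.Policy --Priority $r.Priority --Description $r.Description | Out-Null
}

# --- Windows Firewall layer (run on the instance in an elevated session) -------
# Default-deny inbound on every profile, then scope the built-in Remote Desktop
# rules to the admin network instead of leaving them open to any address.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $adminCidr

# Block inbound SMB/NetBIOS regardless of other allow rules (a block rule wins over allow).
New-NetFirewallRule -DisplayName 'Block inbound SMB (ransomware lateral movement)' `
    -Direction Inbound -Protocol TCP -LocalPort 445,139 -Action Block -Profile Any

# Verify the effective remote-address scope of the RDP rules.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

In a VPC security group, inbound traffic that matches no allow rule is dropped, so the drop rules are a safeguard against a later broad allow rule rather than the primary control; the allow rules scoped to the admin network are. Apply the firewall half through a console session (VNC) or a scheduled task if you connect over RDP, because the profile change takes effect immediately and a mistake in the admin CIDR locks you out.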
