To prevent data encryption, leakage, or loss from ransomware attacks on servers and databases, Security Center provides a defense-in-depth system that integrates pre-attack interception, in-attack trapping, and post-attack recovery. As the last line of defense for data security, Anti-ransomware (data backup) is deeply integrated with Cloud Backup. It lets you quickly restore core data from historical backups, minimizing business disruption and data loss.
Core features
The Anti-ransomware feature is divided into Anti-ransomware for servers and Anti-ransomware for databases based on the type of asset being protected.
Comparison | Anti-ransomware for Servers | Anti-ransomware for Databases |
Protected objects | Business files and directories on a server. Important: Do not use Anti-ransomware for Servers to back up database files. This mode cannot guarantee data consistency for databases. | Self-managed databases deployed on servers, such as MySQL, Oracle, or SQL Server installed on an ECS instance. |
Protection mechanism | Periodically backs up specified critical files and directories. | Uses native database API calls to perform backups, ensuring application-level consistency for the backup data. |
Key benefits | Protects unstructured data such as critical business files, applications, and configuration files. | Provides reliable, consistent backup and recovery for self-managed databases. This is a best practice for protecting core transactional data. |
Key limitations | Does not support protecting mounted paths, such as OSS or NAS directories mounted to an ECS instance. | |
How it works
The Anti-ransomware (data backup) workflow consists of four stages:
Enable and authorize the service
Purchase anti-ransomware capacity and complete the service authorization. The system automatically enables the associated Cloud Backup service. For detailed instructions, see Enable and purchase the service.
Note: The cost of Cloud Backup storage is included in your anti-ransomware capacity. No extra fees apply.
Configure a backup policy
Create a protection policy for the target servers or databases, setting the backup schedule and scope. For detailed instructions, see Create an anti-ransomware policy.
Note: Alibaba Cloud ECS instances: The system automatically identifies the region where the server is located and displays only server assets within a supported region, ensuring precise service matching.
Servers outside Alibaba Cloud (e.g., in data centers or from other cloud providers): You must manually select the server's actual region when you configure the protection policy.
Run backups automatically
After configuration, the anti-ransomware client automatically and securely transfers data to the Cloud Backup service according to the schedule you set.
Note: The backup process consumes a small amount of server resources.
Restore data in an emergency
If a ransomware attack occurs, create a restore job from the most recent backup to quickly restore your data.
Limitations
General limitations
Region availability: The service is not available in all regions. For a list of supported regions, see Supported regions.
Backup and recovery: The service cannot decrypt files that ransomware has already encrypted.
Anti-ransomware for Databases limitations
Cloud database services: The service does not support managed cloud database products like RDS or PolarDB.
Network environment: The service does not support ECS instances deployed in a Classic Network environment.
Anti-ransomware for Servers limitations
Deployment environment: The service does not directly support protecting directories within a container. To protect them, you must first map the container directories to the host server.
Operating system: The service is only supported on specific operating system versions. For a list of supported versions, see Supported operating systems (Anti-ransomware for servers).
Resource consumption and planning
Resource consumption overview:
Anti-ransomware for databases: Resource consumption is negligible.
Anti-ransomware for servers: The backup process consumes some CPU and memory. Consumption varies with the number and size of files but typically does not affect core business operations.
Minimum configuration recommendations:
Backup data size | CPU | Memory |
100,000 files | 2-core | 4 GB |
1 million files, 8 TB total | 2-core | 8 GB |
10 million files | 4-core | 16 GB |
Resource control optimization: If you need to strictly control resource consumption during backup tasks, you can use the following methods.
Adjust backup speed: Balance backup speed with resource usage. For detailed instructions, see Backup and restoration speeds.
Limit memory usage: To prevent out-of-memory (OOM) issues, set a memory limit for the backup client. For detailed instructions, see How to resolve OOM issues for the backup client.
Billing
Your cost is based on the anti-ransomware capacity you purchase. This capacity depends on the volume of data you back up and your chosen retention period, not the number of servers.
The cost of Cloud Backup storage is included in this capacity; no extra fees apply.
Recommendations
Build a multi-layered recovery system
Recommendation: For core business servers, configure both ECS Snapshot and Anti-ransomware (data backup).
Explanation: Ransomware can corrupt a server's operating system, which can damage the anti-ransomware client or take it offline, causing data restore jobs to fail. In this extreme scenario, the best recovery path is:
Restore the system with a snapshot: Immediately use the most recent available ECS Snapshot to roll back the server. This restores the server's operating system and runtime environment to a healthy state. This action also restores the anti-ransomware client to normal operation.
Restore data with the anti-ransomware service: After the system is restored, use the Anti-ransomware (data backup) feature to restore your core business files from the most recent backup version, which may be newer than the snapshot.
Avoid backup tool conflicts
Recommendation: Do not run this product at the same time as any other backup tools, such as third-party software or custom scripts.
Explanation: Concurrent operations can cause file read/write conflicts, which are highly likely to cause backup failures or produce corrupted, unrecoverable data.
Protect network paths (such as OSS/NAS)
Recommendation: Do not add mounted network paths, such as OSS or NAS directories mounted on a server, to the anti-ransomware protection policy.
Explanation: Backing up these paths involves frequent access to the source service (OSS/NAS), which can result in high additional fees for traffic or requests. For these scenarios, use the relevant Cloud Backup features directly. For detailed instructions, see Getting Started with OSS Backup and Getting Started with On-premises NAS Backup.
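A pre-flight check for the recommendation above, as an added example that is not part of the product or its documentation: it parses a Linux mount table in /proc/mounts format and flags candidate policy directories that sit on, or contain, an OSS/NAS-style mount. The sample mount table, the host name in it and the set of filesystem types treated as remote are assumptions made for this example.

```python
import re
from pathlib import PurePosixPath

# Filesystem types treated as remote (assumption for this example): NFS/SMB
# for NAS, plus any FUSE mount ("fuse.<name>"), which is how tools such as
# ossfs usually appear. Local FUSE filesystems will also be flagged for review.
REMOTE_FS = {"nfs", "nfs4", "cifs", "smb3"}

# Constructed sample in /proc/mounts format; not taken from a real host.
SAMPLE_MOUNTS = """\
/dev/vda1 / ext4 rw,relatime 0 0
/dev/vdb1 /data ext4 rw,relatime 0 0
nas.example.internal:/share /data/nas nfs4 rw,vers=4.0 0 0
ossfs /mnt/oss\\040bucket fuse.ossfs rw,nosuid,nodev 0 0
"""


def unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return [(mount_point, fstype)] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            mounts.append((PurePosixPath(unescape(parts[1])), parts[2]))
    return mounts


def is_remote(fstype):
    return fstype in REMOTE_FS or fstype.startswith("fuse.")


def within(path, parent):
    return path == parent or parent in path.parents


def audit_path(path, mounts):
    """Classify one candidate policy directory.

    Returns ("on-remote", mount_point) when the directory lives on a remote
    filesystem, ("contains-remote", [mount_points]) when a remote mount is
    nested below it, ("ok", None) otherwise.
    """
    path = PurePosixPath(path)
    covering = [m for m in mounts if within(path, m[0])]
    if not covering:
        return "unknown", None
    # The filesystem holding `path` is the longest mount point prefixing it;
    # reversed() makes a later (stacked) mount win over an earlier one.
    mount_point, fstype = max(reversed(covering), key=lambda m: len(m[0].parts))
    if is_remote(fstype):
        return "on-remote", str(mount_point)
    nested = [str(m[0]) for m in mounts
              if m[0] != path and within(m[0], path) and is_remote(m[1])]
    if nested:
        return "contains-remote", nested
    return "ok", None


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for candidate in ["/data/app", "/data", "/data/nas/projects",
                      "/mnt/oss bucket/logs"]:
        print(candidate, "->", audit_path(candidate, table))
```

On a real host, pass the contents of /proc/mounts instead of the sample; a "contains-remote" result means the directory itself is local but a backup of it would still walk into the mounted path.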
Use dedicated protection for database files
Recommendation: Use the Anti-ransomware for Databases feature to protect database files on your server (such as .mdf, .ibd, etc.).
Explanation: Directly backing up database files cannot guarantee data consistency or recoverability. The Anti-ransomware for databases feature uses native database APIs to ensure application-consistent, valid backups.
Configure container protection
Recommendation: If you need to protect a directory within a container, you must map that directory to the host server.
Explanation:
The Anti-ransomware (data backup) feature works by protecting host directories. Therefore, it does not directly support backing up unmapped databases or files located inside a container.
You can use the -v parameter of the docker run command to create a link between a host directory and a container directory.
Command format:
docker run -v <host-directory>:<container-directory> <image-name>
Example:
Map the /app/data directory inside the container to the /home/user/data directory on the host:
docker run -v /home/user/data:/app/data your-image-name
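To find which host directory to add to the policy for a given container path, the added example below (not part of the product's tooling) reads `docker inspect` output and resolves the path through the container's mounts. The container name, its paths and the trimmed JSON are constructed sample data; only the Mounts fields Type, Source and Destination are used.

```python
import json
from pathlib import PurePosixPath

# Constructed sample shaped like `docker inspect <container>` output, trimmed
# to the fields used here. Names and paths are placeholders.
SAMPLE_INSPECT = """
[{"Name": "/web",
  "Mounts": [
    {"Type": "bind", "Source": "/home/user/data",
     "Destination": "/app/data", "RW": true},
    {"Type": "volume", "Name": "uploads",
     "Source": "/var/lib/docker/volumes/uploads/_data",
     "Destination": "/srv/uploads", "RW": true},
    {"Type": "tmpfs", "Source": "",
     "Destination": "/app/data/cache", "RW": true}
  ]}]
"""


def resolve_host_path(inspect_json, container_path):
    """Map a path inside the container to the host path that backs it.

    Returns (kind, host_path):
      ("bind", path)    host directory mapped with -v; add this to the policy
      ("volume", path)  Docker-managed volume directory on the host
      ("tmpfs", None)   or another non-disk mount type: nothing on the host
      ("unmapped", None) path exists only in the container's writable layer
    """
    target = PurePosixPath(container_path)
    container = json.loads(inspect_json)[0]

    # The mount that applies is the one with the longest Destination that is
    # a prefix of the target, so a nested mount overrides its parent.
    best, best_depth = None, -1
    for mount in container.get("Mounts", []):
        dest = PurePosixPath(mount["Destination"])
        if (target == dest or dest in target.parents) and len(dest.parts) > best_depth:
            best, best_depth = mount, len(dest.parts)

    if best is None:
        return "unmapped", None
    if best["Type"] not in ("bind", "volume"):
        return best["Type"], None

    # Re-root the remainder of the container path under the host source.
    remainder = target.relative_to(best["Destination"])
    return best["Type"], str(PurePosixPath(best["Source"]) / remainder)


if __name__ == "__main__":
    for p in ["/app/data/orders", "/app/data/cache/tmp1",
              "/srv/uploads/2024", "/app/config"]:
        print(p, "->", resolve_host_path(SAMPLE_INSPECT, p))
```

An "unmapped" result is the case the recommendation addresses: the directory has to be mapped to the host with -v before a host-directory policy can cover it.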
Appendix
Supported regions
Feature | Area | Supported region |
Anti-ransomware for servers | Chinese mainland |
|
Asia Pacific | Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), China (Hong Kong), Singapore, Philippines (Manila) | |
Europe & Americas | US (Silicon Valley), US (Virginia), Germany (Frankfurt), UK (London) | |
Middle East | SAU (Riyadh - Partner Region) | |
Anti-ransomware for databases | Chinese mainland |
|
Asia Pacific | China (Hong Kong), Singapore |
Supported operating systems (Anti-ransomware for servers)
The Anti-ransomware for Servers feature only supports installing the client on the operating systems listed in the table below.
System | Supported versions |
Windows | 7, 8, 10, 11 |
Windows Server | 2008 R2, 2012, 2012 R2, 2016, 2019, 2022 |
RHEL | 7.0, 7.2, 7.4, 7.5, 7.6, 7.7, 7.8, 8.0, 8.1, 8.2 |
CentOS | 6.5, 6.9, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8.2, 8.3 |
Ubuntu | 14.04, 16.04, 18.04, 20.04 |
SUSE Linux Enterprise Server | 11, 12, 15 |
Rocky Linux | 8.7 |
Network endpoints
Endpoint type descriptions:
Management plane: Used to transmit control signals between the anti-ransomware client and the Cloud Backup service.
Data plane: Used to transmit backup data.
Alibaba Cloud servers
Protection policy v2.0 endpoints
Region | Type | Public endpoint | VPC endpoint |
China (Hangzhou) | Management plane | post-cn-mp90rcien05.mqtt.aliyuncs.com | post-cn-mp90rcien05-internal.mqtt.aliyuncs.com |
Data plane | *.oss-cn-hangzhou.aliyuncs.com | *.oss-cn-hangzhou-internal.aliyuncs.com | |
China (Shanghai) | Management plane | post-cn-4590rcihm02.mqtt.aliyuncs.com | post-cn-4590rcihm02-internal.mqtt.aliyuncs.com |
Data plane | *.oss-cn-shanghai.aliyuncs.com | *.oss-cn-shanghai-internal.aliyuncs.com | |
China (Qingdao) | Management plane | post-cn-n6w1oj5j506.mqtt.aliyuncs.com | post-cn-n6w1oj5j506-internal-vpc.mqtt.aliyuncs.com |
Data plane | *.oss-cn-qingdao.aliyuncs.com | *.oss-cn-qingdao-internal.aliyuncs.com | |
China (Beijing) | Management plane | post-cn-mp90rcibd04.mqtt.aliyuncs.com | post-cn-mp90rcibd04-internal.mqtt.aliyuncs.com |
Data plane | *.oss-cn-beijing.aliyuncs.com | *.oss-cn-beijing-internal.aliyuncs.com | |
China (Zhangjiakou) | Management plane | post-cn-45917akja09.mqtt.aliyuncs.com | post-cn-45917akja09-internal.mqtt.aliyuncs.com |
Data plane | *.oss-cn-zhangjiakou.aliyuncs.com | *.oss-cn-zhangjiakou-internal.aliyuncs.com | |
China (Hohhot) | Management plane | post-cn-0pp1epkb50h.mqtt.aliyuncs.com | post-cn-0pp1epkb50h-internal.mqtt.aliyuncs.com |
Data plane | *.oss-cn-huhehaote.aliyuncs.com | *.oss-cn-huhehaote-internal.aliyuncs.com | |
China (Shenzhen) | Management plane | post-cn-v0h0rcijv04.mqtt.aliyuncs.com | post-cn-v0h0rcijv04-internal.mqtt.aliyuncs.com |
Data plane | *.oss-cn-shenzhen.aliyuncs.com | *.oss-cn-shenzhen-internal.aliyuncs.com | |
China (Chengdu) | Management plane | post-cn-st21piid30e.mqtt.aliyuncs.com | post-cn-st21piid30e-internal-vpc.mqtt.aliyuncs.com |
Data plane | *.oss-cn-chengdu.aliyuncs.com | *.oss-cn-chengdu-internal.aliyuncs.com | |
China (Hong Kong) | Management plane | mqtt-cn-v0h1cmss401.mqtt.aliyuncs.com | mqtt-cn-v0h1cmss401-internal.mqtt.aliyuncs.com |
Data plane | *.oss-cn-hongkong.aliyuncs.com | *.oss-cn-hongkong-internal.aliyuncs.com | |
Singapore | Management plane | post-cn-4590unarx01.mqtt.aliyuncs.com | post-cn-4590unarx01-internal.mqtt.aliyuncs.com |
Data plane | *.oss-ap-southeast-1.aliyuncs.com | *.oss-ap-southeast-1-internal.aliyuncs.com | |
Malaysia (Kuala Lumpur) | Management plane | mqtt-cn-v0h1k5d7707.mqtt.aliyuncs.com | mqtt-cn-v0h1k5d7707-internal.mqtt.aliyuncs.com |
Data plane | *.oss-ap-southeast-3.aliyuncs.com | *.oss-ap-southeast-3-internal.aliyuncs.com | |
Indonesia (Jakarta) | Management plane | post-cn-4591ee94i03.mqtt.aliyuncs.com | post-cn-4591ee94i03-internal.mqtt.aliyuncs.com |
Data plane | *.oss-ap-southeast-5.aliyuncs.com | *.oss-ap-southeast-5-internal.aliyuncs.com | |
Japan (Tokyo) | Management plane | post-cn-mp91kij0p01.mqtt.aliyuncs.com | post-cn-mp91kij0p01-internal-vpc.mqtt.aliyuncs.com |
Data plane | *.oss-ap-northeast-1.aliyuncs.com | *.oss-ap-northeast-1-internal.aliyuncs.com | |
Germany (Frankfurt) | Management plane | post-cn-mp91ki6sl0k.mqtt.aliyuncs.com | post-cn-mp91ki6sl0k-internal.mqtt.aliyuncs.com |
Data plane | *.oss-eu-central-1.aliyuncs.com | *.oss-eu-central-1-internal.aliyuncs.com | |
US (Silicon Valley) | Management plane | mqtt-cn-mp91j6gou03.mqtt.aliyuncs.com | mqtt-cn-mp91j6gou03-internal.mqtt.aliyuncs.com |
Data plane | *.oss-us-west-1.aliyuncs.com | *.oss-us-west-1-internal.aliyuncs.com | |
US (Virginia) | Management plane | post-cn-oew1qqlw309.mqtt.aliyuncs.com | post-cn-oew1qqlw309-internal-vpc.mqtt.aliyuncs.com |
Data plane | *.oss-us-east-1.aliyuncs.com | *.oss-us-east-1-internal.aliyuncs.com | |
UAE (Dubai) | Management plane | post-cn-oew1tb52204.mqtt.aliyuncs.com | post-cn-oew1tb52204-internal-vpc.mqtt.aliyuncs.com |
Data plane | *.oss-me-east-1.aliyuncs.com | *.oss-me-east-1-internal.aliyuncs.com | |
SAU (Riyadh - Partner Region) | Management plane | mqtt-cn-7pp2urf8g04.mqtt.aliyuncs.com | mqtt-cn-7pp2urf8g04-internal-vpc.mqtt.aliyuncs.com |
Data plane | *.oss-me-central-1.aliyuncs.com | *.oss-me-central-1-internal.aliyuncs.com |
Protection policy v1.0 endpoints
Region | Type | Public endpoint | VPC endpoint |
China (Hangzhou) | Management plane | post-cn-mp90rcien05.mqtt.aliyuncs.com | post-cn-mp90rcien05-internal.mqtt.aliyuncs.com |
hbr.cn-hangzhou.aliyuncs.com | hbr-vpc.cn-hangzhou.aliyuncs.com | ||
Data plane | *.oss-cn-hangzhou.aliyuncs.com | *.oss-cn-hangzhou-internal.aliyuncs.com | |
China (Shanghai) | Management plane | post-cn-4590rcihm02.mqtt.aliyuncs.com | post-cn-4590rcihm02-internal.mqtt.aliyuncs.com |
hbr.cn-shanghai.aliyuncs.com | hbr-vpc.cn-shanghai.aliyuncs.com | ||
Data plane | *.oss-cn-shanghai.aliyuncs.com | *.oss-cn-shanghai-internal.aliyuncs.com | |
China (Qingdao) | Management plane | post-cn-n6w1oj5j506.mqtt.aliyuncs.com | post-cn-n6w1oj5j506-internal-vpc.mqtt.aliyuncs.com |
hbr.cn-qingdao.aliyuncs.com | hbr-vpc.cn-qingdao.aliyuncs.com | ||
Data plane | *.oss-cn-qingdao.aliyuncs.com | *.oss-cn-qingdao-internal.aliyuncs.com | |
China (Beijing) | Management plane | post-cn-mp90rcibd04.mqtt.aliyuncs.com | post-cn-mp90rcibd04-internal.mqtt.aliyuncs.com |
hbr.cn-beijing.aliyuncs.com | hbr-vpc.cn-beijing.aliyuncs.com | ||
Data plane | *.oss-cn-beijing.aliyuncs.com | *.oss-cn-beijing-internal.aliyuncs.com | |
China (Zhangjiakou) | Management plane | post-cn-45917akja09.mqtt.aliyuncs.com | post-cn-45917akja09-internal.mqtt.aliyuncs.com |
hbr.cn-zhangjiakou.aliyuncs.com | hbr-vpc.cn-zhangjiakou.aliyuncs.com | ||
Data plane | *.oss-cn-zhangjiakou.aliyuncs.com | *.oss-cn-zhangjiakou-internal.aliyuncs.com | |
China (Hohhot) | Management plane | post-cn-0pp1epkb50h.mqtt.aliyuncs.com | post-cn-0pp1epkb50h-internal.mqtt.aliyuncs.com |
hbr.cn-huhehaote.aliyuncs.com | hbr-vpc.cn-huhehaote.aliyuncs.com | ||
Data plane | *.oss-cn-huhehaote.aliyuncs.com | *.oss-cn-huhehaote-internal.aliyuncs.com | |
China (Shenzhen) | Management plane | post-cn-v0h0rcijv04.mqtt.aliyuncs.com | post-cn-v0h0rcijv04-internal.mqtt.aliyuncs.com |
hbr.cn-shenzhen.aliyuncs.com | hbr-vpc.cn-shenzhen.aliyuncs.com | ||
Data plane | *.oss-cn-shenzhen.aliyuncs.com | *.oss-cn-shenzhen-internal.aliyuncs.com | |
China (Chengdu) | Management plane | post-cn-st21piid30e.mqtt.aliyuncs.com | post-cn-st21piid30e-internal-vpc.mqtt.aliyuncs.com |
hbr.cn-chengdu.aliyuncs.com | hbr-vpc.cn-chengdu.aliyuncs.com | ||
Data plane | *.oss-cn-chengdu.aliyuncs.com | *.oss-cn-chengdu-internal.aliyuncs.com | |
China (Hong Kong) | Management plane | mqtt-cn-v0h1cmss401.mqtt.aliyuncs.com | mqtt-cn-v0h1cmss401-internal.mqtt.aliyuncs.com |
hbr.cn-hongkong.aliyuncs.com | hbr-vpc.cn-hongkong.aliyuncs.com | ||
Data plane | *.oss-cn-hongkong.aliyuncs.com | *.oss-cn-hongkong-internal.aliyuncs.com | |
Singapore | Management plane | post-cn-4590unarx01.mqtt.aliyuncs.com | post-cn-4590unarx01-internal.mqtt.aliyuncs.com |
hbr.ap-southeast-1.aliyuncs.com | hbr-internal.ap-southeast-1.aliyuncs.com | ||
Data plane | *.oss-ap-southeast-1.aliyuncs.com | *.oss-ap-southeast-1-internal.aliyuncs.com | |
Malaysia (Kuala Lumpur) | Management plane | mqtt-cn-v0h1k5d7707.mqtt.aliyuncs.com | mqtt-cn-v0h1k5d7707-internal.mqtt.aliyuncs.com |
hbr.ap-southeast-3.aliyuncs.com | hbr.ap-southeast-3.aliyuncs.com | ||
Data plane | *.oss-ap-southeast-3.aliyuncs.com | *.oss-ap-southeast-3-internal.aliyuncs.com | |
Indonesia (Jakarta) | Management plane | post-cn-4591ee94i03.mqtt.aliyuncs.com | post-cn-4591ee94i03-internal.mqtt.aliyuncs.com |
hbr.ap-southeast-5.aliyuncs.com | hbr-vpc.ap-southeast-5.aliyuncs.com | ||
Data plane | *.oss-ap-southeast-5.aliyuncs.com | *.oss-ap-southeast-5-internal.aliyuncs.com | |
Japan (Tokyo) | Management plane | post-cn-mp91kij0p01.mqtt.aliyuncs.com | post-cn-mp91kij0p01-internal-vpc.mqtt.aliyuncs.com |
hbr.ap-northeast-1.aliyuncs.com | hbr.ap-northeast-1.aliyuncs.com | ||
Data plane | *.oss-ap-northeast-1.aliyuncs.com | *.oss-ap-northeast-1-internal.aliyuncs.com | |
Germany (Frankfurt) | Management plane | post-cn-mp91ki6sl0k.mqtt.aliyuncs.com | post-cn-mp91ki6sl0k-internal.mqtt.aliyuncs.com |
hbr.eu-central-1.aliyuncs.com | hbr.eu-central-1.aliyuncs.com | ||
Data plane | *.oss-eu-central-1.aliyuncs.com | *.oss-eu-central-1-internal.aliyuncs.com | |
US (Silicon Valley) | Management plane | mqtt-cn-mp91j6gou03.mqtt.aliyuncs.com | mqtt-cn-mp91j6gou03-internal.mqtt.aliyuncs.com |
hbr.us-west-1.aliyuncs.com | hbr.us-west-1.aliyuncs.com | ||
Data plane | *.oss-us-west-1.aliyuncs.com | *.oss-us-west-1-internal.aliyuncs.com | |
US (Virginia) | Management plane | post-cn-oew1qqlw309.mqtt.aliyuncs.com | post-cn-oew1qqlw309-internal-vpc.mqtt.aliyuncs.com |
hbr.us-east-1.aliyuncs.com | hbr.us-east-1.aliyuncs.com | ||
Data plane | *.oss-us-east-1.aliyuncs.com | *.oss-us-east-1-internal.aliyuncs.com | |
UAE (Dubai) | Management plane | post-cn-oew1tb52204.mqtt.aliyuncs.com | post-cn-oew1tb52204-internal-vpc.mqtt.aliyuncs.com |
hbr.me-east-1.aliyuncs.com | hbr-vpc.me-east-1.aliyuncs.com | ||
Data plane | *.oss-me-east-1.aliyuncs.com | *.oss-me-east-1-internal.aliyuncs.com | |
SAU (Riyadh - Partner Region) | Management plane | mqtt-cn-7pp2urf8g04.mqtt.aliyuncs.com | mqtt-cn-7pp2urf8g04-internal-vpc.mqtt.aliyuncs.com |
hbr.me-central-1.aliyuncs.com | hbr-vpc.me-central-1.aliyuncs.com | ||
Data plane | *.oss-me-central-1.aliyuncs.com | *.oss-me-central-1-internal.aliyuncs.com |
Servers outside Alibaba Cloud
Region | Type | Endpoint |
China (Hangzhou) | Management plane | 100.103.8.175 |
post-cn-mp90rcien05-internal.mqtt.aliyuncs.com | ||
Data plane | *.oss-cn-hangzhou-internal.aliyuncs.com | |
China (Shanghai) | Management plane | 100.103.83.79 |
post-cn-4590rcihm02-internal.mqtt.aliyuncs.com | ||
Data plane | *.oss-cn-shanghai-internal.aliyuncs.com | |
China (Qingdao) | Management plane | 100.100.0.111 |
post-cn-n6w1oj5j506-internal-vpc.mqtt.aliyuncs.com | ||
Data plane | *.oss-cn-qingdao-internal.aliyuncs.com | |
China (Beijing) | Management plane | 100.103.83.105 |
post-cn-mp90rcibd04-internal.mqtt.aliyuncs.com | ||
Data plane | *.oss-cn-beijing-internal.aliyuncs.com | |
China (Zhangjiakou) | Management plane | 100.100.1.236 |
post-cn-45917akja09-internal.mqtt.aliyuncs.com | ||
Data plane | *.oss-cn-zhangjiakou-internal.aliyuncs.com | |
China (Hohhot) | Management plane | 100.100.0.123 |
post-cn-0pp1epkb50h-internal.mqtt.aliyuncs.com | ||
Data plane | *.oss-cn-huhehaote.aliyuncs.com | |
China (Shenzhen) | Management plane | 100.103.31.50 |
post-cn-v0h0rcijv04-internal.mqtt.aliyuncs.com | ||
Data plane | *.oss-cn-shenzhen-internal.aliyuncs.com | |
China (Chengdu) | Management plane | 100.100.0.12 |
post-cn-st21piid30e-internal-vpc.mqtt.aliyuncs.com | ||
Data plane | *.oss-cn-chengdu-internal.aliyuncs.com | |
China (Hong Kong) | Management plane | 100.103.30.213 |
mqtt-cn-v0h1cmss401-internal.mqtt.aliyuncs.com | ||
Data plane | *.oss-cn-hongkong-internal.aliyuncs.com | |
Singapore | Management plane | 100.103.10.114 |
post-cn-4590unarx01-internal.mqtt.aliyuncs.com | ||
Data plane | *.oss-ap-southeast-1-internal.aliyuncs.com | |
Malaysia (Kuala Lumpur) | Management plane | 100.100.0.225 |
mqtt-cn-v0h1k5d7707-internal.mqtt.aliyuncs.com | ||
Data plane | *.oss-ap-southeast-3-internal.aliyuncs.com |
FAQ
Product selection
What is the difference between Anti-ransomware (data backup) and ECS Snapshot? How should I choose?
Comparison:
ECS Snapshot: Performs block-level backups of an entire cloud disk. It is suitable for full-machine disaster recovery (such as for system crashes or disk corruption), offers coarse-grained recovery, and has a longer recovery time.
Anti-ransomware (data backup): Focuses on file- and database-level backups. It offers fine-grained recovery (you can restore a single file or database), supports application-level data consistency, and provides faster restores.
How to choose: The two are complementary, not alternatives. We recommend you use them together to achieve the most comprehensive protection.
Use ECS Snapshot as a system-level disaster recovery solution.
Use the anti-ransomware feature for fine-grained, high-frequency protection of core business files and databases.
What is the Honeypot feature? Can I manually delete the bait files?
Honeypot is a proactive defense feature available in higher editions of Security Center. It protects your real data by deploying "honeypot" files on your server to identify and block new types of ransomware in advance.
How it works
Deploy bait: The honeypot feature creates hidden "bait files" in several key directories on the server, such as /home, /root, and the root of the C: and D: drives.
Identify attacks: When a new type of ransomware scans and attempts to encrypt these honeypot files, Security Center immediately identifies the malicious behavior.
Block in real time: Security Center immediately blocks the malicious process, preventing it from continuing to damage real files.
Important: These are normal security protection files. Do not delete them manually. For more information, see Host protection settings.
Feature support
Does the Anti-ransomware for Databases feature support Alibaba Cloud RDS databases?
No. The Anti-ransomware for databases feature is designed specifically for self-managed databases deployed in IaaS environments, such as on ECS instances. For cloud database services like RDS and PolarDB, use their built-in, highly reliable backup and recovery features.
Does the anti-ransomware feature proactively defend against viruses, or does it only perform backup and recovery?
The Anti-ransomware feature focuses on the post-attack recovery stage, which is data backup and restore. A complete ransomware protection strategy also includes proactive defense (pre-attack interception and in-attack trapping). Together, these three elements form a defense-in-depth system.
Proactive defense
Note: Proactive defense features require you to upgrade Security Center to the Anti-virus edition or higher. For more information, see Host protection settings.
Pre-attack interception: Malicious host behavior prevention
Based on cloud-native Threat Intelligence, this feature identifies and blocks known ransomware families in real time before they can infect a server.
In-attack trapping: Honeypot
By deploying trap files (bait) on a server, this feature captures and blocks unknown ransomware in real time. As soon as it detects an attempt to encrypt the bait, the system immediately terminates the suspicious process to protect the real data on the server.
Passive recovery
Anti-ransomware (data backup) is the final safeguard. It ensures that core data can be quickly recovered in extreme situations, such as when defense systems are bypassed.
Capacity and billing
What is the purchased "anti-ransomware capacity"? What happens if I exceed the capacity?
Definition: Anti-ransomware capacity is the storage space you purchase for the Anti-ransomware (data backup) feature to store backup data. Its billing is related to the total amount of data you need to back up and the backup retention period, not the number of servers.
Consequences of exceeding capacity: You will receive an alert when your capacity usage exceeds 80%. If the capacity is completely full, new backup jobs will fail, leaving newly generated data unprotected. You can still use existing backup versions for recovery.
Recovery and performance
What is the Recovery Time Objective (RTO)?
The Recovery Time Objective (RTO) depends on factors such as total data volume, network bandwidth, and server performance. A small number of files can typically be restored in minutes, while terabytes of data may take several hours.
Note: Perform regular recovery drills to determine a realistic RTO for your business environment.
Can the anti-ransomware service recover encrypted files?
The service restores files from historical, unencrypted backups. It cannot decrypt files that are already encrypted. The recommended approach is:
Back up your files regularly to maintain the latest backup versions.
Use the host protection features of Security Center to block ransomware.