Ransomware Protection
We catch ransomware mid-attack.
Not after.
Decoy files. Hashed every backup. Tamper triggers an alert and freezes the backup chain to protect your last clean image. Deterministic — no ML training, no false positives, free in every paid plan.
Canary Mismatch Detected
Backups frozen. Last clean image: protected.
Active alert · Device DR-LAB-04
The Problem
Modern ransomware encrypts in 30 to 120 minutes. Your backup runs every 24 hours. The math is bad.
Most ransomware doesn't slam your data instantly. It encrypts files quietly over an hour or two, then drops the ransom note. By then your daily backup may have already captured encrypted data — overwriting the last clean version.
The only defense is detecting tamper before the next backup runs. That's what canary files do.
T+0: Ransomware lands
T+30m: Starts encrypting
T+90m: Daily backup captures encrypted data
T+24h: Ransom note · TOO LATE
How It Works
Deploy decoys. Hash them. Verify every backup. Alert on tamper.
Decoy files deployed
We place decoy files in your protected folders. They look like normal documents to ransomware. They're invisible to your users.
Hashed at install
Every decoy is hashed with SHA-256 and the manifest is locked.
Verified every backup
Each backup re-hashes the decoys and compares against the manifest. Mismatch = tamper.
Alert + freeze
On tamper, we surface an alert in your dashboard, freeze the backup chain to protect the last clean image, and notify your admin (Plus and above).
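The four steps above, written out in Python. This is an added example, not BigMind's code: the HMAC used to "lock" the manifest, the decoy file names, and the BackupChain class are assumptions made for illustration.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def seal(hashes, key):  # HMAC as the manifest "lock" is this example's assumption
    return hmac.new(key, json.dumps(hashes, sort_keys=True).encode(), "sha256").hexdigest()

def build_manifest(decoys, key):
    hashes = {str(p): sha256_file(p) for p in decoys}   # hashed at install
    return {"hashes": hashes, "tag": seal(hashes, key)}

def verify(manifest, key):
    """Return (path, reason) findings; an empty list means every decoy is intact."""
    if not hmac.compare_digest(seal(manifest["hashes"], key), manifest["tag"]):
        return [("<manifest>", "manifest altered")]
    findings = []
    for path, digest in manifest["hashes"].items():
        if not Path(path).is_file():
            findings.append((path, "decoy missing"))     # deletion is tamper too
        elif sha256_file(path) != digest:
            findings.append((path, "hash mismatch"))
    return findings

class BackupChain:
    def __init__(self, manifest, key):
        self.manifest, self.key = manifest, key
        self.frozen, self.images, self.alerts = False, [], []

    def run_backup(self, label):  # verify first; on tamper, alert and freeze
        if not self.frozen:
            self.alerts = verify(self.manifest, self.key)
            self.frozen = bool(self.alerts)
        if not self.frozen:       # a frozen chain never overwrites the clean image
            self.images.append(label)
        return not self.frozen

def demo():
    key, root = os.urandom(32), Path(tempfile.mkdtemp())
    decoys = [root / "q3_payroll.docx", root / "contracts.xlsx"]  # constructed names
    for d in decoys:
        d.write_bytes(b"constructed decoy content " + d.name.encode())
    chain = BackupChain(build_manifest(decoys, key), key)
    chain.run_backup("day-1")                 # decoys intact: image written
    decoys[0].write_bytes(os.urandom(64))     # simulate encryption
    decoys[1].unlink()                        # simulate deletion
    chain.run_backup("day-2")                 # tamper found: chain freezes
    return chain
```

Calling demo() returns a chain that holds only the "day-1" image, is frozen, and carries one alert per tampered decoy.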
Why Deterministic
Hash mismatches don't need a 30-day training period.
ML-based detection
30-day training period before reliable baseline.
After training, false positives still happen — and one false positive at 3am is enough to make admins ignore alerts.
Deterministic detection
Works on day one, endpoint one.
Hashes don't drift. A decoy is either intact or it's not. Zero false positives in 6+ weeks of internal testing on 40+ devices.
Competition
Druva charges $3–8 per endpoint per month for the worse version. We ship ours free.
| | BigMind | Druva | Veeam | Acronis |
|---|---|---|---|---|
| Detection method | Deterministic (hash-based) | ML-based | None | Heuristic |
| Training period | None — works at install | 30–60 days | n/a | Weeks |
| False positives in testing | 0 in 6+ weeks | Documented | n/a | Documented |
| Cost per endpoint | Free in every paid plan | $3–8/mo extra | n/a | Bundled |
| Mid-attack detection | ✓ | ✓ | ✗ | partial |

Response
Detection is half the job. Containment is the other half.
Dashboard alert
Visible immediately on Recovery Shield. Email notification (Plus and above).
Backup chain frozen
We stop new backups to that machine. The last clean image is protected from being overwritten.
Last clean image surfaced
Recovery Shield "Escape" view shows the pre-tamper image at the top of recovery options.
Audit trail
Every alert is logged with timestamp, device, and what tripped it. Useful for incident response and compliance.
Honesty
We complement antivirus and EDR. We don't replace them.
Canary detection works at the backup layer, not the endpoint layer. It tells you ransomware is encrypting your files. It doesn't stop the encryption (that's EDR's job) and it doesn't remediate (that's incident response). What it does is make sure you have a clean backup to recover from — which is the only thing that matters after an attack.
Availability
Free in every paid plan. Including DR Free.
The canary is included at every tier — including BigMind DR Free. Email alerts on tamper require Plus and above (Resilience or DR).
BigMind Resilience
DR-Only $5 · Standard $10 · Pro $24 · Enterprise — all include canary
See Resilience pricing
BigMind DR
Free $0 · Plus $59/yr · Pro $119/yr — all include canary; email alerts on Plus+
Try BigMind DR Free
Frequently asked questions
Does canary detection slow down backups?
No. The decoy hashing adds milliseconds per backup. Compared to a full block-level image, the overhead is statistical noise.
Can ransomware evade canary detection by skipping certain folders?
Some can — but to skip our decoys, the ransomware would need to know exactly which files to skip. Sophisticated targeted ransomware might attempt this; commodity ransomware won't. Either way, even partial detection still saves the bulk of your data and surfaces the attack.
What's the false positive rate?
Zero in 6+ weeks of internal testing across 40+ devices. Hash mismatches happen only when files are tampered with — they don't randomly trip from normal activity.
Does it work offline / air-gapped?
Yes. Detection runs locally during the backup. The alert reaches the dashboard whenever the agent next connects.
Will it stop the ransomware attack?
No — that's antivirus or EDR's job. We detect the attack, freeze your backup chain, and protect the last clean image so recovery is fast and reliable. We're the recovery layer; AV/EDR is the prevention layer.
Ready to make ransomware your problem, not your bankruptcy?
Start in 5 minutes. 14-day free trial. Or try BigMind DR Free with canary included — $0, no credit card.