How Syncthing will act if ransom encrypt files

Let’s assume that we have a synced folder between 2 Co-Servers; ransomware affects one of the servers that has the synced folder and the files are encrypted.

The encrypted files will be synced and encrypt the other backup server’s files. How to prevent transferring the encrypted files? Assume that the ransomware is transferred as a worm through the sync folder; how will Sync prevent those malicious files from being executed through the sync service?

Thanks

It is called Syncthing for a reason :wink:
A solid backup strategy is always recommended to prevent problems like the one in your example.


You cannot prevent transferring the files. Versioning could possibly let you recover the original ones on a remote device. Please see https://docs.syncthing.net/users/versioning.html.

Still, it will likely be a mess without a solid off-site or online backup.


I set up my systems with this and other calamities in mind. My Sync dirs are not the master copies of anything; they are manually backed-up copies of my master dirs, and I have a nightly cron job which compares master and Sync dirs to report discrepancies. All it has ever found is times I have forgotten to update Sync after changing a master file. If it ever does report massive differences because some blackmailer has cracked into one of my nodes and encrypted files, I’d consider that node to be absolutely untrusted and drop it offline for a fresh install and restore from backup. Meanwhile, I’d restore the Sync dirs from the master and reverse-propagate the proper data to all other Sync nodes, except the corrupted one of course.

Yes, kind of a pain. But life comes with drawbacks.
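The nightly master-versus-Sync comparison described in the post above, as an added example that is not the poster’s own script: it hashes every file in both trees, skips Syncthing’s `.stfolder` and `.stversions` directories, lists what differs, and flags the run as suspicious when a large share of files changed at once. The `alert_ratio` threshold and the `demo()` scenario are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

SKIP = {".stfolder", ".stversions"}  # Syncthing's own marker and versioning dirs

def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def _snapshot(root: Path) -> dict:
    """Map relative path -> digest for every regular file under root."""
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if not p.is_file() or rel.parts[0] in SKIP:
            continue
        out[rel.as_posix()] = _digest(p)
    return out

def compare_dirs(master: Path, sync: Path, alert_ratio: float = 0.2) -> dict:
    """Report discrepancies between the master copy and the Syncthing copy.
    A share of changed-or-new files at or above alert_ratio (an assumed
    threshold) is flagged as suspicious, since a single forgotten update
    touches one file while mass encryption touches most of them."""
    m, s = _snapshot(Path(master)), _snapshot(Path(sync))
    changed = sorted(k for k in m.keys() & s.keys() if m[k] != s[k])
    only_sync = sorted(set(s) - set(m))
    only_master = sorted(set(m) - set(s))
    ratio = (len(changed) + len(only_sync)) / max(len(m), 1)
    return {"changed": changed, "only_in_sync": only_sync,
            "only_in_master": only_master, "suspicious": ratio >= alert_ratio}

def demo() -> dict:
    """Constructed scenario: five documents, three overwritten with garbage in
    the Syncthing copy plus one dropped note (a hypothetical pattern)."""
    base = Path(tempfile.mkdtemp())
    master, sync = base / "master", base / "sync"
    for d in (master, sync / ".stfolder"):
        d.mkdir(parents=True)
    for i in range(5):
        (master / f"doc{i}.txt").write_text(f"document {i}\n")
        (sync / f"doc{i}.txt").write_text(f"document {i}\n")
    for i in range(3):
        (sync / f"doc{i}.txt").write_bytes(b"\x00garbled\x00")  # constructed
    (sync / "README_RESTORE.txt").write_text("constructed note\n")
    return compare_dirs(master, sync)

if __name__ == "__main__":
    print(demo())
```

Run it from cron against the real directories; a `suspicious` result is the cue to treat the node as untrusted rather than to let the next manual copy overwrite the Sync side.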

Sorry dear, but the language used is somehow hard to understand. What I got is that you write a script to back up the files to the Synology daily. What if ransomware encrypts those files and the script backs up and replaces the original files though? Does the Synology support file versioning to retrieve the original data from before the encryption happened?

No script. The primary copies of all my Syncthing data are kept elsewhere. When I change them, I manually copy the new version to Syncthing’s dir.

If some ransomware crackers were to infiltrate one of my nodes and change the Syncthing data, those encrypted copies would end up on all Syncthing nodes, but it would only be in the Syncthing directories. It could not copy backwards to my master non-Syncthing directories unless the crackers also broke into the master system.

I would recover by disabling the original corrupted node, then restoring the correct data from the primary source to the Syncthing copy, and let Syncthing propagate the original data back to all other nodes.

If the crackers broke into my primary system, and corrupted both the primary data and the Syncthing copy, I have offline backups which are made with the system offline. It would be more work to restore because I would have to wipe the corrupted system entirely and re-install the OS from scratch before restoring the backup data. But it could be done.

Thanks for the great description. I would ask more about offline backup: does that mean plugging in an external HDD manually and copying and pasting the data, or using backup software such as Veeam or Acronis to make a system image backup to the offline store?
