Symptoms
The folder C:\Acronis Active Protection Storage contains files with the .ENCRYPTED extension. The files are related to custom or hand-written programs on the computer.
Cause
When hand-written programs modify files on the computer, Acronis Active Protection may have a false positive and detect that program as ransomware, especially if some files or databases are modified quickly.
When ransomware is detected, Active Protection stops the suspicious program, reverts the changes made by the program and puts copies of the modified files in the C:\Acronis Active Protection Storage folder. The .ENCRYPTED extension is added to these files to indicate that they are copies of the original encrypted files.
These copies can be used for forensic purposes (investigating the encryption in order to learn more about the ransomware) or in case the user pays the ransom and has the opportunity to decipher them. This is a "plan B" for rare cases when Acronis Active Protection cannot restore the original non-encrypted files or they get corrupted during recovery.
Solution
Whitelist the custom application that causes a false-positive ransomware detection and triggers file recovery.
- Acronis Cyber Backup 12.5: see product documentation
- Acronis True Image: see Acronis True Image: Active Protection blocks legitimate applications for instructions.
If the blocked application is trusted, the contents of the C:\Acronis Active Protection Storage folder can be safely deleted.
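Before deleting the folder, the copies can be inventoried to check that the detection really was a false positive and to keep a record of what was removed. The Python script below is an added example, not Acronis code: it hashes each .ENCRYPTED copy and estimates its byte entropy. The 1 MiB sample size and the 7.5 bits/byte threshold are assumptions of this example, and compressed formats score as high as encrypted data.

```python
import hashlib
import math
import os
from collections import Counter

STORAGE = r"C:\Acronis Active Protection Storage"  # folder named in the article
SUFFIX = ".ENCRYPTED"                               # extension named in the article
SAMPLE_BYTES = 1 << 20  # assumption: entropy is estimated on the first 1 MiB
HIGH_ENTROPY = 7.5      # assumption: bits/byte; compressed data also scores this high


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inventory(root: str) -> list[dict]:
    """Return one record per *.ENCRYPTED copy found under root."""
    records = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.upper().endswith(SUFFIX):
                continue  # not a copy stored by Active Protection
            path = os.path.join(folder, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
                digest.update(head)
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)  # hash the rest of the file
            entropy = shannon_entropy(head)
            records.append({
                "path": path,
                "original_name": name[:-len(SUFFIX)],
                "size": os.path.getsize(path),
                "sha256": digest.hexdigest(),
                "entropy": round(entropy, 2),
                "looks_encrypted": entropy >= HIGH_ENTROPY,
            })
    return records


if __name__ == "__main__":
    for rec in inventory(STORAGE):
        flag = "HIGH-ENTROPY" if rec["looks_encrypted"] else "plain"
        print(f'{rec["sha256"]}  {rec["entropy"]:4.2f}  {flag:12}  {rec["path"]}')
```

Copies that score "plain" and sit next to a known in-house program's data are consistent with a false positive; high-entropy copies of files that are normally plain text warrant a closer look before anything is whitelisted or deleted.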