Code42 Support

Recover from ransomware

Applies to:
  • Code42 CrashPlan (previously CrashPlan PROe)

Overview

This tutorial provides best practices for a Code42 user to follow to recover from a ransomware attack. Ransomware is a form of malware that encrypts files on your computer and demands a ransom to decrypt these files. Instead of paying the criminals behind this attack, use the CrashPlan app to restore files to your device from a date and time before the infection.

This tutorial is a self-service set of instructions that you can follow to recover from ransomware on a single device. 

Considerations

Recommended recovery process

The following describes a recommended process using Code42 software only; you might also use other security and forensic tools to assist in the recovery.

Work with your security team
Work with your designated security team to quarantine the infected device and recover files. While this article provides best practices for using Code42 software to recover from ransomware, it does not account for your organization's defined recovery process.

Step 1: Determine the time of the infection

To recover from ransomware, you must restore files from a date before infection. Work with your security team to determine the time of the infection. Record when it occurred and what happened when the attack unfolded. This information can tell you at what time you can find the most recent uninfected files and what kind of ransomware attack you have experienced.

Step 2: Exclude known ransomware file types (optional)

As a precaution before restoring files, remove from existing archives the file that was the source of the infection as well as files with known ransomware file extensions. Removing these files helps ensure that you are not re-introducing infected files when you restore.

  1. Add file exclusions for the file that caused the original infection as well as files of known ransomware file types.
  2. Apply the settings using Lock.
    Lock is the only way to use exclusion settings to purge files from existing backups.

Step 3: Prepare a new device

Work with your security team to follow your organization's process for obtaining a new device after a ransomware attack.

Rather than attempting to remove the infection from the affected device, Code42 recommends that you quarantine the device and prepare a new device to replace the old device. As creators of ransomware become more adept at engineering their tools, it is best to ensure that the device you are restoring to is completely free of infection.

Use Windows USMT

If you are replacing a Windows device, and you used Microsoft's User State Migration Tool (USMT) to save Windows settings on the old device, you can ensure that the Windows settings are moved to the new device.

Step 4: Restore files from a time before the ransomware infection

CrashPlan app version 5.x

CrashPlan app version 4.x
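Before running the restore, it helps to screen the files you intend to bring back against the infection time from Step 1 and the exclusion list from Step 2, so nothing modified after the infection or carrying a known ransomware extension is reintroduced. The script below is an added example and is not Code42 code or part of this article; the extension list, the source file name and the sample records are constructed, and `screen_directory` is a hypothetical helper for walking a local staging folder.

```python
import os
from datetime import datetime, timezone
from pathlib import PurePosixPath

# Added example, not Code42 code. The extension list and source file name are
# constructed samples: replace them with what your security team identified.
KNOWN_RANSOMWARE_EXTENSIONS = {".locked", ".encrypted", ".crypted"}
INFECTION_SOURCE_FILES = {"invoice_2021.pdf.exe"}
UTC = timezone.utc

def classify(path, modified, infection_time):
    """Return 'restore' or a 'hold: ...' reason, applying Steps 1 and 2 above."""
    p = PurePosixPath(path)
    if p.name in INFECTION_SOURCE_FILES:
        return "hold: infection source file"
    # Ransomware usually appends its own extension, so check the last suffix.
    if p.suffix.lower() in KNOWN_RANSOMWARE_EXTENSIONS:
        return "hold: known ransomware extension"
    if modified >= infection_time:
        return "hold: modified at or after infection time"
    return "restore"

def screen(records, infection_time):
    """Split (path, modified-datetime) records into restorable and held lists."""
    restore, held = [], []
    for path, modified in records:
        verdict = classify(path, modified, infection_time)
        (restore if verdict == "restore" else held).append((path, verdict))
    return restore, held

def screen_directory(root, infection_time):
    """Walk a restore staging directory and screen each file by its mtime."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=UTC)
            records.append((full.replace(os.sep, "/"), mtime))
    return screen(records, infection_time)

if __name__ == "__main__":
    infection = datetime(2021, 3, 15, 9, 30, tzinfo=UTC)
    sample = [  # constructed sample records: (path, last-modified time)
        ("docs/report.docx", datetime(2021, 3, 10, 8, 0, tzinfo=UTC)),
        ("docs/report.docx.locked", datetime(2021, 3, 15, 9, 45, tzinfo=UTC)),
        ("downloads/invoice_2021.pdf.exe", datetime(2021, 3, 14, 17, 0, tzinfo=UTC)),
        ("photos/trip.jpg", datetime(2021, 3, 16, 12, 0, tzinfo=UTC)),
    ]
    for path, why in screen(sample, infection)[1]:
        print(f"{why:42} {path}")
```

Files listed as held should be reviewed with your security team rather than restored; the remaining files are the ones to bring back from the pre-infection backup.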
