Recover from ransomware
Who is this article for?
Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business
CrashPlan for Small Business, no.
Code42 for Enterprise, yes.
Link: Product plans and features.
Overview
This tutorial provides best practices for a Code42 user to follow to recover from a ransomware attack. Ransomware is a form of malware that encrypts files on your computer and demands a ransom to decrypt these files. Instead of paying the criminals behind this attack, use the Code42 app to restore files to your device from a date and time before the infection.
This tutorial is a self-service set of instructions that you can follow to recover from ransomware on a single device.
Considerations
Recommended recovery process
Step 1: Determine the time of the infection
Step 2: Exclude known ransomware file types (optional)
Step 3: Prepare a new device
Use Windows USMT
Step 4: Restore files from a time before the ransomware infection
Code42 app version 5.x, 6.x, and 7x
Code42 app 5.x and 6.x and later users can download files to a new device from a date and time before the ransomware infection by following the device replacement process:
- Make sure the Code42 app is installed to the new device.
- Sign in to the Code42 app on the new device.
The first time you sign in to the Code42 app, it detects whether there are other devices on the account and prompts you to either Add New Device (which starts a new backup for this device) or Replace Existing (adopts the original backup archive). - Choose Replace Existing.
Only choose Add New Device if there are infected files still in the backup archive and you don't want to risk accidentally restoring infected files to the new device. - Click Start.
- Choose the device you want to replace and click Continue.
If you chose Replace Existing for a Windows device and had user profile backup enabled on the old device, the Code42 app prompts you to select which USMT profile settings you want to restore to the new device. - Click Select Files To Transfer to begin the process of transferring files to the new device.
The file browser opens.
- Click As Of Today.
The date and time selection dialog opens. - Select a date and time from before the time of the infection.
Important
Restoring from the most recent date and time stamp may cause the new machine to be infected. Select a time and date before infection based on your testing to determine the time of the infection.
Restoring from the most recent date and time stamp may cause the new machine to be infected. Select a time and date before infection based on your testing to determine the time of the infection.
- Select files to restore to the new device.
- Click Get Files.
- Modify the Get Files options:
- From Save selected files to, select original location.
- From If file already exists, select overwrite.
- Click Go to download the files.
The download may take a long time. Do not cancel the restore job. - After files are downloaded, click Continue.
- On the Transfer files to new device dialog, click Continue.
- On the Transfer settings to new device page, click Continue.
- After files are transferred, a prompt to sign in to the new device appears. Sign in to the new device and click Finish on the Your device is ready! dialog to complete the device replacement.
Code42 app version 4.x
Code42 app 4.x users can download files to a new device from a date and time before the ransomware infection by restoring files from the backup archive:
- Ensure the Code42 app is installed to the new device.
- Sign in to the Code42 app on the new device. Select Existing Account from the sign in dialog.
Do not adopt the previous archive
After sign in, a message appears on the Backup tab prompting you to adopt the previous backup archive. Do not adopt the previous archive at this time. Adopting the previous archive could reintroduce infected files. You should adopt the previous archive only after you finish restoring files.
After sign in, a message appears on the Backup tab prompting you to adopt the previous backup archive. Do not adopt the previous archive at this time. Adopting the previous archive could reintroduce infected files. You should adopt the previous archive only after you finish restoring files.
- Click the Restore tab.
- Click the Restore files for computer list to select the old device whose files you want to restore to the new device.
- If the selected device was backing up to multiple destinations, in From backup destination select the destination that you want to use for this restore.
- At the bottom of the dialog, click most recent and select a date and time from before the time of the infection.
Important
Restoring from the most recent date and time stamp may cause the new machine to be infected. Select a time and date before infection based on your testing to determine the time of the infection.
Restoring from the most recent date and time stamp may cause the new machine to be infected. Select a time and date before infection based on your testing to determine the time of the infection.
- Select the folders and files you want to restore.
- Update the restore options:
- Select original location.
- Select overwrite.
- Click Restore.
Your download begins immediately. The download may take a long time. Do not cancel the restore job.
