Recover from ransomware

Last updated

11:08, 5 Jun 2017
Save as PDF
Share
1. Share
2. Share
3. Tweet

Available in:

CrashPlan PRO

Standard
Premium
Enterprise

Applies to:

Overview

This tutorial provides best practices for Code42 administrators to follow to recover from a ransomware attack.

Ransomware is a form of malware that encrypts files on a user's computer and demands a ransom to decrypt these files. Instead of paying the criminals behind this attack, you can use Code42 software to restore the user's files from a date and time prior to the infection.

Considerations

The United States Federal Bureau of Investigation (FBI) urges ransomware victims to report attacks.
Frequency and version settings enable you to download files from a date and time before the infection. However, if you have not properly prepared for a ransomware attack (for example, ensured all devices are backed up, set good frequency and version settings), it's possible that even the oldest version could be infected.

Recommended recovery process

The following describes a recommended process using Code42 software only; you might utilize other security and forensic tools to assist in the recovery.

Work with your security team
Work with your designated security team to quarantine the infected device and recover files. While this article provides best practices for using Code42 software to recover from ransomware, it does not account for your organization's defined recovery process.

Step 1: Determine the time of the infection

To recover from ransomware, you must restore files from a date before infection. Work with your security team to determine the time of the infection. Ask the end users involved in the attack when it occurred and what they were doing when the attack unfolded. This can tell you at what time you can find the most recent uninfected files and what kind of ransomware you are dealing with.

Step 2: Prepare a new device

Work with your security team to follow your organization's process for providing a new device to a user after a ransomware attack.

Rather than attempting to remove the infection from the affected device, Code42 recommends that you quarantine the device and prepare a new device to replace the old device. As creators of ransomware become more adept at engineering their product, it is best to err on the side of ensuring that the device you are restoring to is completely free of infection.

Use Windows USMT

If you are replacing a Windows device, and you used Microsoft's User State Migration Tool (USMT) to save Windows settings on the old device, you can ensure that the user's Windows settings are moved to the new device.

Step 3: Restore files from a time before the ransomware infection

Exclude known ransomware file types (optional)

As a precaution before restoring files, you can remove files with known ransomware file extensions from existing archives. This can ensure that you are not re-introducing infected files when you restore.

Add file exclusions of known ransomware file types.
Apply the settings using Lock.
Lock is the only way to use exclusion settings to purge files from existing backups.

Restore uninfected files with the Code42 app

Code42 app version 4.x

Code42 app 4.x users can download files to a new device from a date and time before the ransomware infection by restoring files from the backup archive:

Ensure the Code42 app is installed to the new device.
Ask the user to log on to the Code42 app on the new device. Select Existing Account on the login dialog.

Do not adopt the previous archive
After login, the Backup tab displays a message prompting you to adopt the previous backup archive. Do not adopt the previous archive at this time. Doing so could reintroduce infected files. You should adopt the previous archive only after you finish restoring files.

Click the Restore tab.
Click the dropdown list to the right of Restore files for computer to select the old device whose files you want to restore to the new device.
If the selected device was backing up to multiple destinations, in From backup destination select the destination that you want to use for this restore.
At the bottom of the dialog, click most recent and select a date and time from before the time of the infection.

Important
Restoring from the most recent date and time stamp may cause the new machine to be infected. Select a time and date before infection based on your testing to determine the time of the infection.

Select the checkboxes for the folders and files you want to restore.
Update the restore options:

Select original location.
Select overwrite.

Click Restore.
Your download begins immediately. The download may take a long time. Do not cancel the restore job.

Code42 app version 5.x and 6.x

Code42 app 5.x and 6.x users can download files to a new device from a date and time before the ransomware infection by following the device replacement process:

Make sure the Code42 app is installed to the new device.
Ask the user to sign in to the Code42 app on the new device.
The first time you sign in to the Code42 app, it detects whether there are other devices on the account and prompts you to either Add New Device (which starts a new backup for this device) or Replace Existing (adopts the original backup archive).
Choose Replace Existing. (Only choose Add Device if there are infected files still in the backup archive and you don't want to risk accidentally restoring infected files to the new device.)
Click Start.
Choose the device you want to replace and click Continue.
If you choose Replace Existing for a Windows device and had user profile backup enabled on the old device, there is an additional screen asking which USMT profile settings you want to restore to the new device.
Click Select Files To Transfer to begin the process of transferring files to the new device.
The file browser opens.
Click As Of Today.
The date and time selection dialog opens.
Select a date and time from before the time of the infection.

Select files to restore to the new device.
Click Get Files.
Modify the Get Files options:

From Save selected files to, select original location.
From If file already exists, select overwrite.

Click Go to download the files.
The download may take a long time. Do not cancel the restore job.
After files are downloaded, click Continue.
On the Transfer files to new device dialog, click Continue.
On the Transfer settings to new device page, click Continue.
After files are transferred, you are prompted to log in to the new device. Log in to the new device and click Finish on the Your device is ready! dialog to complete the device replacement.

External resources

Ransomware (Wikipedia)
Ransomware Victims Urged To Report Infections To Federal Law Enforcement (Alert Number I-091516-PSA) (FBI)
ISTR Insights Special Report: Ransomware and Business 2016 (Symantec)
Use These Five Backup and Recovery Best Practices to Protect Against Ransomware (Gartner Group)