Recover from ransomware

Last updated
Save as PDF
Share
1. Share
2. Tweet

Who is this article for?

CrashPlan for Small Business

Incydr, no.

CrashPlan for Enterprise, yes.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to on-premises authority servers.

Other available versions:

Cloud

Overview

This tutorial provides best practices for a Code42 user to follow to recover from a ransomware attack. Ransomware is a form of malware that encrypts files on your computer and demands a ransom to decrypt these files. Instead of paying the criminals behind this attack, use the Code42 app to restore files to your device from a date and time before the infection.

This tutorial is a self-service set of instructions that you can follow to recover from ransomware on a single device.

Considerations

Recommended recovery process

Step 1: Determine the time of the infection

Step 2: Exclude known ransomware file types (optional)

As a precaution before restoring files, remove from existing archives the file that was the source of the infection as well as files with known ransomware file extensions. Removing these files helps ensure that you are not re-introducing infected files when you restore.

Add file exclusions for the file that caused the original infection as well files of known ransomware file types.
Apply the settings using Lock.
Lock is the only way to use exclusion settings to purge files from existing backups.

Step 3: Prepare a new device

Use Windows USMT

Step 4: Restore files from a time before the ransomware infection

Code42 app version 5.x, 6.x and later

Code42 app 5.x and 6.x and later users can download files to a new device from a date and time before the ransomware infection by following the device replacement process:

Make sure the Code42 app is installed to the new device.
Sign in to the Code42 app on the new device.
The first time you sign in to the Code42 app, it detects whether there are other devices on the account and prompts you to either Add New Device (which starts a new backup for this device) or Replace Existing (adopts the original backup archive).
Choose Replace Existing.
Only choose Add New Device if there are infected files still in the backup archive and you don't want to risk accidentally restoring infected files to the new device.
Click Start.
Choose the device you want to replace and click Continue.
If you chose Replace Existing for a Windows device and had user profile backup enabled on the old device, the Code42 app prompts you to select which USMT profile settings you want to restore to the new device.
Click Select Files To Transfer to begin the process of transferring files to the new device.
The file browser opens.
Click As Of Today.
The date and time selection dialog opens.
Select a date and time from before the time of the infection.

Important
Restoring from the most recent date and time stamp may cause the new machine to be infected. Select a time and date before infection based on your testing to determine the time of the infection.

Select files to restore to the new device.
Click Get Files.
Modify the Get Files options:

From Save selected files to, select original location.
From If file already exists, select overwrite.

Click Go to download the files.
The download may take a long time. Do not cancel the restore job.
After files are downloaded, click Continue.
On the Transfer files to new device dialog, click Continue.
On the Transfer settings to new device page, click Continue.
After files are transferred, a prompt to sign in to the new device appears. Sign in to the new device and click Finish on the Your device is ready! dialog to complete the device replacement.

Code42 app version 4.x

Code42 app 4.x users can download files to a new device from a date and time before the ransomware infection by restoring files from the backup archive:

Ensure the Code42 app is installed to the new device.
Sign in to the Code42 app on the new device. Select Existing Account from the sign in dialog.

Do not adopt the previous archive
After sign in, a message appears on the Backup tab prompting you to adopt the previous backup archive. Do not adopt the previous archive at this time. Adopting the previous archive could reintroduce infected files. You should adopt the previous archive only after you finish restoring files.

Click the Restore tab.
Click the Restore files for computer list to select the old device whose files you want to restore to the new device.
If the selected device was backing up to multiple destinations, in From backup destination select the destination that you want to use for this restore.
At the bottom of the dialog, click most recent and select a date and time from before the time of the infection.

Select the folders and files you want to restore.
Update the restore options:

Select original location.
Select overwrite.

Click Restore.
Your download begins immediately. The download may take a long time. Do not cancel the restore job.

Code42 app restore data