Recover from ransomware
Available in:
Overview
This tutorial provides best practices for a Code42 user to follow to recover from a ransomware attack. Ransomware is a form of malware that encrypts files on your computer and demands a ransom to decrypt these files. Instead of paying the criminals behind this attack, use the Code42 app to restore files to your device from a date and time before the infection.
This tutorial is a self-service set of instructions that you can follow to recover from ransomware on a single device.
Considerations
- The United States Federal Bureau of Investigation (FBI) urges ransomware victims to report attacks.
- Frequency and version settings enable you to download files from a date and time before the infection. However, if you have not properly prepared for a ransomware attack (for example, ensured all devices are backed up, set good frequency and version settings), it's possible that even the oldest version could be infected.
Recommended recovery process
The following describes a recommended process using Code42 software only; you might also use other security and forensic tools to assist in the recovery.
Work with your designated security team to quarantine the infected device and recover files. While this article provides best practices for using Code42 software to recover from ransomware, it does not account for your organization's defined recovery process.
Step 1: Determine the time of the infection
To recover from ransomware, you must restore files from a date before infection. Work with your security team to determine the time of the infection. Record when it occurred and what happened when the attack unfolded. This information can tell you at what time you can find the most recent uninfected files and what kind of ransomware attack you have experienced.
Step 2: Exclude known ransomware file types (optional)
As a precaution before restoring files, remove from existing archives the file that was the source of the infection as well as files with known ransomware file extensions. Removing these files helps ensure that you are not re-introducing infected files when you restore.
- Add file exclusions for the file that caused the original infection as well files of known ransomware file types.
- Apply the settings using Lock.
Lock is the only way to use exclusion settings to purge files from existing backups.
Step 3: Prepare a new device
Work with your security team to follow your organization's process for obtaining a new device after a ransomware attack.
Rather than attempting to remove the infection from the affected device, Code42 recommends that you quarantine the device and prepare a new device to replace the old device. As creators of ransomware become more adept at engineering their tools, ensure that the device you are restoring to is completely free of infection.
Use Windows USMT
If you are replacing a Windows device, and you used Microsoft's User State Migration Tool (USMT) to save Windows settings on the old device, you can ensure that the Windows settings are moved to the new device.
Step 4: Restore files from a time before the ransomware infection
Code42 app version 5.x and 6.x
Code42 app 5.x and 6.x users can download files to a new device from a date and time before the ransomware infection by following the device replacement process:
- Make sure the Code42 app is installed to the new device.
- Sign in to the Code42 app on the new device.
The first time you sign in to the Code42 app, it detects whether there are other devices on the account and prompts you to either Add New Device (which starts a new backup for this device) or Replace Existing (adopts the original backup archive). - Choose Replace Existing.
Only choose Add New Device if there are infected files still in the backup archive and you don't want to risk accidentally restoring infected files to the new device. - Click Start.
- Choose the device you want to replace and click Continue.
If you chose Replace Existing for a Windows device and had user profile backup enabled on the old device, the Code42 app prompts you to select which USMT profile settings you want to restore to the new device. - Click Select Files To Transfer to begin the process of transferring files to the new device.
The file browser opens.
- Click As Of Today.
The date and time selection dialog opens. - Select a date and time from before the time of the infection.
Restoring from the most recent date and time stamp may cause the new machine to be infected. Select a time and date before infection based on your testing to determine the time of the infection.
- Select files to restore to the new device.
- Click Get Files.
- Modify the Get Files options:
- From Save selected files to, select original location.
- From If file already exists, select overwrite.
- Click Go to download the files.
The download may take a long time. Do not cancel the restore job. - After files are downloaded, click Continue.
- On the Transfer files to new device dialog, click Continue.
- On the Transfer settings to new device page, click Continue.
- After files are transferred, a prompt to sign in to the new device appears. Sign in to the new device and click Finish on the Your device is ready! dialog to complete the device replacement.
Code42 app version 4.x
Code42 app 4.x users can download files to a new device from a date and time before the ransomware infection by restoring files from the backup archive:
- Ensure the Code42 app is installed to the new device.
- Sign in to the Code42 app on the new device. Select Existing Account from the sign in dialog.
After sign in, a message appears on the Backup tab prompting you to adopt the previous backup archive. Do not adopt the previous archive at this time. Adopting the previous archive could reintroduce infected files. You should adopt the previous archive only after you finish restoring files.
- Click the Restore tab.
- Click the Restore files for computer list to select the old device whose files you want to restore to the new device.
- If the selected device was backing up to multiple destinations, in From backup destination select the destination that you want to use for this restore.
- At the bottom of the dialog, click most recent and select a date and time from before the time of the infection.
Restoring from the most recent date and time stamp may cause the new machine to be infected. Select a time and date before infection based on your testing to determine the time of the infection.
- Select the folders and files you want to restore.
- Update the restore options:
- Select original location.
- Select overwrite.
- Click Restore.
Your download begins immediately. The download may take a long time. Do not cancel the restore job.
