CryptoLocker and CryptoWall are forms of malware that encrypt files on your computer and demand that you pay a ransom to decrypt them. Instead of paying the criminals behind this attack, you can use CrashPlan to restore your files from a date and time prior to the infection. This article describes how to use CrashPlan to recover your files from a CryptoLocker or CryptoWall attack.
- Known to affect Windows computers
- Attacks files on any storage connected to an infected computer, including flash drives, external drives, or mapped network drives
- Targets specific file types
How CrashPlan can help you recover from CryptoLocker or CryptoWall
Code42 has always believed that comprehensive version retention of files is essential to a good backup. That's why CrashPlan's default frequency and version settings let you restore files from a date and time in the past. If your computer becomes infected by CryptoLocker or CryptoWall, this enables you to restore your files from a date and time prior to the infection. To check how frequently versions of your files are backed up:
- Open the CrashPlan app
- Go to Settings > Backup
- Click Configure for frequency and versions
Your version settings must allow backups frequently enough to give you a range of dates from which to choose should your computer become infected. If your frequency and version settings are too restrictive, it's possible that even your oldest version could be encrypted by CryptoLocker or CryptoWall. At a minimum, we recommend the default settings shown below.
Before you begin
The recommended solution below instructs you to restore files from a date before your computer was infected. If you do not know the precise date of infection, you can do a test restore on several infected files to determine the date of infection.
In CrashPlan app version 4.8.4 and later, the Restore tab is updated. For instructions, see Restore files from the CrashPlan app version 4.8.4 and later.
To restore an earlier version of the file:
- Open the CrashPlan app and go to Restore
- If there are multiple computers on your account, select the infected computer
- If you are backing up to multiple destinations, choose the destination from which you want to restore in the backup destination list
- Click most recent to open the options for restoring from a previous date and time
- Select a date and time that you believe is close to the time of infection
- Select an infected file from the list of files
- Click Restore
- Open the file
If you are able to open the file, then you know that your computer was not yet infected on the date and time you selected. If the restored file is encrypted, repeat the steps above and select an earlier date and time.
CryptoLocker and CryptoWall inform you of infection only after they have finished encrypting your files. This encryption process can take several hours or days, depending on your computer and your files. You may want to test several files to further isolate the date and time of infection.
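When you test-restore several files from several dates, you can check them in bulk instead of opening each one. The script below is an added example, not Code42 code or part of CrashPlan: it flags restored content that no longer matches its file type and reports the latest version time at which every tested file was still readable. The function names, the entropy threshold and the sample data are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

# Leading bytes of a few common formats (well-known file signatures).
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: does the restored content no longer match its file type?"""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in MAGIC:
        # Compressed formats are high-entropy even when healthy, so only
        # the signature is a usable test for them.
        return not data.startswith(MAGIC[ext])
    # Types without a signature here (plain text): readable text scores
    # well below the assumed threshold, encrypted bytes score near 8.
    return entropy(data[:65536]) > threshold

def last_clean(restores):
    """restores: (version_time, file_name, content) tuples from test restores.
    Returns the latest version time before any tested file was encrypted."""
    ok_at = {}
    for ts, name, data in restores:
        ok_at[ts] = ok_at.get(ts, True) and not looks_encrypted(name, data)
    bad = [ts for ts, ok in ok_at.items() if not ok]
    clean = [ts for ts, ok in ok_at.items() if ok and (not bad or ts < min(bad))]
    return max(clean) if clean else None

# Constructed sample data: stand-ins for files restored from three version times.
TEXT = b"Quarterly report draft, revision 3.\n" * 50
PDF = b"%PDF-1.4\n% constructed sample body\n"
NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLE = [
    ("2016-03-01T09:00", "notes.txt", TEXT), ("2016-03-01T09:00", "invoice.pdf", PDF),
    ("2016-03-02T09:00", "notes.txt", TEXT), ("2016-03-02T09:00", "invoice.pdf", NOISE),
    ("2016-03-03T09:00", "notes.txt", NOISE), ("2016-03-03T09:00", "invoice.pdf", NOISE),
]

if __name__ == "__main__":
    print("Restore from:", last_clean(SAMPLE))
```

Because encryption can take hours or days, the script treats a version time as clean only if it is earlier than the first time any tested file came back encrypted. Compressed file types that are not listed in `MAGIC` will be flagged by the entropy fallback even when healthy, so add their signatures before relying on the result.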
If your computer is infected by CryptoLocker or CryptoWall, follow the steps below to recover your files.
Step 1: Remove the CryptoLocker or CryptoWall infection
If you have not already done so, the first step is to remove the infection from the affected computer. Many sites offer tutorials on removing CryptoLocker or CryptoWall. See External Resources for more information.
Note: Code42 Customer Champions cannot help you remove CryptoLocker or CryptoWall from your computer. Consult a computer specialist if you have additional questions about removing the infection.
Some variants of CryptoLocker and CryptoWall may rename your files. Check for any renamed files and remove them before continuing.
Step 2: Restore files from a time prior to infection
- Select a date and time that you have verified occurred prior to infection
- Select original location
- Select the option to overwrite any existing files
If you replaced or reformatted the infected computer, follow our Restoring Your System guide.
You must restore your files from a date and time prior to infection.