Skip to main content

This article applies to Code42 for Enterprise version 5.

Other available versions:

Version 6 | Version 4icon.qnmark.png

Code42 Support

Recover files infected by CryptoLocker or CryptoWall

This article applies to Code42 for Enterprise version 5.

Other available versions:

Version 6 | Version 4icon.qnmark.png


CryptoLocker and CryptoWall are a form of malware that encrypts files on your device and demands that you pay a ransom to decrypt these files. Instead of paying the criminals behind this attack, use Code42 CrashPlan to download your files from a date and time before the infection. This article describes how to use CrashPlan to recover your files from a CryptoLocker or CryptoWall attack.


  • Known to affect Windows devices
  • Attacks files on any storage connected to an infected devices, including flash drives, external drives, or mapped network drives
  • Targets specific file types


This article assumes you are able to edit your file retention settings. Your administrator may prevent editing of this setting.

How CrashPlan can help you recover from CryptoLocker or Cryptowall

If your device becomes infected by CryptoLocker or CryptoWall, your frequency and version settings enable you to download your files from a date and time before the infection. The version settings must allow backups frequently enough to give you a range of dates from which to choose. If these settings are too restrictive, it's possible that even your oldest version could be encrypted by CryptoLocker or CryptoWall. To check how frequently versions of your files are backed up:

  1. Sign in to the administration console.
  2. Choose Devices.Frequency and versions
  3. From Device Overview, click on the name of the device.
  4. Select the action menu.
  5. Choose Edit.
  6. Select Backup.
  7. Navigate to Frequency and Versions.

Before you begin

The recommended solution below instructs you to download files from a date before infection. If you do not know the date of infection, you can download several file versions to determine the date of infection.

To download an earlier version of the file:

  1. Sign in to the CrashPlan app.
  2. From the list of your devices, select Get Files for the infected device.
  3. If you are backing up to multiple destinations, you can select the arrow next to the destination shown to choose a destination.
    Download file
  4. Click As Of Today.
    The date and time selection window opens.
  5. Select a date and time that you believe is close to the time of infection.
  6. Hover over an infected file, and click the download icon.
    Your download is added to the downloads manager.
  7. Open the file.

If you are able to open the file, then you know that your device was not yet infected on the date and time you selected. If the downloaded file is encrypted, repeat the steps above and select an earlier date and time.

Time of infection
CryptoLocker and CryptoWall informs you of infection only after they have finished encrypting your files. This encryption process can take several hours or days, depending on your device and your files. You may want to test several files to further isolate the date and time of infection.

Recommended solution

If your device is infected by CryptoLocker or CryptoWall, follow the steps below to recover your files.

Step 1: Remove the CryptoLocker or Cryptowall infection

If you have not already done so, the first step is to remove the infection from the affected device. Many sites offer tutorials on removing CryptoLocker or CryptoWall. See External Resources for more information.

Note: Code42 Customer Champions cannot help you remove CryptoLocker or CryptoWall from your device. Consult a specialist if you have additional questions about removing the infection.

Removing infected files
Some variants of CryptoLocker and CryptoWall may rename your files. Check for any renamed files and remove them before continuing.

Step 2: Download files from a time before the infection

You can now download your files from a date before the infection. After selecting the files you want to recover, click Get Files. Then, modify the Get Files options:

Alternative solution

If you replaced or reformatted the infected device, follow our Downloading All Files On A New Device guide.

Downloading your files
You must download your files from a date and time before the infection.