Recover files infected by CryptoLocker or CryptoWall
Overview
CryptoLocker and CryptoWall are forms of malware that encrypt files on your device and demand that you pay a ransom to decrypt them. Instead of paying the criminals behind this attack, use the Code42 agent to download your files from a date and time before the infection. This article describes how to use the Code42 agent to recover your files from a CryptoLocker or CryptoWall attack.
Affects
- Known to affect Windows devices
- Attacks files on any storage connected to an infected device, including flash drives, external drives, or mapped network drives
- Targets specific file types
Considerations
This article assumes you are able to edit your file retention settings. Your administrator may prevent editing of this setting.
How the Code42 agent can help you recover from CryptoLocker or CryptoWall
If your device becomes infected by CryptoLocker or CryptoWall, your frequency and version settings enable you to download your files from a date and time before the infection. The version settings must allow backups frequently enough to give you a range of dates from which to choose. If these settings are too restrictive, it's possible that even your oldest version could be encrypted by CryptoLocker or CryptoWall.
To check how frequently versions of your files are backed up:
- Sign in to the Code42 console.
- Select Devices > Active.
- Click the name of your device.
- Select Edit from the action menu.
- Click Backup or Backup Sets.
  If your administrator has enabled backup sets, this tab is named Backup Sets.
- Navigate to Frequency and Versions.
Before you begin
The recommended solution below instructs you to download files from a date before infection. If you do not know the date of infection, you can download several file versions to determine the date of infection.
To download an earlier version of the file:
- Open the Code42 agent.
- Go to a list of your backed-up files:
- Click As Of Today.
  The date and time selection window opens.
- Select a date and time that you believe is close to the time of infection.
- Hover over an infected file, and click the download icon.
  Your download is added to the Downloads. Download Activity displays the status of your download.
- Open the file.
If you are able to open the file, then you know that your device was not yet infected on the date and time you selected. If the downloaded file is encrypted, repeat the steps above and select an earlier date and time.
CryptoLocker and CryptoWall inform you of infection only after they have finished encrypting your files. This encryption process can take several hours or days, depending on your device and your files. You may want to test several files to further isolate the date and time of infection.
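Once several versions have been downloaded, the open-and-check procedure above can be scripted. The following is an added example, not Code42 code: it treats a version as likely encrypted when its leading bytes do not match the signature for its extension (or, for other files, when its byte entropy is near-random), then reports the latest clean version that is older than the earliest encrypted one across all files. The sample versions, their dates, and the 7.5 entropy threshold are constructed assumptions.

```python
import hashlib
import math
from collections import Counter
from datetime import datetime

# Leading bytes expected for a few common formats (extend as needed).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}

def entropy(data):
    """Shannon entropy in bits per byte; ciphertext approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_encrypted(name, data):
    """Heuristic stand-in for 'the downloaded file will not open'."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in MAGIC:
        return not data.startswith(MAGIC[ext])
    # Assumed threshold; only meaningful for uncompressed files such as text.
    return entropy(data) > 7.5

def restore_point(versions):
    """versions: list of (timestamp, name, data).
    Returns (latest clean timestamp before any encrypted version,
             earliest encrypted timestamp)."""
    bad = [ts for ts, name, data in versions if looks_encrypted(name, data)]
    first_bad = min(bad) if bad else None
    good = [ts for ts, name, data in versions
            if not looks_encrypted(name, data)
            and (first_bad is None or ts < first_bad)]
    return (max(good) if good else None, first_bad)

# Constructed sample: pseudo-random bytes stand in for encrypted content.
NOISE = b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(128))
SAMPLE = [
    (datetime(2024, 3, 1, 9), "report.pdf", b"%PDF-1.7\n" + b"text " * 200),
    (datetime(2024, 3, 2, 9), "notes.txt", b"meeting notes\n" * 50),
    (datetime(2024, 3, 3, 9), "report.pdf", b"%PDF-1.7\n" + b"text " * 200),
    (datetime(2024, 3, 4, 9), "notes.txt", NOISE),   # encrypted first
    (datetime(2024, 3, 5, 9), "report.pdf", NOISE),  # encrypted a day later
]

if __name__ == "__main__":
    clean, first_bad = restore_point(SAMPLE)
    print("earliest encrypted version:", first_bad)
    print("restore from on or before: ", clean)
```

In the sample, report.pdf is still intact on the day notes.txt is already encrypted, which is why the restore point is taken from before the earliest encrypted version of any file rather than from a single file's history.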
Recommended solution
If your device is infected by CryptoLocker or CryptoWall, follow the steps below to recover your files.
Step 1: Remove the CryptoLocker or CryptoWall infection
If you have not already done so, the first step is to remove the infection from the affected device. Many sites offer tutorials on removing CryptoLocker or CryptoWall. See External Resources for more information.
Note: Code42 Technical Support Engineers cannot help you remove CryptoLocker or CryptoWall from your device. Consult a specialist if you have additional questions about removing the infection.
Some variants of CryptoLocker and CryptoWall may rename your files. Check for any renamed files and remove them before continuing.
Step 2: Download files from a time before the infection
You can now download your files from a date before the infection.
- After selecting the files you want to recover
- Modify the options:
  - From Save selected files to, select original location.
  - From If file already exists, select overwrite.
Alternative solution
If you replaced or reformatted the infected device, follow our Downloading All Files On A New Device guide.
You must download your files from a date and time before the infection.