Skip to main content

Who is this article for?

Incydr risk agent
Backup and legacy agents

Not sure which agent type you have? See the Organizations screen in the Code42 console.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, no.

Incydr Basic, Advanced, and Gov F1, yes.

Code42 Support

Recover files infected by CryptoLocker or CryptoWall


CryptoLocker and CryptoWall are a form of malware that encrypts files on your device and demands that you pay a ransom to decrypt these files. Instead of paying the criminals behind this attack, use the Code42 agent to download your files from a date and time before the infection. This article describes how to use the Code42 agent to recover your files from a CryptoLocker or CryptoWall attack.


  • Known to affect Windows devices
  • Attacks files on any storage connected to an infected devices, including flash drives, external drives, or mapped network drives
  • Targets specific file types


This article assumes you are able to edit your file retention settings. Your administrator may prevent editing of this setting.

How the Code42 agent can help you recover from CryptoLocker or Cryptowall

If your device becomes infected by CryptoLocker or CryptoWall, your frequency and version settings enable you to download your files from a date and time before the infection. The version settings must allow backups frequently enough to give you a range of dates from which to choose. If these settings are too restrictive, it's possible that even your oldest version could be encrypted by CryptoLocker or CryptoWall.

To check how frequently versions of your files are backed up:

  1. Sign in to the Code42 console.
  2. Select Devices > Active.
  3. Click the name of your device.
  4. Select Edit from the the action menu.
  5. Click Backup or Backup Sets.
    If your administrator has enabled backup sets, this tab is named Backup Sets.
  6. Navigate to Frequency and Versions.
    Frequency and versions retention settings

Before you begin

The recommended solution below instructs you to download files from a date before infection. If you do not know the date of infection, you can download several file versions to determine the date of infection.

To download an earlier version of the file:

  1. Open the Code42 agent.
  2. Go to a list of your backed-up files:
  1. Click Restore Files.
  2. (Applies only if you have multiple devices) From the menu, select the device that originally backed up the files you want to restore.

Restore a file from the Code42 app

  1. If you back up to multiple destinations, select the destination from Restore files from.
    The backup set list appears after Restore files from if you have multiple backup sets that use the same destination. Select the backup set that contains the files you want.

  2. Click As Of Today.
    The date and time selection window opens.
  3. Select a date and time that you believe is close to the time of infection.
  4. Hover over an infected file, and click the download icon.
    Your download is added to the DownloadsDownload Activity displays the status of your download.
  5. Open the file.

If you are able to open the file, then you know that your device was not yet infected on the date and time you selected. If the downloaded file is encrypted, repeat the steps above and select an earlier date and time.

Time of infection
CryptoLocker and CryptoWall informs you of infection only after they have finished encrypting your files. This encryption process can take several hours or days, depending on your device and your files. You may want to test several files to further isolate the date and time of infection.

Recommended solution

If your device is infected by CryptoLocker or CryptoWall, follow the steps below to recover your files.

Step 1: Remove the CryptoLocker or Cryptowall infection

If you have not already done so, the first step is to remove the infection from the affected device. Many sites offer tutorials on removing CryptoLocker or CryptoWall. See External Resources for more information.

Note: Code42 Technical Support Engineers cannot help you remove CryptoLocker or CryptoWall from your device. Consult a specialist if you have additional questions about removing the infection.

Removing infected files
Some variants of CryptoLocker and CryptoWall may rename your files. Check for any renamed files and remove them before continuing.

Step 2: Download files from a time before the infection

You can now download your files from a date before the infection.

  1. After selecting the files you want to recover
  1. Click Restore Files.
  2. (Applies only if you have multiple devices) From the menu, select the device that originally backed up the files you want to restore.
  1. Modify the options:

Alternative solution

If you replaced or reformatted the infected device, follow our Downloading All Files On A New Device guide.

Downloading your files
You must download your files from a date and time before the infection.
  • Was this article helpful?