
Recovering Files Infected By CryptoLocker Or CryptoWall

Applies to:
  • CrashPlan for Home
Need enterprise or small business documentation?
This article is intended for CrashPlan for Home users. For Code42 CrashPlan and CrashPlan for Small Business documentation, read this page on our enterprise support site.

Overview

CryptoLocker and CryptoWall are forms of malware that encrypt files on your computer and demand that you pay a ransom to decrypt them. Instead of paying the criminals behind this attack, you can use CrashPlan to restore your files from a date and time prior to the infection. This article describes how to use CrashPlan to recover your files from a CryptoLocker or CryptoWall attack.

Affects

  • Known to affect Windows computers
  • Attacks files on any storage connected to an infected computer, including flash drives, external drives, or mapped network drives
  • Targets specific file types

How CrashPlan can help you recover from CryptoLocker or CryptoWall

Code42 has always believed that comprehensive version retention of files is essential to a good backup. That's why CrashPlan's default frequency and version settings let you restore files from a date and time in the past. If your computer becomes infected by CryptoLocker or CryptoWall, this enables you to restore your files from a date and time prior to the infection. To check how frequently versions of your files are backed up:

  1. Open the CrashPlan app
  2. Go to Settings > Backup
  3. Click Configure for frequency and versions
Frequency And Version Settings
Your version settings must allow backups frequently enough to give you a range of dates from which to choose should your computer become infected. If your frequency and version settings are too restrictive, it's possible that even your oldest version could be encrypted by CryptoLocker or CryptoWall. At a minimum, we recommend the default settings shown below.

CrashPlan Default Versioning Settings

CrashPlan for Home Without A Subscription
Backup frequency is limited to once every 24 hours for CrashPlan Free users. Upgrade to a CrashPlan for Small Business subscription for more flexibility.

Before you begin

The recommended solution below instructs you to restore files from a date before your computer was infected. If you do not know the precise date of infection, you can do a test restore on several infected files to determine the date of infection.

To restore an earlier version of the file:

  1. Open the CrashPlan app and go to Restore
  2. If there are multiple computers on your account, select the infected computer
  3. If you are backing up to multiple destinations, choose the destination from which you want to restore in the backup destination list
  4. Click most recent to open the options for restoring from a previous date and time
  5. Select a date and time that you believe is close to the time of infection

    Select Date And Time

  6. Select an infected file from the list of files
  7. Click Restore
  8. Open the file

If you are able to open the file, then you know that your computer was not yet infected on the date and time you selected. If the restored file is encrypted, repeat the steps above and select an earlier date and time.

Time Of Infection
CryptoLocker and CryptoWall inform you of infection only after they have finished encrypting your files. This encryption process can take several hours or days, depending on your computer and your files. You may want to test several files to further isolate the date and time of infection.
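When you test-restore many files to a scratch folder, opening each one by hand is slow. The script below is an added example, not part of CrashPlan or Code42's documentation: it flags restored files whose leading bytes do not match their file type, or whose contents look like random data. The function names, the extension lists, and the entropy threshold are assumptions chosen for illustration.

```python
import math
import sys
from collections import Counter
from pathlib import Path

# Well-known leading signatures ("magic bytes") for common document formats.
MAGIC = {
    ".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
}
# Formats that are normally low-entropy, so an entropy test is meaningful.
TEXT_LIKE = {".txt", ".csv", ".log", ".xml", ".html"}
ENTROPY_LIMIT = 7.5   # assumption: bits/byte above this is treated as ciphertext
MIN_SAMPLE = 2048     # smaller samples cannot give a reliable entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; values near 8.0 look like random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_file(path: Path) -> str:
    """Classify one restored file as 'ok', 'suspect' or 'unknown'."""
    with path.open("rb") as fh:
        head = fh.read(65536)
    suffix = path.suffix.lower()
    if suffix in MAGIC:
        # An intact file of this type must begin with its signature.
        return "ok" if head.startswith(MAGIC[suffix]) else "suspect"
    if suffix in TEXT_LIKE and len(head) >= MIN_SAMPLE:
        return "suspect" if shannon_entropy(head) > ENTROPY_LIMIT else "ok"
    return "unknown"  # no signature known, or too small to judge


def scan(restore_dir: str) -> dict:
    """Walk a test-restore folder and group relative paths by status."""
    root = Path(restore_dir)
    report = {"ok": [], "suspect": [], "unknown": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            report[check_file(p)].append(p.relative_to(root).as_posix())
    return report


if __name__ == "__main__" and len(sys.argv) > 1:
    for status, names in scan(sys.argv[1]).items():
        print(f"{status}: {len(names)}", *names, sep="\n  ")
```

If the scan reports suspect files, select an earlier date and time and restore again; files reported as unknown still need to be opened manually.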

Recommended solution

If your computer is infected by CryptoLocker or CryptoWall, follow the steps below to recover your files.

Step 1: Remove the CryptoLocker or CryptoWall infection

If you have not already done so, the first step is to remove the infection from the affected computer. Many sites offer tutorials on removing CryptoLocker or CryptoWall. See External Resources for more information.

Note: Code42 Customer Champions cannot help you remove CryptoLocker or CryptoWall from your computer. Consult a computer specialist if you have additional questions about removing the infection.

Removing Infected Files
Some variants of CryptoLocker and CryptoWall may rename your files. Check for any renamed files and remove them before continuing.

Step 2: Restore files from a time prior to infection

You can now restore your files from a date prior to infection. Modify the restore options at the bottom of the Restore tab to:

For example:
Restore options

Alternative solution

If you replaced or reformatted the infected computer, follow our Restoring Your System guide.

Restoring Your Files
You must restore your files from a date and time prior to infection.