This tutorial provides instructions for users to recover from a ransomware attack. Ransomware is a form of malware that encrypts files on your computer and demands a ransom to decrypt these files. Instead of paying the criminals behind this attack, use the CrashPlan app to restore files to your device from a date and time before the infection.
This tutorial is a self-service set of instructions that you can follow to recover from ransomware on a single device.
- The United States Federal Bureau of Investigation (FBI) urges ransomware victims to report attacks.
- Frequency and version settings enable you to download files from a date and time before the infection. However, if you have not properly prepared for a ransomware attack (for example, ensured all devices are backed up, set good frequency and version settings), it's possible that even the oldest version could be infected.
- See the Use CrashPlan to defend against ransomware for guidance on how to prepare your organizations to withstand ransomware attacks.
The following describes a process using CrashPlan; you might also use other security and forensic tools to assist in the recovery.
Work with your internal teams and processesWork with your designated security team or follow your security processes to quarantine the infected device and recover files. While this article provides instructions for using CrashPlan to recover from ransomware, it does not account for your organization's defined recovery process.
Step 1: Determine the time of the infection
To recover from ransomware, you must restore files from a date before infection. Work with your security team or follow your security processes to determine the time of the infection. Record when it occurred and what happened when the attack unfolded. This information can tell you at what time you can find the most recent uninfected files and what kind of ransomware attack you have experienced.
Step 2: Exclude known ransomware file types (optional)
CrashPlan Enterprise and MSPs only
As a precaution before restoring files, remove from existing archives the file that was the source of the infection as well as files with known ransomware file extensions. Removing these files helps ensure that you are not re-introducing infected files when you restore.
- Add file exclusions for the file that caused the original infection as well files of known ransomware file types.
Apply the settings using Lock.
Lock is the only way to use exclusion settings to purge files from existing backups.
Step 3: Prepare a new device
Work with your security team or follow your organization's process to obtain a new device after a ransomware attack.
Rather than attempting to remove the infection from the affected device, quarantine the device and prepare a new device to replace the old device. As creators of ransomware become more adept at engineering their tools, it is best to ensure that the device you are restoring to is completely free of infection.
Use Windows USMT
CrashPlan Enterprise and MSPs only
If you are replacing a Windows device, and you used Microsoft's User State Migration Tool (USMT) to save Windows settings on the old device, you use CrashPlan to migrate Windows user profiles and data.
Step 4: Restore files from a time before the ransomware infection
Use the CrashPlan app to download files to a new device from a date and time before the ransomware infection by following the device replacement process:
- Make sure the CrashPlan app is installed on the new device.
- Sign in to the CrashPlan app on the new device.
The first time you sign in to the CrashPlan app, it detects whether there are other devices on the account and prompts you to either Add New Device (which starts a new backup for this device) or Replace Existing (adopts the original backup archive).
- Choose Replace Existing.
Only choose Add New Device if there are infected files still in the backup archive and you don't want to risk accidentally restoring infected files to the new device.
- Click Start.
- Choose the device you want to replace and click Continue.
If you chose Replace Existing for a Windows device and had user profile backup enabled on the old device, the CrashPlan app prompts you to select which USMT profile settings you want to restore to the new device.
- Click Select Files To Transfer to begin the process of transferring files to the new device.
The file browser opens.
- Click As Of Today.
The date and time selection dialog opens.
- Select a date and time from before the time of the infection.
Restore from a date prior to the infection
Restoring from the most recent date and time stamp may cause the new machine to be infected. Select a time and date before infection based on your testing to determine the time of the infection.
- Select files to restore to the new device.
- Click Get Files.
- Modify the Files options:
- From Save selected files to, select original location.
- From If file already exists, select overwrite.
- Click Go to download the files.
The download may take a long time. Do not cancel the restore job.
- After files are downloaded, click Continue.
- On the Transfer files to new device dialog, click Continue.
- On the Transfer settings to new device page, click Continue.
- After files are transferred, a prompt to sign in to the new device appears. Sign in to the new device and click Finish on the Your device is ready! dialog to complete the device replacement.