Ransomware. CryptoLocker. CryptoWall. Crypto-whatever. In the world of IT, there are few words more dreaded than these. Ask any admin about the moment one of their end-users came up to them and said, “I can’t open my documents. Something says they’re encrypted. What’s going on?” and they’ll all tell you about that sinking pit in their stomach, followed by panic and a mad rush to unplug the power from the PC and remove all network connections.
At this point, any IT admin would no longer trust this machine, and for good reason. Once the PC is powered on and left to run, the ransomware will boot up again and alphabetically work through all documents and encrypt them, followed by placing instructions on how to pay and get a decryption key inside of each folder. At this point, the IT admin has a choice: image the machine, or pay the ransom.
However, PCs with RollBack Rx (the PC time machine) on them are different. If a PC is infected with ransomware, simply powering down the machine, disconnecting it from all networks, and rebooting it, and going into the RollBack Rx subconsole will let the user choose a clean, older snapshot to boot into and have their PC back online and safe again.
But this idea doesn’t sit well with many IT admins. Why? Because it defies conventional wisdom, and it feels too easy. Allow me to explain.
If a machine is infected with ransomware, more often than not the advice offered is that that machine needs to be nuked from orbit. You don’t want to chance to have any leftovers from nasty ransomware and have it infect more machines, so most likely you’ll put on your shades and blast away.
But here’s why rolling back to an older snapshot is not only practical and quick but completely safe as well.
Each snapshot RollBack Rx takes exists independently of each other on the sector-level of the hard drive and then is encrypted by our instant recovery software. This part is perhaps the most important because understanding that the software at this point exists entirely outside of Windows is what protects it.
To this day all ransomware that exists is Windows-level viruses. They work only on the file level of the OS, and therefore do not touch the sectors of the hard drive. And why would they? There’s nothing specific that can be written in a code to attack particular sectors that would benefit the criminal.
This means that RollBack Rx snapshots are not touched by the virus, and therefore any malicious encryption code that would attempt to run on it. If someone were to have a major Crypto-whathaveyou infection on their machine, simply reverting to an older snapshot is quick and entirely safe. It’s that simple.
This part is often the most uncomfortable to believe since it almost sounds like a snake-oil pitch. “Come over here and find the software that won’t be beaten! Ransomware! Malware! It doesn’t matter! You’ll be safe no matter what!”
But looking at the cold hard facts, the logic of code, and the way our software functions, it is true. No ransomware will infect the older snapshots. Reverting to an older state is safe, and removing the corrupted snapshots afterward does eliminate any trace of the virus on that local machine.
For additional reading, please check out this how-to remove ransomware guide with RollBack Rx, or about Cryptowall infections and their history.