Ransomware is a type of malware that restricts access to the infected computer system in some way, and requires payment of the ransom to the malware operators to remove the restriction on the machine.
When Box Sync is being used on a machine, each file is downloaded and a hard copy of the content marked for sync is available locally. If a machine has Ransomware on it, then the content being synced is susceptible to encryption and the encrypted content may be uploaded into Box.
In the event encrypted content was uploaded into Box, there are several options available in order to restore content to the unencrypted version.
You can determine which folders the user synced and which files were altered using the admin reporting tool. To do this, go to Admin Console > Reports (graph icon) - if you have access to the computer or account, you can also open Box Sync and the Box web app to see which folders are marked for Sync.
Using the ability to specify action types, you can use run a report to see which files were uploaded by the user while the computer was infected. You can also export these reports as a CSV file.
These reports will also show you which files were uploaded with Box Sync. You can then restore the previous, unencrypted version of the file using Box's Version History.
Additionally, you can write a custom program that rolls back all files to an unaffected version via API.
You'll need to inspect each file for its versions: