Ransomware/Cryptovirus/Malware Attacks

Ransomware is a type of malware that restricts access to the infected computer system in some way and demands payment of a ransom to the malware operators to remove the restriction.


When Box Sync is in use on a machine, every file marked for sync is downloaded and a copy of it is kept locally. If that machine is infected with ransomware, the synced content is susceptible to encryption, and the encrypted content may be uploaded into Box.


If encrypted content was uploaded into Box, there are several options for restoring it to the unencrypted version.


You can determine which folders the user synced and which files were altered using the admin reporting tool. To do this, go to Admin Console > Reports (graph icon). If you have access to the computer or account, you can also open Box Sync and the Box web app to see which folders are marked for Sync.




By specifying action types, you can run a report to see which files were uploaded by the user while the computer was infected. You can also export these reports as a CSV file.


These reports will also show you which files were uploaded with Box Sync. You can then restore the previous, unencrypted version of the file using Box's Version History.


Additionally, you can write a custom program that rolls back all files to an unaffected version via API.

You'll need to inspect each file for its versions:

And promote the second newest version to the top (assuming you didn't modify anything after the crypto locker hit):
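An added example (not Box's own code and not part of the original article) of the two API steps above: list a file's previous versions with `GET /files/{id}/versions`, then promote one with `POST /files/{id}/versions/current`. It goes beyond the "second newest" case by picking the newest version created before an assumed infection time, so repeated encrypted uploads are skipped. The file ID, version IDs and timestamps are constructed, and the file IDs are assumed to come from the upload report described earlier.

```python
import json
import urllib.request
from datetime import datetime

API = "https://api.box.com/2.0"  # Box Content API base URL

def box_call(token, method, path, body=None):
    """Send one authenticated request to the Box API and return the parsed JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        API + path, data=data, method=method,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def pick_clean_version(entries, infected_at):
    """Newest non-trashed previous version created before infected_at, else None."""
    def ts(v):
        return datetime.fromisoformat(v["created_at"])
    clean = [v for v in entries if not v.get("trashed_at") and ts(v) < infected_at]
    return max(clean, key=ts, default=None)

def roll_back(file_id, infected_at, call):
    """Promote the last pre-infection version of file_id; return its id or None."""
    # GET lists previous versions only (first page; paging is not handled here).
    listing = call("GET", f"/files/{file_id}/versions")
    target = pick_clean_version(listing.get("entries", []), infected_at)
    if target is None:
        return None  # file first uploaded during the infection: nothing to restore
    call("POST", f"/files/{file_id}/versions/current",
         {"type": "file_version", "id": target["id"]})
    return target["id"]

# Constructed sample listing: two encrypted uploads on top of one clean version.
SAMPLE_VERSIONS = {"entries": [
    {"type": "file_version", "id": "903", "created_at": "2016-05-10T14:07:00-07:00"},
    {"type": "file_version", "id": "902", "created_at": "2016-05-10T13:55:00-07:00"},
    {"type": "file_version", "id": "901", "created_at": "2016-05-02T09:30:00-07:00"},
]}

if __name__ == "__main__":
    infected_at = datetime.fromisoformat("2016-05-10T13:00:00-07:00")
    sent = []
    def fake_call(method, path, body=None):  # offline stand-in for box_call
        sent.append((method, path, body))
        return SAMPLE_VERSIONS if method == "GET" else {}
    print(roll_back("12345", infected_at, fake_call), sent[-1])
```

Against a live account, pass `lambda m, p, b=None: box_call(TOKEN, m, p, b)` as `call`, where `TOKEN` is your own access token, and pass `infected_at` as a timezone-aware datetime.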


If you have any further questions or would like further assistance, please don't hesitate to submit a case with our User Services team for further investigation.

Revision 4 of 4. Last update: 05-16-2017 10:09 AM