Ransomware is a type of malware that infects a system in order to block access to files stored on the system by encrypting them. A ransom must be paid to decrypt the files and restore access, often in the form of cryptocurrency, unless the user has an external backup available. Users typically introduce malware to their system by clicking on malicious attachments in emails or visiting malicious or compromised websites.


Ransomware comes in hundreds of varieties that all have different effects on a system. Users may see files deleted, over-written, encrypted, renamed, or any combination of these. The primary defense against ransomware is a sufficiently protected computer that prevents ransomware from running. 


Understanding How Ransomware Impacts Box

Ransomware can only affect files via the Box Sync or Box Drive applications on a user's computer. If Box Sync is enabled, only those files set to Sync will be affected. 


Ransomware cannot be spread through Box. Encrypted files may be synced to other users, but the ransomware cannot spread further within Box's cloud storage as all files are encrypted at rest and do not have an executable environment to run from. 

Recovering from Ransomware 

When a user's machine is infected with ransomware, the encrypted content may sync up to Box if they are using Box Drive or Box Sync. If this happens, we have resources available that will assist you in recovering your content. Please contact Box Support for assistance as soon as possible or read below on how to use the Box API for self-remediation. 


If you have confirmed that a user's system has been compromised, we recommend that you quit Box Drive or Box Sync and ensure the malware is removed before taking any additional steps.


To determine the scope of impact, an Admin can confirm which files were altered by running the User Activity report. To do this, navigate to the Admin Console > Reports (graph icon/reporting tab).





In the Users and Groups field specify the infected user(s) and select the following file management actions for the time of impact: 

  • Edit 
  • Moved to Trash 
  • Renamed 
  • Uploaded


Select the Export option and access the report from your Box Reports folder. 


In the service column, the report will show you which files were uploaded via Box Sync or Box Drive. By identifying which files were impacted, you can use Box's Version History to manually restore the previous, unencrypted version, or use Trash to restore deleted items. Please see the limitations below before taking any actions. 


Using the Box API for Remediation

If you have developer resources available, you can write a custom script that rolls back all infected files to an unaffected version using our API. The approach you take depends on how the particular strain behaved.


Encryption In Place 

If the infected files were changed "in place", i.e. edits to the existing file, then you can use version history to restore affected files to a prior version.


At a high level, your goal should be to:

  1. Look at the upload/modify events from the impacted time frame, and filter for actions done by the affected user. Since the endpoint does not accept a user as a request parameter, this filtering must be done after the initial results are returned.
  2. For each affected file ID returned, revert to the version whose modified date was most recent before the new version was uploaded.
  3. If the files were renamed, revert to the name of the previous version.



File "work.docx" was uploaded May 1, 2018

User was affected May 2, 2018

New versions of "work.docx" were uploaded to the same file


Resolution: Revert back to the version uploaded on May 1, 2018
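The planning half of the three steps above, applied to the "work.docx" scenario, as an added example that is not Box's own code. The event and version records are constructed, and their field names and event type strings are simplified assumptions rather than the exact Box API schema; the script only decides what to revert and makes no API calls.

```python
from datetime import datetime

# Constructed sample data; field names and event type strings are simplified
# assumptions, not the exact Box API response schema.
USER = "alice@example.com"
START = datetime.fromisoformat("2018-05-02T00:00:00+00:00")
END = datetime.fromisoformat("2018-05-03T00:00:00+00:00")
EVENTS = [
    {"user": USER, "type": "UPLOAD", "file_id": "100", "at": "2018-05-02T09:15:00+00:00"},
    {"user": "bob@example.com", "type": "UPLOAD", "file_id": "200", "at": "2018-05-02T09:20:00+00:00"},
    {"user": USER, "type": "UPLOAD", "file_id": "300", "at": "2018-05-02T09:30:00+00:00"},
    {"user": USER, "type": "EDIT", "file_id": "400", "at": "2018-04-20T08:00:00+00:00"},
]
VERSIONS = {  # version history per file ID
    "100": [
        {"id": "v1", "name": "work.docx", "modified_at": "2018-04-28T10:00:00+00:00"},
        {"id": "v2", "name": "work.docx", "modified_at": "2018-05-01T10:00:00+00:00"},
        {"id": "v3", "name": "work.docx.locked", "modified_at": "2018-05-02T09:15:00+00:00"},
    ],
    "300": [{"id": "v9", "name": "budget.xlsx.locked", "modified_at": "2018-05-02T09:30:00+00:00"}],
}


def when(record, key):
    return datetime.fromisoformat(record[key])


def affected_file_ids(events, user, start, end):
    """Step 1: filter by user client-side, since the endpoint cannot."""
    return sorted({e["file_id"] for e in events
                   if e["user"] == user and e["type"] in ("UPLOAD", "EDIT", "RENAME")
                   and start <= when(e, "at") <= end})


def plan_reverts(events, versions, user, start, end):
    """Steps 2 and 3: pick the newest pre-incident version and its name."""
    plan, unrecoverable = [], []
    for fid in affected_file_ids(events, user, start, end):
        history = versions.get(fid, [])
        clean = [v for v in history if when(v, "modified_at") < start]
        if not clean:  # no version existed on Box before the event
            unrecoverable.append(fid)
            continue
        target = max(clean, key=lambda v: when(v, "modified_at"))
        current = max(history, key=lambda v: when(v, "modified_at"))
        rename = target["name"] if target["name"] != current["name"] else None
        plan.append({"file_id": fid, "promote": target["id"], "rename_to": rename})
    return plan, unrecoverable
```

File "300" ends up in the unrecoverable list because it was first uploaded during the incident, which is the limitation noted under Recommendations & Limitations.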



Encryption + Deletion

If the malware's behavior was to delete the original file and then upload/replace it with an encrypted version, then the goal should be to restore the original files from the trash on Box and delete the encrypted files.


  1. Similar to step 1 above, identify the files uploaded and deleted by the affected user in the time frame.
  2. Verify the file is still in the trash (i.e. hasn't been manually restored by the user).
  3. Recursively restore items from the trash.
  4. If there is a name conflict, decide how you wish to handle it (rename/overwrite). Alternatively, you can delete the encrypted files first, before restoring items from the trash.



File "work.docx" was uploaded on May 1, 2018 with File ID 14785

User was affected May 2, 2018

File ID 14785 was deleted, and another file was uploaded in its place with ID 96321 (i.e., not as a new version)


Resolution: Delete file ID 96321 and restore file ID 14785 from the trash.
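The same scenario (file IDs 14785 and 96321) as a recovery plan, as an added example that is not Box's own code. The records, field names, event type strings and the `.restored` suffix are constructed assumptions; the script orders deletions before restores, skips items no longer in the trash, and renames on a remaining name conflict, without making any API calls.

```python
from datetime import datetime

# Constructed sample data; field names and event type strings are simplified
# assumptions, not the exact Box API response schema.
USER = "alice@example.com"
START = datetime.fromisoformat("2018-05-02T00:00:00+00:00")
END = datetime.fromisoformat("2018-05-03T00:00:00+00:00")
EVENTS = [
    {"user": USER, "type": "DELETE", "file_id": "14785", "folder": "10",
     "name": "work.docx", "at": "2018-05-02T09:15:00+00:00"},
    {"user": USER, "type": "UPLOAD", "file_id": "96321", "folder": "10",
     "name": "work.docx", "at": "2018-05-02T09:15:05+00:00"},
    {"user": USER, "type": "DELETE", "file_id": "22222", "folder": "10",
     "name": "notes.txt", "at": "2018-05-02T09:16:00+00:00"},
    {"user": "bob@example.com", "type": "DELETE", "file_id": "33333", "folder": "10",
     "name": "plan.txt", "at": "2018-05-02T09:17:00+00:00"},
]
TRASH = {"14785", "33333"}  # 22222 was already restored by hand
LIVE = {("10", "work.docx"): "96321", ("10", "notes.txt"): "22222"}  # (folder, name) -> file ID


def plan_recovery(events, trash, live, user, start, end):
    """Return (ordered actions, skipped IDs); the delete list should be reviewed before use."""
    hits = [e for e in events if e["user"] == user
            and start <= datetime.fromisoformat(e["at"]) <= end]
    uploads = [e for e in hits if e["type"] == "UPLOAD"]
    doomed = {e["file_id"] for e in uploads}
    # Deletions come first so restores do not collide with encrypted copies.
    actions = [("delete", e["file_id"], None) for e in uploads]
    skipped = []
    for e in hits:
        if e["type"] != "DELETE":
            continue
        if e["file_id"] not in trash:  # step 2: no longer in the trash
            skipped.append(e["file_id"])
            continue
        holder = live.get((e["folder"], e["name"]))
        conflict = holder is not None and holder not in doomed
        new_name = e["name"] + ".restored" if conflict else None  # step 4: rename
        actions.append(("restore", e["file_id"], new_name))
    return actions, skipped
```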


Recommendations & Limitations

  • To expedite recovery, we recommend submitting the User Activity report, along with as much information as possible about the type of ransomware and what exactly took place, with your initial request.
  • In order to restore an encrypted file, a previous version must have existed on Box prior to the event.
  • Some less common types of ransomware will delete content and replace it with completely new content. While we can recover deleted content, we're unable to delete any new content. This can be done manually or by using our API. We recommend that any deletions are completed prior to content recovery. 
  • Box's revision system is based on each individual file, versus a point in time, which does not currently allow for a point-in-time-based restoration. Instead, we can use native features of Box such as Trash and Version History to help restore files.
Last update: 06-19-2018 07:27 AM