Encrypted backup infected with Caleb ransomware encryption.

Beginner
Posts: 3
Comments: 1

Hi guys, got a bit of a problem. I've been hit with the .caleb ransomware virus and all but two of my encrypted backups have been encrypted by the virus. One that survived is a full backup dating 28th Aug 2019, the other a partial backup from the 2nd Sep; every other volume has been encrypted. Can you offer any advice on a course of action? I'm glad I haven't lost 15 years of client info, but the last month has a lot of work.

0 Users found this helpful
Legend
Posts: 113
Comments: 31105

Mark, sorry to read of your malware infection.

Did you have Acronis Active Protection (AAP) running for your ATI 2018 application? If so, then I would recommend contacting Acronis direct to request their help if this ransomware got past AAP.

If you have a good full backup image to recover from, then that is going to be your best solution to avoid either having to pay the ransom to possibly have your data decrypted (no guarantee that this will be done even after paying!), or running further risks by downloading other software that claims to be able to decrypt or remove the Caleb malware (at the cost of the application), but which could bring in other malware if not genuine!

Personally, the actions that I would be considering in this situation are:

  1. Power off the infected computer a.s.a.p! The longer you keep it running, the greater the degree of encryption of your data!
  2. Remove the infected disk drive(s) and put aside.
  3. Purchase replacement disk drive(s) and install in place of those removed.
  4. Boot from your Acronis Rescue Media and recover your most recent good backup image to get back to a known working state.
  5. Update your Windows OS and all other applications, including / especially your security software.
  6. Make a further new full disk backup of your updated system.

At this point you will be in the situation of having a working computer where the key impact will be any missing data that was encrypted by the ransomware.

Your choices from here are whether to try to find a genuine ransomware removal application for the infected disks you removed and try to disinfect these yourself, or else to identify a genuine company who could do this for you, to whom you could take or send the infected disks.

Beyond the above, you will also need to consider your backup approach and ensure that you do not find yourself in the same situation ever again by always making multiple different backups on different drives and stored in different places, including offline from any possible virus attack.