How To Use Shadow Copies For Ransomware Data Restoration

Ransomware attacks can be devastating, locking you out of critical data and demanding payment for its release. Fortunately, Windows offers a built-in feature called Shadow Copies, also known as Previous Versions, which can help you restore your files without paying a ransom. This guide explains how to use Shadow Copies to recover your data effectively.

Understanding Shadow Copies

Shadow Copies are snapshots of files or entire volumes taken automatically by Windows at scheduled intervals or manually by users. These copies enable you to restore previous versions of files or folders if they are modified, deleted, or encrypted by ransomware.

Prerequisites for Using Shadow Copies

  • Windows operating system (Windows 7, 8, 10, or 11)
  • Administrative privileges on the computer
  • Sufficient disk space allocated for shadow copies
  • System Protection enabled on the drive containing your data

Enabling System Protection

Before you can access previous versions, ensure System Protection is enabled on your drive:

Steps to Enable System Protection

  • Open the Control Panel and navigate to System and Security.
  • Select System, then click on System Protection in the sidebar.
  • In the System Properties window, find your drive under Protection Settings.
  • Select the drive and click Configure.
  • Choose Turn on system protection and set the maximum disk space for shadow copies.
  • Click OK to save your settings.

Restoring Files Using Shadow Copies

If your files have been encrypted or deleted by ransomware, follow these steps to restore previous versions:

Steps to Restore Files

  • Navigate to the folder containing the affected files.
  • Right-click on the file or folder and select Restore previous versions.
  • A list of available previous versions will appear. Select the version you want to restore.
  • Click Restore to replace the current file with the selected version.

Alternatively, you can restore the file to a different location by clicking Copy instead of Restore.

Restoring Shadow Copies Manually

You can also list existing shadow copies and restore points, or create a shadow copy manually, using the Command Prompt or PowerShell:

Using Command Prompt

  • Open Command Prompt as an administrator.
  • Type the command: vssadmin list shadows and press Enter.
  • Review available shadow copies.
  • To create a manual shadow copy, type: vssadmin create shadow /for=C: and press Enter. Note that the create subcommand is only available on Windows Server editions.

Using PowerShell

  • Open PowerShell as an administrator.
  • Type: Get-ComputerRestorePoint and press Enter.
  • Review available restore points.
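  • Use the Restore-Computer cmdlet to revert to a previous restore point if necessary. This reverts system files and settings; it does not roll back individual data files, so use Previous Versions for those.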
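
The script below is an added example, not part of the original guide. It is the scripted equivalent of choosing Copy instead of Restore: it lists the shadow copies for the file's volume and copies one file out of the newest snapshot taken before a given time into a separate folder. The sample file path, the D:\Recovered destination, the temporary link name and the Get-VolumeShadowCopy helper are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: copy one file out of a shadow copy into a separate folder,
# leaving the current (possibly encrypted) file untouched.
param(
    [string]$SourceFile  = 'C:\Users\Public\Documents\report.docx', # constructed sample path
    [string]$RecoveryDir = 'D:\Recovered',                          # hypothetical destination
    [datetime]$Before    = (Get-Date)   # only use snapshots taken before this time
)

function Get-VolumeShadowCopy {
    param([string]$DriveLetter, [datetime]$Before)
    # Win32_ShadowCopy.VolumeName holds the volume GUID path, so map the drive letter first
    $vol = Get-CimInstance Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID -and $_.InstallDate -lt $Before } |
        Sort-Object InstallDate -Descending      # newest eligible snapshot first
}

$drive    = Split-Path -Qualifier $SourceFile                  # e.g. 'C:'
$relative = (Split-Path -NoQualifier $SourceFile).TrimStart('\')
$link     = "$($env:SystemDrive)\vss_mount_$PID"               # temporary link name (assumption)
$found    = $false
New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null

foreach ($sc in Get-VolumeShadowCopy -DriveLetter $drive -Before $Before) {
    # Expose the snapshot as a directory link; the trailing backslash is required
    cmd /c mklink /d "$link" "$($sc.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $link $relative
        if (Test-Path -LiteralPath $candidate) {
            $stamp = $sc.InstallDate.ToString('yyyyMMdd-HHmmss')
            $dest  = Join-Path $RecoveryDir ("{0}_{1}" -f $stamp, (Split-Path -Leaf $SourceFile))
            Copy-Item -LiteralPath $candidate -Destination $dest
            Write-Output "Copied version from snapshot $($sc.ID) ($stamp) to $dest"
            $found = $true
            break
        }
    } finally {
        cmd /c rmdir "$link"    # removes only the link, never the snapshot
    }
}
if (-not $found) { Write-Warning "No snapshot before $Before contains $SourceFile" }
```

Set -Before to a time earlier than the first signs of encryption so that a snapshot taken after the attack, which would already hold the encrypted file, is skipped.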

Limitations and Best Practices

While Shadow Copies are a useful tool, they have limitations:

  • Shadow Copies are not a substitute for regular backups.
  • They may not be available if System Protection was disabled before the attack.
  • Ransomware may delete shadow copies if it has sufficient permissions.
  • System Protection must remain enabled and correctly configured on critical drives; check these settings regularly.

Best practices include maintaining regular backups on external or cloud storage, enabling System Protection, and promptly restoring affected files using Shadow Copies when needed.

Conclusion

Shadow Copies provide a valuable method for recovering data affected by ransomware. By enabling System Protection and knowing how to restore previous versions, you can minimize data loss and avoid paying a ransom. Always combine Shadow Copies with comprehensive backup strategies for optimal data security.