If CryptoDrop finds suspicious activity on your computer, it will trigger an alert. You will see a window like the one pictured below:
At this point, you have a few options. If this is activity that you don't recognize, for maximum security you should click the Lockdown button. When you do this, CryptoDrop will enter Lockdown mode.
In Lockdown mode, all files protected by CryptoDrop become read-only immediately. This allows you to save your unencrypted files to other media (e.g., network drive, USB flash drive, etc.) We recommend that if you are in Lockdown mode, you immediately shut down the system and perform a re-installation of your computer to ensure that ransomware has been wiped out.
In addition, rules will be added to block the suspected ransomware processes from writing. More information about rules and how to customize these further in the article on Rules.
In some cases, you may see multiple alerts pop up after you have entered Lockdown mode, because of how files are accessed. You can ignore these - once you are in Lockdown mode, you are fully protected.
Ignoring an alert
We only recommend that you ignore an alert if you are very sure that the process triggering the alert is performing activities such as opening and writing a lot of files, or encrypting a large number of files, as this activity is also consistent with how ransomware operates. If you are not sure, you should choose Lockdown instead. If you choose to ignore the alert, we recommend that you be very careful with these processes and keep an eye on their activity to ensure that they are not acting maliciously. If in doubt, enter Lockdown mode.
Recover Your Files (Fast Recovery Version)
If you have purchased the Fast Recovery version of CryptoDrop, then you are protected by our DropSafe(TM) technology. You should enter Lockdown mode as described above if ransomware activity is suspected on your computer, which will protect your files from further writes by suspected ransomware. With DropSafe, though, you have the ability to recover any files that have been overwritten or encrypted by ransomware.
To use this functionality, click the Recover Files button while you are in Lockdown mode. The Recovery Window will be shown.
This window contains a list of files that can be recovered through DropSafe. For each file, the first column indicates where the file was located. The second column shows that the file has been recovered and its current location. The third column shows when the file was put into the recovery directory, and the last column shows the process that caused the file to be moved to the recovery area. Select the files that you want to recover and click the Recover button at the bottom of the window.
There is additional information in the file name that helps us ensure that this is the correct file; this extra data will go away if the file is recovered. Please note that the recovery path is not accessible to malware or ransomware - your data is safe from tampering when it is recovered.