Cryptoguard detects when a business file is opened for write, and a temporary copy is made on the local drive. Later, if the original is maliciously encrypted, the copy is restored. The copies are purged when it is determined that the originals have not been encrypted by ransomware.