
Data Recovery Pit

The Data Recovery Expert


June 7, 2023 Milan

How to Recover Ransomware Encrypted Data


Ransomware is a type of malware that harms you by deleting, hiding, or encrypting your files, unless you pay whoever is behind it to “maybe” regain access. But should you trust someone who had no problem creating and spreading malicious code? They don’t care whether you have the money to pay, whether they destroy sentimental files, or even whether they ruin your business. This is the crucial question that will help you decide how to proceed. You might also want to look at the best data recovery software for ransomware.

Table of Contents

  • How does ransomware spread?
  • How can I be sure if I have ransomware?
  • What is the threat of ransomware?
  • How to restore ransomware-encrypted data
  • The best way to deal with ransomware
  • Preventive Measures to Protect Against Ransomware Attacks

How does ransomware spread?

Or… how did I get ransomware? The true answer could be one of these, but can also be something else altogether. Let’s list some things that come to mind first: downloading torrents, infected e-mail attachments, fake .exe files, fake Android applications, phishing, social engineering, fraudulent phone calls that require you to install fake software or visit malicious websites, and much more.

How can I be sure if I have ransomware?

A ransomware attack starts slowly. You will first notice sluggish performance, followed by files that suddenly won’t open. This is, presumably, because it is slowly encrypting data in the background, which takes time and takes a toll on your computer. But a definitive sign will be a changed background or an application that notifies you of what happened. You can also recognize some of the ransomware programs by name – WannaCry, Petya Ransomware, CryptoLocker, and Wana Decrypt0r. Also, the ransomware’s signature color is red, so either the letters or the background will be of that color.

What is the threat of ransomware?

Ransomware promises to encrypt all of your files – photos, videos, documents, and all it can find on your hard drive. And not only that. If your computer is connected to a local network, all of the computers are also in danger, if not already infected. Furthermore, the ransomware often promises to immediately delete your decryption key if it spots you trying to meddle with your files.


You will also be asked to pay between $200 and $900 to the Bitcoin address they provided, often within two to three days. That means the recipient will stay anonymous but will send you a decryption key and thus allow you to get your files back. However, in most cases, the person or group simply takes your money and runs with it, never to be heard from again. Don’t expect them to feel compassion for you after they threatened you in the first place.

How to restore ransomware-encrypted data

Since the majority of victims of ransomware attacks are Windows users, we decided to dedicate this article to them. Ransomware exists on Linux and Mac OS but is rarer.

Isolate the computer

As we mentioned, ransomware has no problem spreading through a LAN (Local Area Network), which means all of your computers are in jeopardy. Immediately disconnect the infected computer from the Internet, and do not plug in any removable devices such as your smartphone, USB drives, SD cards, or external hard disk drives.

Check if the files were only hidden

It isn’t uncommon for ransomware creators to be bluffing. After all, not all of them are master coders, but they are all looking to get a quick buck from terrified and desperate users. Some of them use a clever trick – making all of your files hidden, then changing the setting to hide hidden files. Here’s how to do a quick check.

  1. Open the Start bar.
  2. Begin typing ‘hidden’ and click on the option Show hidden files.
  3. Make sure the box in front of Change settings to show file extensions is checked.
  4. Choose Show settings next to it.
  5. Make sure the circle in front of Show hidden files, folders, and drives is chosen.
  6. Click OK.
  7. Open My Computer (This PC).
  8. Choose one of the hard drives that used to be empty. If the files are back but look greyed out, you’re in luck.
  9. Press CTRL + A on your keyboard to highlight all of the files.
  10. Right-click, then choose Properties.
  11. Uncheck the box in front of Hidden.
  12. The files should be back to their normal “opacity”.
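
The same check can be done from a PowerShell prompt. This is an added example, not part of the original guide, meant to be saved as a script file; the `D:\` default and the `-Unhide` switch name are assumptions of this script. It skips items that also carry the System attribute, which Windows hides on its own, and summarizes the file extensions of what it finds.

```powershell
# Added example: report (and optionally clear) the Hidden attribute on user files.
# $Root is an assumed path; point it at the drive or folder that looks empty.
param(
    [string]$Root = 'D:\',
    [switch]$Unhide   # without this switch the script only reports
)

$hiddenFlag = [System.IO.FileAttributes]::Hidden
$systemFlag = [System.IO.FileAttributes]::System

# -Force makes Get-ChildItem return hidden and system items too.
# Items that are also marked System (desktop.ini, the Recycle Bin folder, ...)
# are hidden by Windows itself, so they are left alone.
$items = @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Attributes.HasFlag($hiddenFlag) -and -not $_.Attributes.HasFlag($systemFlag)
    })

if ($items.Count -eq 0) {
    Write-Output "No hidden user files or folders found under $Root."
    return
}

Write-Output "Hidden items found under ${Root}: $($items.Count)"

# Extension summary of the hidden files, so you can see whether they still
# carry the extensions you expect (.docx, .jpg, ...).
$items | Where-Object { -not $_.PSIsContainer } |
    Group-Object Extension | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

if ($Unhide) {
    foreach ($item in $items) {
        # Hidden is known to be set here, so XOR clears only that bit.
        $item.Attributes = $item.Attributes -bxor $hiddenFlag
    }
    Write-Output "Cleared the Hidden attribute on $($items.Count) items."
}
```

Run it once without `-Unhide` to review what it found before changing any attributes.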

Pay the ransom

If you are an optimist, have plenty of money lying around, or have extremely important files on your computer, you may see that as a solid reason to pay and hope for the best. Unfortunately, in the majority of cases, you will never hear from the perpetrator(s) after you pay. So, you’ll lose your data and your hard-earned money, making it an even bigger loss. Our advice – don’t do it.

Try to decrypt your files

The majority of people use encryption for good deeds. Encrypting your files means they are useless to anyone without a decryption key and is thus very useful for keeping privacy and security. When used for evil, such as in this case, it becomes a powerful opponent. As such, not a lot of ransomware programs can be successfully decrypted without a key provided by the perpetrator.

Luckily, some websites run by knowledgeable people, some of whom have also fallen victim, are working on breaking the encryption all the time. For example, going to NoMoreRansom! and checking whether they have already created a decryption tool for the ransomware you recognize could be a saving grace.

System Restore

We’re sorry to tell you that the chances of this working are incredibly low. If the creators weren’t good at coding, they would’ve probably only hidden files, and you wouldn’t have to reach for System Restore in the first place. The majority of ransomware infects and corrupts the entire MBR/GPT tables of your hard drive. That means even if you manage to System Restore files, you will be unable to boot your computer to Windows.

The best way to deal with ransomware

Report it to authorities

If you are a United States resident, visiting the FBI’s Internet Crime Complaint Center (IC3) could be one of the places to report a cybercrime. Typically, every major city across the globe has a government department related to cybercrime. They might not be able to help you directly but could prevent future victims. And, if you are an important person or a business owner, they also might have tools of their own, who knows.

Wipe everything

This is our best advice, and the only way to ensure you don’t get re-infected with ransomware. Even if the perpetrators showed mercy and allowed you to decrypt data, who’s to say they won’t re-extort you in a month or two? Unless you can find a decryption tool from one of the groups that fight ransomware, it is best to simply destroy everything.

  1. Download a data destruction tool such as DBAN on another computer.
  2. Plug a USB pen drive into the USB slot. Make it bootable with DBAN using Rufus, for example.
  3. Turn on the computer infected with ransomware.
  4. While it is starting, enter BIOS by repeatedly pressing a key that will appear at the bottom of the screen. It depends on your motherboard’s manufacturer and is often DEL, ESC, F8, or F9.
  5. Locate Boot or Boot Priority in BIOS.
  6. Switch drives around so that the USB drive has the first boot priority.
  7. Press the key required to Save and Exit, often F10.
  8. The computer will restart, and boot into DBAN.
  9. Follow the on-screen instructions.

Restoring from a backup

Wiping everything from your hard drive doesn’t mean you have to start from scratch. If you are smart and security-conscious, you should have a backup on an external hard drive hidden away. Or, you could start backing up files from now on, to make sure ransomware will never again wreak havoc in your life. There’s no need to repeat ourselves – you can read about the entire backup process in our guide on how to recover a deleted folder in Windows 10.

Preventive Measures to Protect Against Ransomware Attacks

If you are lucky enough not to be caught in the ransomware trap, here are the steps you should take as a precaution:

1. Maintain an updated operating system and software

To fix any security flaws, regularly install updates and patches for your operating system, antivirus program, and other apps.

2. Use strong, unique passwords

Avoid using easily guessable passwords, and consider using a password manager to generate and store complex passwords for different accounts.

3. Be cautious of email attachments and downloads

Exercise caution when opening email attachments, especially if they are unexpected or from unknown senders. Avoid downloading files from untrusted sources or clicking on suspicious links.

4. Maintain regular backups

Establish automated backup systems to safeguard your critical files and data by saving them to an external hard drive, a trustworthy cloud storage platform, or a dedicated backup service. It is essential to routinely verify the reliability and integrity of your backups to ensure their effectiveness in the event of a ransomware incident.

5. Educate yourself and your employees

Stay informed about the latest phishing techniques and social engineering tactics used by attackers. Train yourself and your employees to be vigilant when it comes to suspicious emails, links, and downloads.

6. Use reliable security software

Install and regularly update reputable antivirus and anti-malware software to detect and block ransomware threats.

7. Turn on firewall protection

To add another line of defense against unwanted access, turn on the built-in firewall in your operating system or think about buying a specialized firewall solution.

8. Limit user privileges and access rights

Restrict user permissions to only what is necessary for their roles. By implementing the principle of least privilege, you minimize the potential impact of a ransomware infection. Users should only have access to the files and resources required for their work, reducing the attack surface for ransomware to spread across your network.
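
One way to carry out the integrity check from step 4 (Maintain regular backups), as an added example that is not from the original guide; the function names and the paths in the comments are hypothetical. It records a SHA-256 hash for every file when the backup is made and later reports which files are missing or have changed.

```powershell
# Added example: hash manifest for a backup folder (names and paths are assumptions).
function New-BackupManifest {
    param([string]$BackupRoot, [string]$ManifestPath)
    $root = (Resolve-Path -LiteralPath $BackupRoot).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -File -Force |
        ForEach-Object {
            [pscustomobject]@{
                # Relative paths keep the manifest valid if the drive letter changes.
                RelativePath = $_.FullName.Substring($root.Length + 1)
                Length       = $_.Length
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-BackupManifest {
    param([string]$BackupRoot, [string]$ManifestPath)
    $root = (Resolve-Path -LiteralPath $BackupRoot).Path.TrimEnd('\')
    foreach ($entry in Import-Csv -LiteralPath $ManifestPath) {
        $path = Join-Path $root $entry.RelativePath
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $status = 'Missing'
        }
        elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $entry.SHA256) {
            $status = 'Changed'
        }
        else {
            $status = 'OK'
        }
        [pscustomobject]@{ Status = $status; RelativePath = $entry.RelativePath }
    }
}

# Right after a backup completes (store the manifest outside the backup drive):
#   New-BackupManifest -BackupRoot 'E:\Backup' -ManifestPath 'C:\Manifests\backup.csv'
# Before relying on that backup for a restore:
#   Test-BackupManifest -BackupRoot 'E:\Backup' -ManifestPath 'C:\Manifests\backup.csv' |
#       Group-Object Status | Select-Object Name, Count
```

Many `Changed` entries on a backup you did not modify yourself mean its contents no longer match what was saved, so inspect it before restoring from it.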

By applying these methods, you may be able to save yourself from becoming a ransomware victim, in addition to having learned how to recover from a ransomware assault.


Author

Milan

Milan is a data recovery expert who loves writing guides to help others recover their lost data and accounts. Being in the data recovery industry for more than 5 years, he has already written 400+ data recovery related articles for various websites and publications.

