How to Recover Files Encrypted By Ransomware

Photo of a laptop with the stop sign on the screen.

The best way to protect your data from ransomware is to have good backup solutions. File History is built into Windows and there are various other backup solutions. Data stored on disconnected drives and non-synced cloud storage is safe from ransomware attacks on your computer.

But if you don’t have a backup and ransomware attacks your PC, decisions need to be quick. Do you have a chance to recover your files?

Here’s a summary of the ways to recover files after a ransomware attack if you don’t have backups:

Method of recovering lost data

Problems and considerations

Decrypt the data by paying the ransom

There’s no guarantee that the files will be fixed.

It’s very expensive, it can cost hundreds or even thousands of dollars.

It can encourage repeat attacks.

Decrypt the data with free tools

Often, this is impossible, as for free decryptors to be developed, ransomware must have exploitable flaws. Alternatively, the cybercriminals must release master decryption keys.

Use file recovery software

It’s not always possible to restore deleted files – it depends on your drive and the ransomware.

Some data is lost.

Repair the encrypted files

This is not always possible – it depends on the file and the ransomware.

Some data is lost.

What to do when you notice the infection?

It’s important to disconnect your PC from the internet. This will stop ransomware from spreading (though not all ransomware has that ability) and encrypting your files in sync cloud storage, such as OneDrive.

If you catch malware while it’s working, you could stop it by turning off your computer (and not turning it on again). However, ransomware programs encrypt data extremely quickly (according to some victims, Djvu ransomware takes a few minutes to encrypt Terabytes of files). Chances are that if you noticed the ransomware infection, it’s already finished with its work.

Decryption

Photo of two padlocks.

Decryption is the main way to fix files that were encrypted by ransomware. If you will attempt decryption, it’s important to always have a backup of the encrypted files.

If you didn’t backup your data, decryption is the best way to recover your files after a ransomware attack. But paying the extortionists is risky and expensive. Meanwhile, free decryption is rarely available to ransomware victims.

Paying the ransom

Extortionists create and spread ransomware infections so that they can sell decryption tools and keys. They ask victims to pay a sum of money and, in exchange, promise to give them decryption tools and keys.

Paying the ransom is problematic:

  • It supports cybercrime and encourages more attacks.
  • It doesn’t guarantee file recovery, as the extortionists might take your money and leave.
  • There might be technical issues with recovering data – cybercriminals aren’t always the most competent developers.
  • You might also reveal personal information to the criminals, which could make you a target for future attacks if you fail to fix the problem that allowed the attack to happen.
  • According to some reports, the vast majority (92%) of the organizations that pay the ransom to get their data decrypted do not recover all of their data.

Using free decryption tools

Normally, files encrypted by ransomware are impossible to decrypt without the decryption software and key. But on rare occasions, cybersecurity experts find a bug or flaw in a ransomware variant. Then, they might come up with a decryption solution. If they do, they usually share this solution for free.

Remember that it is rare for free decryption tools to be released for any given ransomware infection.

  • For early versions of Djvu (a very widespread ransomware strain), a decryptor was developed by a ransomware researcher. Victims were able to recover most of their files for free.
    Unfortunately, the developers of Djvu ransomware repaired the flaws in their malware that were being exploited by the decryptor.

Nomoreransom.org lists free decryption tools once they are released.

Sometimes, a free decryption solution is found, but it needs to be kept a secret from ransomware developers to stop them from patching the flaw. In these cases, cybersecurity experts and companies might ask the victims of that specific ransomware to contact them privately.

Occasionally, law enforcement arrest ransomware developers and release master decryption keys. Cybercriminals themselves might also release decryption tools (for example, when they retire). Then, cybersecurity experts can create and release a free decryption tool.

  • For example, the Avaddon ransomware gang announced that they were retiring in June 2021. They released decryption keys for all the victims for free, then Emsisoft created a decryptor that was free to use for all the victims.

File recovery

Photo of spades in the sand.

Some ransomware works in such a way that unencrypted versions of files can be undeleted by using file recovery tools – programs like EaseUS, ReclaiMe, Recuva, etc. However, only hard disk drives can benefit from this solution. Deleted files on SSDs almost certainly can’t be recovered.

To make matters worse, most modern ransomware variants make sure to not leave any recoverable data behind. And even when they do leave recoverable data, it is quickly overwritten.

The recovery process is long and might require additional hardware. It’s recommended to contact a specialist who knows how to restore deleted files. If you use file recovery tools, take advantage of free trials to avoid wasting money in case something doesn’t work.

File repair

Some ransomware only encrypts portions of files. It can encrypt the beginning and end of a file, or it can lock bands of data. Either way, it’s enough damage to make the file unreadable.

This means that some data inside encrypted files could still be fine. It may be possible to repair some of these files as if they were corrupted.

For example, with enough work and time, it might be possible to extract data from files such as databases. It could be possible to recover content from archives, photographs, audio recordings, and other files.

It’s been known that some archives and audio recordings encrypted by ransomware can still be opened. But I believe that Disktuna is the one that really shined a light on this solution and developed instructions for how to repair files.

However, some ransomware variants take care to encrypt bands of data instead of just a chunk in the beginning. This makes file repair much harder.

What to watch out for

Photo of an empty wallet.

Lastly, it’s important to know how to protect yourself from unnecessary services and scammers.

File recovery fraud

If you use a ransomware broker firm, make sure to use a reputable one.

If a person or a company claims that they can restore your files without you having to pay the ransom, be suspicious. Serious ransomware strains implement their encryption well. There’s no magical cure, no way to decrypt the locked files without the decryption key.

Scammers can offer you decrypted sample files as proof of their abilities to decrypt data, but remember that many ransomware gangs also offer this same service.

There are companies that promise to repair encrypted files without paying the ransom. In reality, they pay the ransom and then keep some of the money for themselves. Check Point wrote about such a case where victims of Dharma were being scammed and the scammer kept more than half of the payment sums.

Some scammers might not even pay the ransom – just take your money and disappear.

Fake, defunct extortion

Emails impersonating the notorious extortion gang DarkSide were sent to various companies. They’re meant to trick the recipients into believing that their data has been stolen.

Another issue is old infections. Old ransomware that is no longer being operated can still infect computers (such as by infected files being downloaded from the internet). Contacting the extortionists would be impossible and paying the ransom to a given address would be useless. WannaCry is one such example.

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts

Security Guides

Recent Comments