How to recover files after they have been encrypted? Use the Ransomware Removal Kit

Jada Cyrus, who does network security on the side, together with Lawrence Abrams and Cody Johnston from BleepingComputer, has collected in one bundle a set of tools for fighting ransomware, or rather what it leaves behind. In most cases encrypted files can no longer be recovered, with a few exceptions that we describe below.

Jada Cyrus admits to not being the author of these tools, but because of the growing threat from crypto-ransomware decided to collect in one place the applications that help remove this malware and, in some cases, even recover the data.

The necessary steps after your files have been encrypted

If you have fallen victim to a file-encrypting operation, you need to be aware that you probably belong to the group of unaware users who do not care at all about the dangers they face every day on the Internet.

However, we realise that not everyone is interested in computer security; still, given the progressive commercialisation of IT, sooner or later each of us could become the victim of a crime. And remember, the prosecutor will not care whether your computer was used for the illegal distribution of pornography or spam, or even served as an intermediary in illegal banking operations; you may be the one who gets the blame. So, before you close the browser window and return to your everyday computing activities, consider whether:


1. you have decent anti-virus software?
2. you verify email senders?
3. you do not open attachments of unknown origin (from random senders)?


If these three basic points do not sound familiar, consider whether:

1. you have fallen victim to malvertising and a drive-by download attack?
2. you have fallen victim to a scam such as "the Post", "DHL" or "Allegro"?
3. you have fallen victim to spam with a malicious attachment?
4. or, as a last resort, you have fallen victim to your own stupidity and ignorance?

If any of these applies to you and your files are encrypted:

1. Disconnect your computer and all attached disks and flash drives. You should know that most varieties of crypto-ransomware encrypt not only files on the local disk but also files shared on the local network and on drives connected to the USB ports.

2. If the malicious file has only just been run, not all is lost. For the first tens of seconds, or even a few minutes, ransomware searches the disk and builds a list of the files it will encrypt. Therefore, if you notice that something is going on with your computer, immediately reset the system with the switch on the case and disconnect the Internet cable from the modem/router, unplug the USB modem, or disable Wi-Fi on the laptop with the right key combination (depending on the manufacturer's shortcut).


Typically, however, it is already too late. When your wallpaper has been replaced and a window with instructions on how to pay in BTC or PayPal appears, a restart no longer achieves anything. If, despite everything, you decided to restart and you suspect that not all files have been lost, beware of the advice that can be found on various forums. Here is one example:

"Turn on your computer, download X and Y, paste the logs onto the website and attach everything in a post on the forum".

The whole snag is that ransomware communicates with the C&C server to retrieve the encryption key before it encrypts files. It may also download additional components or other malicious software. Using the network in this situation is foolish. Before any such operation, scan all drives with an anti-virus rescue CD.


3. The most effective way to recover files is ... to restore them from a backup. First scan the computer from a rescue disc, or use portable software / install an antivirus and run a "full scan", and only then restore the files. The ransomware must be completely eliminated so that it does not encrypt the files again.

4. You can use the Ransomware Removal Kit and the tools you will find in the archive:

  • Bitcryptor – a tool to remove the malware and recover files after encryption by BitCryptor.
  • Coinvault – a tool to remove the malware and recover files after encryption by CryptoLocker. It contains the CryptoLockerDecrypt tool from FireEye and the Kaspersky CoinVault Decryptor (see Step by step: how to recover files encrypted by the CoinVault ransomware).
  • FBIRansomWare – a tool to remove infections by FBIRansomWare.
  • OperationGlobal – a tool to remove infections by OperationGlobal.
  • PCLock – a tool to remove the malware and recover files after encryption by PCLock.
  • Teslacrypt – a tool to remove the malware and recover files after encryption by TeslaCrypt and Alpha Crypt.
  • Torrentlocker – a tool to remove the malware and recover files after encryption by TorrentLocker.
  • TrendMicro_Ransomware_RemovalTool – the universal Trend Micro Anti-Threat Toolkit scanner, in 32- and 64-bit versions.

Using the tools listed above does not guarantee file recovery. In most cases the decryption key is located on C&C servers controlled by the criminals, and it is almost impossible to recover. However, Kaspersky Lab, together with the Dutch National Police High Tech Crime Unit (NHTCU), showed by running the service www.noransom.kaspersky.com that operations to take down C2 servers are possible.
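Step 3 above (restore from backup) and the caveat that the tools may not decrypt anything both leave one practical question open: which files on the disk were actually overwritten with ciphertext and therefore have to come back from the backup? The script below is an added example and is not part of the Ransomware Removal Kit or of any tool it bundles. It walks a directory tree and flags files whose first 64 KiB have near-maximal byte entropy, which is what encrypted content looks like; the threshold, sample size and the demo directory it builds are assumptions chosen for the example.

```python
import math
import os
import tempfile
from collections import Counter

# Added example, not part of the Ransomware Removal Kit: a small triage
# script that lists which files under a directory look encrypted (high
# byte entropy) so you know what must be restored from backup.

THRESHOLD = 7.5      # bits per byte (assumed); ciphertext sits close to 8.0
SAMPLE_SIZE = 65536  # only the first 64 KiB of each file is read (assumed)
MIN_SIZE = 1024      # below this the entropy estimate is unreliable (assumed)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of the given byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> tuple[float, str]:
    """Return (entropy, verdict); verdict is 'suspect', 'clean' or 'too-small'."""
    with open(path, "rb") as fh:
        data = fh.read(SAMPLE_SIZE)
    ent = shannon_entropy(data)
    if len(data) < MIN_SIZE:
        return ent, "too-small"
    return ent, "suspect" if ent >= THRESHOLD else "clean"


def triage_tree(root: str) -> dict[str, list[tuple[str, float]]]:
    """Walk root and bucket every file by verdict; paths are relative to root."""
    buckets: dict[str, list[tuple[str, float]]] = {
        "suspect": [], "clean": [], "too-small": []
    }
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            ent, verdict = classify_file(full)
            buckets[verdict].append((os.path.relpath(full, root), round(ent, 2)))
    return buckets


def build_demo_tree() -> str:
    """Constructed sample data: a plain-text document, a fake ciphertext, a tiny file."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(b"Quarterly report draft, do not distribute.\n" * 200)
    with open(os.path.join(docs, "budget.xlsx.locked"), "wb") as fh:
        fh.write(os.urandom(16384))  # stands in for a file overwritten with ciphertext
    with open(os.path.join(docs, "stub.txt"), "wb") as fh:
        fh.write(b"ok")  # too small for a meaningful entropy estimate
    return root


if __name__ == "__main__":
    result = triage_tree(build_demo_tree())
    for verdict, entries in result.items():
        for rel, ent in entries:
            print(f"{verdict:10s} {ent:5.2f}  {rel}")
```

Treat the "suspect" bucket as a shortlist, not proof: already-compressed formats such as ZIP, JPEG or MP4 also score near 8 bits per byte, so compare the flagged paths against your backup catalogue and the ransom note's own list of extensions rather than restoring blindly. Run the scan from the rescue environment, after the malware has been removed, so the tree is no longer changing underneath you.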


For some time the saying "people are divided into those who make backups and those who will" has been growing in popularity. And no wonder: in the end, only a copy of the data will fully restore it after it has been encrypted.


We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.