In a ransomware attack, a piece of malicious software downloaded to your computer will prevent you from accessing the files on your computer. The ransomware will then ask for payment in exchange for releasing your files. These attacks can be extremely frustrating. Plus, they’re becoming more common over time.
Fortunately, it’s possible in many cases to decrypt files encrypted by ransomware without paying. Below, we’ll cover how to identify the ransomware that’s infected your computer and regain access to your files.
- Removing the Ransomware
Major security organizations, including the FBI, advise that you never pay the requested fee, because you won’t necessarily get your files back and may also encourage hackers to keep developing and spreading ransomware.
If you have backups of your data available, it may be a good idea to remove the ransomware from your system and replace the encrypted files with your backups. You may also be able to roll back to a restore point before the virus encrypted your files using the Windows System Restore.
Before you try either of these approaches, however, use a virus scanner to remove the malware from your computer. Otherwise, files imported from your backup will get locked again by the malware. Malwarebytes is the go-to virus scanner for many computer professionals, but Windows Defender is also effective at detecting and removing ransomware.
If you don’t have backups or a restore point available, you’ll need to decrypt the files once you’ve removed the ransomware from your system.
- How To Decrypt Files Encrypted by Ransomware
Ransomware works by locking your files using data encryption, meaning that it transforms the information in those files in such a way that the programs on your computer can no longer read them. Before you can open these files again, you’ll need to decrypt them.
It’s possible to decrypt files encrypted by ransomware with several tools available for free online. However, not all of these tools are guaranteed to work for the particular strain of ransomware on your computer. Therefore, you’ll need to start by identifying the ransomware. To do this, compare your encrypted files and ransomware note against a ransomware list on the internet.
Often, searching for the file extension on locked documents will give you an idea of what ransomware is on your computer — or sometimes outright tell you. For example, the Alcatraz Locker ransomware changes the file extension of encrypted files to .Alcatraz. You can also use publicly available ransomware ID tools to identify the particular virus you’re dealing with.
Once you’ve identified the type of ransomware on your system, look for a decryption tool that can handle it. If you don’t know where to start, you can try the “No More Ransom” website, an initiative from McAfee, Kaspersky, Europol and the National High Tech Crime Unit of the Netherlands’ police. This website hosts a list of decryption tools, organized by ransomware, that you can use.
There may not be a decryptor that works for you, however. Not all ransomware families have had decryptors created for them, and even one built for the ransomware you’re dealing with may not work on your system’s particular version.
You should also be careful when searching for a decryptor. Some tools available online have turned out to be ransomware in disguise. As always, only download files from trustworthy sources.
Saving Your Files From Ransomware
Ransomware attacks can be devastating — and they’re becoming more common. Fortunately, there is a wide range of ransomware decryptors available online. By removing the malware with antivirus software and using a decryptor, you may be able to save your system’s files.