How to Decrypt Files Encrypted By Ransomware


In our series on ransomware, today we cover measures you can try to decrypt files that have been encrypted by ransomware. Antivirus companies worldwide, and the FBI as well, have declared ransomware the most deadly virus (or rather, encryption) for which no remedy has yet been found.

In this edition, we list the remedial steps you can try to get your encrypted data back:

System Restore

This is the most commonly used measure for getting back files and data encrypted by ransomware. To perform a System Restore, first restart your system and press F8 repeatedly while it boots.

A screen is then displayed where you select Safe Mode to start Windows. Windows then loads only the applications required for startup and does not run other add-on applications, which includes the ransomware application or process present on the infected system.

Then click Start Menu -> Accessories -> System Tools -> System Restore. A dialog appears where you select a restore point from the past dates offered. After selecting the restore point, click Finish. The system restarts automatically and begins restoring Windows to the chosen restore point. When the System Restore process completes, Windows restarts and you will see the data on your system in its earlier, unencrypted version.

Restore Previous Version of Files & Folders

This solution works at the level of individual files and folders, for when you want to decrypt only some of the files and folders on your ransomware-infected system. As in the solution above, the system must first be restarted in Safe Mode.

Right-click the file or folder you want to decrypt and click Properties. In the window that opens, click the Previous Versions tab, then select a saved version of the file or folder dated before the day your system was infected by the ransomware. Click Restore and you will get your previous, non-infected file or folder back.
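Both methods above read from data Windows keeps on the system drive: System Restore from restore points, and the Previous Versions tab from Volume Shadow Copies. The following script is an added example and not part of the original post: it lists both stores, then copies one file out of the newest shadow copy taken before the infection, which is the same operation the Previous Versions tab performs, done from a prompt. It assumes an elevated Windows PowerShell 5.1 session on the infected machine; the infection date, the file path, the output folder and the link path are placeholders to replace.

```powershell
# Added example (not from the original post). Run in an elevated Windows
# PowerShell 5.1 prompt; Get-ComputerRestorePoint is not available in PowerShell 7.
# $infectedOn, $original, $recovered and $link are assumed values for illustration.

# 1. Restore points that the System Restore wizard would offer.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# 2. Volume Shadow Copies, the store behind the "Previous Versions" tab.
#    Many ransomware families delete these before encrypting; if this list is
#    empty, the Previous Versions tab will be empty too and this path is closed.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
$shadows | Select-Object InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize

# 3. Copy one file out of the newest shadow copy taken before the infection.
$infectedOn = Get-Date '2016-03-01'
$original   = 'C:\Users\Alice\Documents\report.docx'
$recovered  = 'C:\Recovered\report.docx'

$snap = $shadows |
    Where-Object { $_.InstallDate -lt $infectedOn } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1

if ($null -eq $snap) {
    Write-Warning 'No shadow copy older than the infection date; Previous Versions cannot help here.'
    return
}

# The snapshot is exposed as a device object such as
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3. A directory symbolic link to
# it (the trailing backslash is required) makes the snapshot browsable like a
# normal drive, so ordinary Copy-Item works against it.
$link = 'C:\ShadowLink'
cmd.exe /c mklink /d $link "$($snap.DeviceObject)\" | Out-Null
try {
    $relative = $original.Substring(3)                     # drop the 'C:\' prefix
    New-Item -ItemType Directory -Path (Split-Path $recovered) -Force | Out-Null
    Copy-Item -LiteralPath (Join-Path $link $relative) -Destination $recovered
    # Hash the recovered copy so you can tell later whether it was touched again.
    Get-FileHash -LiteralPath $recovered -Algorithm SHA256
}
finally {
    cmd.exe /c rmdir $link | Out-Null                     # removes the link only, not the snapshot
}
```

A restore point covers system files, the registry and installed programs; personal documents come back through the shadow-copy path, which is why the script checks both stores. Copy recovered files to a separate folder rather than over the encrypted originals, so that a second pass is still possible if the first restore chose the wrong snapshot.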

Manual Removal

Ransomware gets into your system and starts a process that keeps running without the user knowing about it. During this process the ransomware encrypts the data files on the system and stops the user from accessing them. In this case, follow these steps:

  • Stop Malicious Ransomware Process using Task Manager

Open Task Manager and go to the Processes tab. The malicious ransomware process is generally located in the %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\ folder and names itself with a random Windows executable name. We suggest saving the process name in a text document for reference before killing the process. Look for other suspicious files associated with the ransomware and delete the directories containing them.

  • Reveal Hidden Files

Open any folder. In the Organize menu, click the “Show Hidden Files & Folders” option, then uncheck “Hidden files”. Click “Apply” and “OK”.

  • Locate Ransomware in the Startup Location

Press Windows + R, then type “Regedit” in the Run dialog. Be careful during this step: accidentally deleting system registry entries can crash Windows. Delete the entry for the suspicious executable. Then open the hosts file at System32\drivers\etc\hosts and delete the foreign IP addresses connected to your system that are listed at the bottom of the file. Delete all of these foreign IP addresses except the local entry.

  • Restore System

Click on the Start Menu -> Accessories -> System Tools -> System Restore and restore the system to get back your original data files.
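The four steps above, carried out as a read-only triage script. This is an added example, not from the original post. Instead of killing or deleting anything, it records what the manual steps would have you look at (processes running from profile folders, Run/RunOnce and Startup-folder entries, and the non-comment lines of the hosts file) into a text file, following the post's own advice to save the process name before acting, and it flips the Explorer settings that reveal hidden files. It assumes an elevated Windows PowerShell prompt; the report path is an assumption.

```powershell
# Added example (not from the original post): read-only triage for the manual
# removal steps above. Run in an elevated Windows PowerShell prompt.
# $report is an assumed output path.
$report = Join-Path $env:USERPROFILE 'Desktop\ransomware-triage.txt'
$lines  = New-Object System.Collections.Generic.List[string]

# 1. Processes whose executable lives in a user-writable profile folder. The
#    post's sample location, %AppData%\{GUID}\<random>.exe, fits this pattern,
#    and little legitimate software runs from %AppData% or %Temp%.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)
$lines.Add('== Processes running from profile folders (PID, path) ==')
foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
    $path = $proc.ExecutablePath
    if (-not $path) { continue }                       # kernel/system processes expose no path
    foreach ($root in $suspectRoots) {
        if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $lines.Add(('{0,6}  {1}' -f $proc.ProcessId, $path))
            break
        }
    }
}

# 2. Make hidden and protected-OS files visible in Explorer (Hidden: 1 = show, 2 = hide).
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name Hidden          -Value 1
Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1

# 3. Autostart locations: what relaunches the process after a reboot.
$lines.Add('== Run / RunOnce registry values ==')
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -in $metaProps) { continue }   # provider bookkeeping, not autostart data
        $lines.Add(('{0}\{1} = {2}' -f $key, $prop.Name, $prop.Value))
    }
}
$lines.Add('== Startup folder ==')
Get-ChildItem -Force -Path ([Environment]::GetFolderPath('Startup')) |
    ForEach-Object { $lines.Add($_.FullName) }

# 4. hosts file: loopback lines are expected; anything else deserves a look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$lines.Add('== Non-comment hosts entries ==')
foreach ($line in Get-Content -LiteralPath $hostsPath) {
    $t = $line.Trim()
    if ($t -and -not $t.StartsWith('#')) { $lines.Add($t) }
}

Set-Content -LiteralPath $report -Value $lines.ToArray()
Write-Host "Triage report written to $report"
```

Review the report before acting on it: only confirmed entries should be stopped (Stop-Process -Id) or removed from the Run keys (Remove-ItemProperty), and keeping a copy of the suspect executable and its SHA-256 hash gives your antivirus vendor something to identify the family from.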

Finally, we strongly suggest that once you get your encrypted files back, you make a backup of the data so that you need not worry about future ransomware attacks. We also suggest that users create a system restore point regularly, at a fixed interval.
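The closing advice turned into working commands, as an added example that is not part of the original post: enable System Restore, take a restore point now, schedule one daily, and take a versioned copy of the Documents folder to an external drive. It assumes an elevated Windows PowerShell 5.1 session on Windows 8 or later (for the ScheduledTasks cmdlets); the task name, schedule time and backup drive letter are placeholders.

```powershell
# Added example (not from the original post). Elevated Windows PowerShell 5.1 on
# Windows 8 or later. Task name, schedule and backup destination are assumptions.

# 1. Make sure System Restore is on for the system drive and take a point now.
Enable-ComputerRestore -Drive "$env:SystemDrive\"
Checkpoint-Computer -Description 'Manual baseline' -RestorePointType MODIFY_SETTINGS

# 2. Schedule a daily restore point running as SYSTEM. Windows 8 and later skip
#    a new point if one was created in the previous 24 hours, so daily is the
#    useful minimum interval without changing SystemRestorePointCreationFrequency.
$cmd       = 'Checkpoint-Computer -Description ''Daily scheduled'' -RestorePointType MODIFY_SETTINGS'
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -Command `"$cmd`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 7:00am
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'DailyRestorePoint' -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null

# 3. Versioned file backup to an external drive. A new date-stamped folder per
#    run means a later infection cannot overwrite an earlier good copy, which a
#    mirror-style sync (robocopy /MIR, or a cloud folder that syncs deletions)
#    would do. Disconnect the drive once the copy finishes.
$backupRoot = 'E:\Backups'                                  # assumed external drive
$dest = Join-Path $backupRoot (Get-Date -Format 'yyyy-MM-dd')
$log  = Join-Path $backupRoot 'backup.log'
robocopy "$env:USERPROFILE\Documents" (Join-Path $dest 'Documents') /E /R:1 /W:1 /NP "/LOG+:$log"
# robocopy exit codes below 8 mean success (possibly with extra files); 8+ means failures
if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures (exit code $LASTEXITCODE)" }
```

The backup step deliberately avoids mirroring: a backup that faithfully replicates the source will also faithfully replicate encrypted files over the last good copy, so each run gets its own folder and the drive is unplugged afterwards, keeping it out of reach of anything that runs on the machine later.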

That’s it for this discussion of some ways users can try to decrypt data files encrypted by ransomware. The remedies discussed above are not a permanent solution for decrypting files encrypted by ransomware, but they may be useful in certain scenarios. I believe the facts mentioned above are true to the best of my knowledge, and I would be happy if any reader wanted to give their valuable suggestions on the topic discussed above.

As ransomware is becoming a major threat to internet users, we strongly suggest that users do not open emails containing attachments from unknown or untrusted sources.

We hope readers will benefit from the above discussion, and we promise to come back with more on ransomware. Till then, keep Protegent on your system for secure computer use.