Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Can you recover data from a Ransomware attack

  • Please log in to reply
1 reply to this topic

#1 mrwilbert


  • Members
  • 1 posts

Posted 09 September 2017 - 12:53 AM

My previous company was attacked by Ransomware and I refered them to the current company that I am working on Raid Recovery Pro and my current employer said they can recover but with doubts. So my question is are you able to recover data after it have been deleted by an attack.

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:48 AM

Posted 09 September 2017 - 06:01 AM

Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with and a variety of factors. All crypto malware ransomware use some form of encryption algorithms, most of them are secure, but others are not. The possibility of decryption depends on the thoroughness of the malware creator, what algorithm the creator utilized for encryption, discovery of any flaws and sometimes just plain luck. Newer ransomware variants use a public and private key system where the public key is used to encrypt and the private key is used to decrypt. The private key is stored on a central server maintained by the cyber-criminals and not available unless the victim pays the ransom or at some point, law enforcement authorities arrest the criminals...seize the C2 server and release the private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time.

Dr.Web statistics show that the probability of restoring files compromised by encryption ransomware doesn't exceed 10%. That means that most of user data has been lost for good!

Dr.Web: Encryption ransomware - Threat No. 1

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. Other possible options include using native Windows Previous Versions or programs like Shadow Explorer and ShadowCopyView if the malware did not delete all shadow copy snapshots as it typically does. However, it never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for these infections to sometimes fail to delete the Shadow Volume Copies or the encryption process was interrupted. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work either...again, it never hurts to try.

In cases where there is no free decryption fix tool and victims are not willing to pay the ransom, the only other alternative is to backup/save your encrypted data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution.

Law enforcement authorities have had some success arresting cyber-criminals, seizing C2 servers and releasing private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time. Several of them have done that here at Bleeping Computer.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users