Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with and a variety of factors. All crypto-malware ransomware uses some form of encryption algorithm; most of them are secure, but others are not. The possibility of decryption depends on the thoroughness of the malware creator, what algorithm the creator utilized for encryption, discovery of any flaws and sometimes just plain luck. Newer ransomware variants use a public and private key system where the public key is used to encrypt and the private key is used to decrypt. The private key is stored on a central server maintained by the cyber-criminals and is not available unless the victim pays the ransom or, at some point, law enforcement authorities arrest the criminals...seize the C2 server and release the private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time.
Dr.Web: Encryption ransomware - Threat No. 1
Dr.Web statistics show that the probability of restoring files compromised by encryption ransomware doesn't exceed 10%. That means that most user data has been lost for good!
You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. Other possible options include using native Windows Previous Versions or programs like Shadow Explorer if the malware did not delete all shadow copy snapshots, as it typically does. However, it never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for these infections to sometimes fail to delete the Shadow Volume Copies, or for the encryption process to be interrupted. In some cases the use of file recovery software such as R-Studio or PhotoRec may be helpful to recover some of your original files, but there is no guarantee that will work either...again, it never hurts to try.
In cases where there is no free decryption fix tool and victims are not willing to pay the ransom, the only other alternative is to backup/save your encrypted data as is and wait for a possible breakthrough...meaning, while decryption of your data seems like an impossibility at the moment, there is always hope that someday there may be a potential solution.
Law enforcement authorities have had some success arresting cyber-criminals, seizing C2 servers and releasing private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time. Several of them have done that here at Bleeping Computer.

Imaging the drive backs up everything related to the infection, including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code, so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers, so keeping a backup of the original encrypted files and related information is a good practice.
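As an added illustration (not code from the post above, and not taken from any real ransomware family), the following PowerShell models the public/private key scheme described at the top of the post using .NET's built-in RSA and AES classes. It shows what actually lands on a victim's disk (ciphertext, IV and a wrapped per-file key), why the public key embedded in the malware cannot undo the wrapping, and why a released or seized private key makes recovery routine. It assumes PowerShell 7 (.NET 6 or later); the function names, the sample "document" and the $onDisk object are this example's own.

```powershell
# Added illustration of the public/private key scheme, not the original post's code.
# Assumes PowerShell 7 (.NET 6+) for RSA.Create(int) and OAEP-SHA256 support.
$Oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

# Criminal side: the key pair is generated once, away from the victim. Only the public
# half is embedded in the malware; the private half stays on the C2 server.
$attackerKeyPair   = [System.Security.Cryptography.RSA]::Create(2048)
$embeddedPublicKey = [System.Security.Cryptography.RSA]::Create()
$embeddedPublicKey.ImportParameters($attackerKeyPair.ExportParameters($false))  # $false = public part only

# Victim side: what happens to one file (modelled here as an in-memory byte array).
function Protect-FileLikeRansomware {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSA]$PublicKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.GenerateKey()   # a fresh random key for this file
    $aes.GenerateIV()
    $encryptor  = $aes.CreateEncryptor()
    $ciphertext = $encryptor.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # The per-file key is wrapped with the public key; only the private key can unwrap it.
    $wrappedKey = $PublicKey.Encrypt($aes.Key, $Oaep)
    $iv = $aes.IV
    $aes.Dispose()
    # This object is everything that ends up on disk. No usable key material is in it.
    [pscustomobject]@{ Ciphertext = $ciphertext; IV = $iv; WrappedKey = $wrappedKey }
}

# Recovery side: what a decryptor can do once the private key exists locally
# (ransom paid, C2 server seized, or master keys released by the authors).
function Unprotect-FileWithPrivateKey {
    param($Blob, [System.Security.Cryptography.RSA]$PrivateKey)
    $fileKey = $PrivateKey.Decrypt($Blob.WrappedKey, $Oaep)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $fileKey
    $aes.IV  = $Blob.IV
    $decryptor = $aes.CreateDecryptor()
    $plaintext = $decryptor.TransformFinalBlock($Blob.Ciphertext, 0, $Blob.Ciphertext.Length)
    $aes.Dispose()
    return $plaintext
}

# Constructed sample content standing in for a user's file.
$document = [System.Text.Encoding]::UTF8.GetBytes('Q3 budget - constructed sample content')
$onDisk   = Protect-FileLikeRansomware -Plaintext $document -PublicKey $embeddedPublicKey

# All the victim holds is the embedded public key and $onDisk. The public key cannot unwrap:
try {
    $embeddedPublicKey.Decrypt($onDisk.WrappedKey, $Oaep) | Out-Null
    Write-Warning 'unexpected: public key unwrapped the file key'
} catch {
    "Public key alone cannot unwrap the file key ($($_.Exception.GetType().Name))"
}

# With the private key, recovery is routine. This is what a released master key enables,
# and why keeping the encrypted files and their wrapped keys intact matters.
$recovered = Unprotect-FileWithPrivateKey -Blob $onDisk -PrivateKey $attackerKeyPair
[System.Text.Encoding]::UTF8.GetString($recovered)
```

The practical consequence is the one the post draws: the ciphertext on disk is only as recoverable as the private key is obtainable, so the encrypted files plus any wrapped key material dropped alongside them are exactly what a future decryptor needs, and the only thing worth keeping if no tool exists yet.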
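As a second added example (again not from the original post), here are the two checks a victim or responder can script for the shadow copy and "save everything" advice above: first, whether any Volume Shadow Copies survived and how to browse one read-only; second, how to preserve the encrypted files, ransom notes, any key data files and the autorun registry keys to an external drive with a SHA-256 manifest. Run from an elevated PowerShell prompt. The function names, the '.locked' extension, the note-name patterns and the paths are placeholders to replace with what the actual infection left behind.

```powershell
# Added example for the recovery/preservation steps above; not the original post's code.
# Run elevated. Extension, patterns and paths are placeholders for the real infection.

# 1. Did any Volume Shadow Copies survive? Ransomware typically runs something like
#    "vssadmin delete shadows /all /quiet", but that step does not always succeed.
function Get-SurvivingShadowCopies {
    param([string]$DriveLetter = 'C:')
    $volume = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    if (-not $volume) { throw "Volume $DriveLetter not found" }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |   # match snapshot to this volume
        Sort-Object InstallDate |
        Select-Object ID, InstallDate, DeviceObject
}

# A surviving snapshot can be browsed by linking its device object into the filesystem
# (the trailing backslash on the device path is required). Copy files out; do not write to it.
function Mount-ShadowCopyForBrowsing {
    param([Parameter(Mandatory)][string]$DeviceObject, [string]$LinkPath = 'C:\shadow_readonly')
    cmd.exe /c mklink /d $LinkPath "$DeviceObject\" | Out-Null
    Get-Item -LiteralPath $LinkPath
}

# 2. Preserve what a future decryptor would need. Write to an external drive, never back onto
#    the infected volume. Encrypted files contain no code; ransom notes are data but should
#    not be opened, so they are copied as-is and hashed.
function Save-RansomwareEvidence {
    param(
        [Parameter(Mandatory)][string]$SourceRoot,          # e.g. 'C:\Users\alice'
        [Parameter(Mandatory)][string]$Destination,         # e.g. 'E:\evidence\case1'
        [Parameter(Mandatory)][string]$EncryptedExtension,  # e.g. '.locked' (placeholder)
        [string[]]$NotePatterns = @('*README*', '*DECRYPT*', '*RESTORE*', '*HOW_TO*'),
        [string[]]$ExtraFiles = @()                         # key data files, if the family drops any
    )
    $copyRoot = Join-Path $Destination 'files'
    New-Item -ItemType Directory -Force -Path $copyRoot | Out-Null

    # Encrypted files by extension, plus anything whose name looks like a ransom note.
    $wanted = Get-ChildItem -Path $SourceRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $isNote = $false
            foreach ($p in $NotePatterns) { if ($_.Name -like $p) { $isNote = $true; break } }
            $_.Extension -eq $EncryptedExtension -or $isNote
        }
    $items = @($wanted)
    if ($ExtraFiles) { $items += @(Get-Item -LiteralPath $ExtraFiles -Force -ErrorAction SilentlyContinue) }

    # Copy with the original directory layout and record a hash of each preserved copy.
    $manifest = foreach ($file in $items) {
        $rel  = ($file.FullName -replace '^[A-Za-z]:', '').TrimStart('\')
        $dest = Join-Path $copyRoot $rel
        New-Item -ItemType Directory -Force -Path (Split-Path -Parent $dest) | Out-Null
        Copy-Item -LiteralPath $file.FullName -Destination $dest -Force
        [pscustomobject]@{
            Source        = $file.FullName
            SHA256        = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
            Length        = $file.Length
            LastWriteUtc  = $file.LastWriteTimeUtc
        }
    }
    $manifest | Export-Csv -NoTypeInformation -Path (Join-Path $Destination 'manifest.csv')

    # Autorun keys are the usual place a persistence entry or a key/ID reference shows up.
    $regKeys = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
    $n = 0
    foreach ($k in $regKeys) {
        $n++
        reg.exe export $k (Join-Path $Destination "registry_$n.reg") /y | Out-Null
    }
    "$(@($manifest).Count) files preserved under $copyRoot; manifest.csv and registry exports alongside."
}

# Usage (placeholders):
# Get-SurvivingShadowCopies -DriveLetter 'C:'
# Mount-ShadowCopyForBrowsing -DeviceObject '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1'
# Save-RansomwareEvidence -SourceRoot 'C:\Users\alice' -Destination 'E:\evidence\case1' -EncryptedExtension '.locked'
```

Two caveats match the post's own warnings: an empty result from Get-SurvivingShadowCopies is the normal outcome and does not mean Previous Versions was never enabled, and Save-RansomwareEvidence is a complement to imaging the whole drive, not a substitute for it, since a full image also captures deleted-file remnants that PhotoRec or R-Studio might later recover.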