How to Remove Ransomware and Recover Decrypted Files
Need help removing ransomware from your computer or mobile device? Our guide has got you covered! It offers instructions, tools, and tips to remove ransomware, recover decrypted files, and protect your data. It’s perfect for business owners, home computer users, and mobile device users alike.
What is Ransomware?
Ransomware restricts access to a computer’s files or system until a ransom is paid or the files are recovered by other means. It spreads through email attachments, infected websites, or malicious software downloads. Once it infects a computer or device, it encrypts files, making them inaccessible, and then displays a message demanding payment in exchange for the decryption key that unlocks them.
Ransomware typically encrypts personal files or restricts access to the infected machine in order to demand a ransom. It leaves a ransom note in .html or text format, or puts a lock screen on the Windows desktop, with instructions to pay a ransom to recover the files or regain access to the machine.
Screenshot: ransom note (example). Stripped of the random filler characters that the original note scatters between its words, the text reads:

!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
http://en.wikipedia.org/wiki/RSA_(cryptosystem)
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: mwddgguaa5rj7b54.onion/
4. Follow the instructions on the site.
!!! Your personal identification ID: !!!
It is recommended to avoid paying the ransom demanded to decrypt files. Paying does not guarantee that the decryption key will be provided, and it encourages the spread of these types of attacks. Furthermore, payment can result in your financial information being compromised. Instead of paying, use third-party tools such as Shadow Explorer, PhotoRec, or Recuva to try to recover earlier or deleted copies of the encrypted files. They offer a safer alternative to paying the ransom and should always be tried before payment is even considered.
How to Remove Ransomware
Step 1: Disconnect from the Internet
Before you start the removal process, disconnect your computer or mobile device from the Internet. This prevents the ransomware from communicating with its command and control server, which could otherwise lead to further damage or the encryption of more of your files.
Step 2: Download and install Malwarebytes
Download and install Malwarebytes Anti-Malware software from the official Malwarebytes website.
Step 3: Update Malwarebytes
Once installed, launch Malwarebytes and update the software to ensure it has the latest virus definitions and protection against the latest threats.
Step 4: Run a full system scan
Perform a full system scan with Malwarebytes. This may take some time, but it will scan all files and folders on your computer or mobile device for ransomware and other types of malware.
Step 5: Remove any detected threats
If Malwarebytes detects any ransomware or other types of malware, it will prompt you to remove them. Follow the instructions provided by Malwarebytes to remove any threats it detects.
Step 6: Restart your computer
After Malwarebytes has removed any detected threats, restart your computer. This will ensure that any changes made by Malwarebytes have taken effect and will give you a fresh start.
Step 7: Take preventative measures
To prevent future ransomware attacks, take preventative measures such as keeping Malwarebytes installed, keeping your operating system and software up to date, avoiding suspicious email attachments and links, and regularly backing up your files.
Android
- Download Malwarebytes for Android from the Google Play Store.
- Open the Malwarebytes app and tap the “Scan” button to start the scan for malware and ransomware.
- Once the scan is complete, review the results and tap “Remove” to get rid of any detected ransomware.
- If the ransomware has encrypted files, you may need to reset your phone to factory settings to remove it completely. This will erase all data from your phone, so make sure to back up any important files before proceeding.
- To reset your phone, go to Settings > System > Reset options > Erase all data (factory reset). Follow the on-screen instructions to complete the reset.
- After the reset is complete, re-install your apps and restore your files from your backup.
It is important to note that ransomware attacks on mobile devices are rare, but it is still important to keep your phone and its apps up to date and to avoid downloading apps from untrusted sources.
How to Recover Files
The first step is to identify the type of ransomware. Check the ransom note and the encrypted files for any unique identifiers or file extensions. Once you have this information, you can search online for a decryptor tool designed specifically for that ransomware family. However, not all ransomware families have a decryptor available, and even when one exists, it may not work in every case.
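To gather the clues this step describes, here is an added Python example (not code from the original article) that walks a folder tree and reports the unusual extension shared by many files, i.e. the suffix the ransomware appended, and the note file dropped with the same name in several folders; the thresholds, the word list and the sample file names are constructed assumptions.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Extensions normally present on a home PC; never reported as suspicious.
COMMON_EXTS = {"", ".txt", ".html", ".htm", ".jpg", ".png", ".gif", ".pdf", ".doc",
               ".docx", ".xls", ".xlsx", ".pptx", ".mp3", ".mp4", ".zip", ".exe", ".dll"}
# Words often found in ransom-note file names (assumed, illustrative list).
NOTE_WORDS = ("readme", "decrypt", "recover", "restore", "help", "how_to",
              "instruction")
NOTE_EXTS = {".txt", ".html", ".htm", ".hta"}


def triage(root: Path) -> dict:
    """Report the appended suffix and the repeated note file found under root."""
    ext_counts: Counter = Counter()
    note_counts: Counter = Counter()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        ext_counts[ext] += 1
        lowered = path.name.lower()
        if ext in NOTE_EXTS and any(w in lowered for w in NOTE_WORDS):
            note_counts[path.name] += 1
    # An appended suffix is shared by many files and is not a normal file type.
    suspects = {e: n for e, n in ext_counts.items()
                if e not in COMMON_EXTS and n >= 3}
    # Notes are dropped once per folder, so the same file name repeats.
    notes = {n: c for n, c in note_counts.items() if c >= 2}
    return {"suspect_extensions": suspects, "ransom_notes": notes}


def demo() -> dict:
    """Build a constructed sample tree in a temporary folder and triage it."""
    sample = ["docs/report.docx.xyz_locked", "docs/budget.xlsx.xyz_locked",
              "docs/RECOVER_FILES.html", "photos/a.jpg.xyz_locked",
              "photos/b.jpg", "photos/RECOVER_FILES.html", "notes.txt"]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in sample:
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("constructed sample content")
        return triage(root)


if __name__ == "__main__":
    # -> {'suspect_extensions': {'.xyz_locked': 3}, 'ransom_notes': {'RECOVER_FILES.html': 2}}
    print(demo())
```

Point `triage()` at the affected drive or folder; the reported suffix and note name are what to search for when looking up a decryptor.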
If a decryptor tool is not available or does not work, use a data recovery tool to attempt to recover the original files from the hard drive:
- Shadow Explorer: If your computer runs Windows and the ransomware has not deleted the shadow copies of your files, you can use Shadow Explorer to restore previous versions of them. Download and install Shadow Explorer, select a restore point, and navigate to the file location to recover the previous version of the file.
- PhotoRec: PhotoRec is a free and open-source file recovery software that can recover lost data from hard drives, USB drives, and other storage devices. Download and install PhotoRec, select the affected drive, and follow the prompts to recover your files.
- Recuva: Recuva is an alternative file recovery tool. Download and install Recuva, select the drive, and choose the scan type. Once the scan is complete, you can preview and recover your files.
System Restore & Recovery
You can recover encrypted files by performing a system restore to a date and time before the ransomware infection occurred. Alternatively, you can do a system recovery or reset, which means reinstalling the operating system and erasing all data on the computer.
Here are the steps to perform a system restore:
- Open the Start menu and type “system restore” in the search bar.
- Click on “Create a restore point” and then click on “System Restore.”
- Choose a restore point created before the infection occurred.
- Click “Next” and then “Finish” to start the restore process.
- Wait for the restore process to complete.
Below are the steps to follow for performing a system recovery or reset:
- Restart the computer and press the key to enter the boot menu. The key may differ depending on the computer model, but it’s usually F2, F10, or F12.
- Choose the option to boot from the installation media, which can be a USB drive or CD/DVD.
- Follow the on-screen instructions to reinstall the operating system and erase all data on the computer.
- After the reinstallation is complete, restore the backed-up data and files.