How to unlock files from encrypted Malware

I have been on a computer that has been infected by an encrypted malware. All the documents and photos I cannot access. The extension on the files is .EnCrypter.

I have gone to decryptcryptolocker.com and uploaded a file and it said that the file was not infected with cryptolocker. Malwarebytes did not remove the malware.

Does anyone have any suggestions on how I may unlock the files?

Thank you in advance.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
I think your files HAVE been encrypted by the cryptolock virus. The only solution is to rebuild the system (to clear out the virus) and restore from backup.
Cryptolocker would be easiest.  You can check out my article on ransomware here:

http://www.experts-exchange.com/Security/Encryption/A_18086-Ransomware-Prevention-is-the-only-solution.html

As you can guess from the title, the only real solution is prevention. Once you have been encrypted, the solution is to restore from backup, or if you have previous versions enabled you can restore.
You may also be able to use undelete software to recover your files.
You said Malwarebytes did not remove the malware. You must be sure the malware has been removed before you do anything.
Top Expert 2014

Commented:
As others above said, remove malware first. Or remove the hard drive and do the data recovery on another PC. You might use shadow explorer to extract versions from shadow copies if it was enabled and not turned off by the malware.

Furthermore, try photorec to scan for deleted files; it may dig out one or 2 files of use for you. But all the methods above will not give you full recovery. The shadow copies usually don't have all files inside, especially if you have many files and the shadow copy would exceed the configured maximum on that drive; then older files will make space for newer modified files. Same for recovery of deleted files: if the space on the hard disk was used again by the system, either by new encrypted files or other things, the original content cannot be retrieved.
Undelete tools also fail when the file was fragmented; the larger the file, the larger the chance it's not continuous on the HDD.
All the suggestions made are good ones and should be tried. But if the files have been encrypted with ransomware, the chance of file recovery is nil and restore is highly unlikely. Ransomware encrypts the files and then securely erases the originals. By the time you see the ransom demand this has all been done. Many of the newer ransomware variants also make sure that you are unable to use shadow copies or previous versions.
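
Added example, not part of any post in this thread: a read-only Python triage for a folder of files pulled out of shadow copies or an undelete/photorec run, labelling each file as intact (known header), encrypted (the `.EnCrypter` extension from the question, or near-random content) or unknown. The signature list and the 7.5 bits-per-byte threshold are assumptions chosen for illustration.

```python
import math
import os
import sys
from collections import Counter

# Common signatures (magic bytes) of documents and photos.
MAGIC = (
    b"\xff\xd8\xff",                       # JPEG
    b"\x89PNG\r\n\x1a\n",                  # PNG
    b"%PDF-",                              # PDF
    b"PK\x03\x04",                         # ZIP container: docx, xlsx, ...
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE2: legacy doc, xls
)
ENCRYPTED_EXT = ".encrypter"  # extension reported in the question, lowercased
ENTROPY_LIMIT = 7.5           # assumed cut-off in bits per byte (max is 8.0)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, head: bytes) -> str:
    """Label one file from its name and leading bytes."""
    if any(head.startswith(sig) for sig in MAGIC):
        return "intact"      # header survives, worth opening
    if name.lower().endswith(ENCRYPTED_EXT):
        return "encrypted"   # renamed by the malware, header gone
    if shannon_entropy(head) > ENTROPY_LIMIT:
        return "encrypted"   # no known header and random-looking
    return "unknown"         # e.g. plain text; inspect by hand

def triage(root: str, sample: int = 4096) -> dict:
    """Walk a recovery folder read-only and label every file."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    results[path] = classify(fname, fh.read(sample))
            except OSError:
                results[path] = "unreadable"
    return results

if __name__ == "__main__" and len(sys.argv) > 1:
    for path, label in sorted(triage(sys.argv[1]).items()):
        print(f"{label:10} {path}")
```

An "intact" label only means the header is recognisable; a fragmented or partly overwritten file can still fail to open. Very small files give a low entropy reading even when encrypted, so they tend to land in "unknown".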
Top Expert 2014

Commented:
Yes, correct, most of the recent ransom cryptors turn off the shadow copies and overwrite the originals. But you still may be able to recover some content from former shadow copy files and former regular files that were deleted before the cryptor started its work and couldn't get the file handles to remove/encrypt them.

But I'm not sure if newer cryptor variants also wipe out unused space on the drives; then you will have totally no chance to get back anything.
Alessandro Scafaria, Infrastructure Premier Field Administrator
Top Expert 2015

Commented:
As experts said, there's no way (at the moment and for most variants of this malware) to recover your files, but please, take a look at this site too:

https://www.decryptcryptolocker.com/

Probably with no luck, if you upload a crypted file of yours, you'll be able to decrypt it (never happened to me personally)... but a chance is a chance!! :-)

Best luck!
Michael Lake, Founder

Commented:
Are you able to restore shadow copies if enabled?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I think my answer (40653120) and also Thomas' answer (40653588) have answered this question.
Plenty of good advice given which may be useful to others. Please do not delete the question.