How to unlock files from encrypted Malware

I have been on a computer that has been infected by an encrypted malware. All the documents and photos I cannot access. The extension on the files is .EnCrypter.

I have gone to decryptcryptolocker.com and uploaded a file and it said that the file was not infected with cryptolocker. Malwarebytes did not remove the malware.

Does anyone have any suggestions on how I may unlock the files?

Thank you in advance.
delacruz84 Asked:
 
Thomas Zucker-Scharff, Systems Analyst, Commented:
All the suggestions made are good ones and should be tried. But if the files have been encrypted with ransomware, the chance of file recovery is nil and restore is highly unlikely. Ransomware encrypts the files and then securely erases the originals. By the time you see the ransom demand this has all been done. Many of the newer ransomware variants also make sure that you are unable to use shadow copies or previous versions.
0
 
John, Business Consultant (Owner), Commented:
I think your files HAVE been encrypted by the cryptolock virus. The only solution is to rebuild the system (to clear out the virus) and restore from backup.
0
 
Thomas Zucker-Scharff, Systems Analyst, Commented:
Cryptolocker would be easiest. You can check out my article on ransomware here:

http://www.experts-exchange.com/Security/Encryption/A_18086-Ransomware-Prevention-is-the-only-solution.html

As you can guess from the title, the only real solution is prevention. Once you have been encrypted, the solution is restore from backup, or if you have previous versions enabled you can restore.
0

 
akb Commented:
You may also be able to use undelete software to recover your files.
You said Malwarebytes did not remove the malware. You must be sure the malware has been removed before you do anything.
0
 
andreas, System Admin, Commented:
As others above said, remove malware first. Or remove the hard drive and do the data recovery on another PC. You might use Shadow Explorer to extract versions from shadow copies if it was enabled and not turned off by the malware.

Furthermore, try PhotoRec to scan for deleted files; it may dig out one or 2 files of use for you. But all the methods above will not give you full recovery. The shadow copies usually don't have all files inside, especially if you have many files and the shadow copy would exceed the configured maximum on that drive; then older files will make space for newer modified files. Same for recovery of deleted files: if the space on the hard disk was used again by the system, either by new encrypted files or other things, the original content cannot be retrieved.
Undelete tools also fail when the file was fragmented; the larger the file, the larger the chance it's not continuous on the HDD.
0
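Added example (not part of the original thread): a simplified header/footer file carver in Python, not PhotoRec's own algorithm, run over a constructed disk image to show why carving recovers a contiguously stored file but not one that was fragmented with its gap reused by other data. All function names and the sample image are assumptions made for illustration.

```python
import hashlib

SECTOR = 512
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start-of-image / end-of-image markers

def fake_jpeg(fill: bytes, sectors: int) -> bytes:
    """Constructed stand-in for a photo: real JPEG markers around one-byte filler."""
    return SOI + fill * (sectors * SECTOR - len(SOI) - len(EOI)) + EOI

def split(data: bytes) -> list[bytes]:
    """Cut a file into the sectors it would occupy on disk."""
    return [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]

def build_disk():
    """Constructed raw image: photo A stored contiguously, photo B fragmented."""
    a, b = fake_jpeg(b"A", 3), fake_jpeg(b"B", 4)
    free = b"\x00" * SECTOR
    reused = b"X" * SECTOR                 # sectors that belong to other data
    b0, b1, b2, b3 = split(b)
    disk = b"".join([free, a, b0, b1, reused, reused, b2, b3, free])
    return disk, a, b

def carve(disk: bytes) -> list[bytes]:
    """Header/footer carving: sector-aligned SOI up to the next EOI, no file system used."""
    out = []
    for off in range(0, len(disk), SECTOR):
        if disk.startswith(SOI, off):
            end = disk.find(EOI, off + len(SOI))
            if end != -1:
                out.append(disk[off:end + len(EOI)])
    return out

def recovered_intact(original: bytes, carved: list[bytes]) -> bool:
    """True only if some carved blob is byte-identical to the original file."""
    want = hashlib.sha256(original).digest()
    return any(hashlib.sha256(c).digest() == want for c in carved)

if __name__ == "__main__":
    disk, a, b = build_disk()
    carved = carve(disk)
    print("carved blob sizes:", [len(c) for c in carved])
    print("contiguous photo intact:", recovered_intact(a, carved))
    print("fragmented photo intact:", recovered_intact(b, carved))
```

The carver finds both start markers, but the blob for the fragmented photo also swallows the two foreign sectors in between, so it no longer matches the original.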
 
andreas, System Admin, Commented:
Yes, correct, most recent ransom cryptors turn off the shadow copies and overwrite the originals. But you still may be able to recover some content from former shadow copy files and former regular files that were deleted before the cryptor started its work and couldn't get the file handles to remove/encrypt them.

But I'm not sure if newer cryptor variants also wipe out unused space on the drives; then you will have totally no chance to get back anything.
0
 
Alessandro Scafaria, Infrastructure Premier Field Administrator, Commented:
As experts said, there's no way (at the moment and for most variants of this malware) to recover your files, but please, take a look at this site too:

https://www.decryptcryptolocker.com/

Probably with no luck, if you upload a crypted file of yours, you'll be able to decrypt it (never happened to me personally).....but a chance is a chance!! :-)

Best luck!
0
 
Michael Lake, Founder, Commented:
Are you able to restore shadow copies if enabled?
0
 
John, Business Consultant (Owner), Commented:
I think my answer (40653120) and also Thomas' answer (40653588) have answered this question.
0
 
akb Commented:
Plenty of good advice given which may be useful to others. Please do not delete the question.
0
Question has a verified solution.
