Remove Virus and Restore Encrypted Files

This page aims to help users whose files have been encrypted by the virus. Read on to learn how to remove the virus and how to get back the original files.

If you are lucky (or careful enough) never to have experienced a trojan-ransomware infection such as this, then back up your files now to a safe external drive, just in case. This ransomware can infiltrate a computer by several methods and then proceeds to encrypt all personal files. As the name suggests, it then issues the victim with a ransom demand in return for the key to decrypt the files; if the ransom is not paid, the files are lost. In some cases, security labs produce decryption keys for such malware, but to date there is no key for this one, so it is necessary to get rid of it as soon as possible and try to recover any encrypted files. If the user has not made remote back-ups, there are still some ways that file recovery may be possible, though this depends on the extent of the damage the virus has caused and on whether regular system back-ups have ever been carried out.

It is important to remember that, once established, the trojan-ransomware can also relay any personal information on file in the system back to its command server. The sooner it is detected, the easier it is to delete and the more data can be saved. Unless you have serious detection hardware, you may not realize it is in the system until the encryption is complete, though if it is discovered before it finishes there may be a chance to uninstall it and stop the process, saving some data. Some lesser A/V programs may not detect it, especially if they have not been updated recently. There are some signs to watch for that indicate you may have this or a similar virus in your system: slowed performance; an increase in pop-ups; the system freezing for a second or two; unasked-for browser connections and unsolicited plug-ins being downloaded. If you notice anything like this, disconnect from the internet and any shared connections immediately to disrupt the program's communication (and so its operation).

How the ransomware enters a system

Infection can occur through several different means, all of them avoidable with good security software and diligent operating practice. The most important thing is to stop this ransomware, or anything like it, before it enters your system. The main infection method currently reported for delivering this ransomware is spam e-mail attachments, in the form of a message saying something like an undelivered parcel is waiting for you, etc. (called phishing). Another ploy that many users fall foul of is clicking on pop-ups that look legitimate and offer the latest updates for programs like Java or Adobe Reader; clicking on a bogus alert will drop the virus into your system. Likewise, when downloading freeware, scrutinize the contents carefully, because the aforementioned (legitimate) programs have been bundled with the virus. Visiting some sites of dubious content is hazardous: hacker sites (or legitimate sites and blogs that have been compromised) can run vulnerability-exploiting software to invisibly drop a trojan onto your machine during your visit. Less common, though still a possible entry point, is manual intrusion through a weak network connection or an open RDP (Remote Desktop Protocol) service. If this facility is not used, it should be disabled, or at least secured.


What to do if infected

How quickly this ransomware is detected, and how much free space remains on your hard disk, will determine how successful file recovery is. As the virus is in contact with a server, it is first necessary to disrupt this by severing all connections (do not forget wireless!) both to the internet and to any networks. The infection is linked to system start-up, so avoid repeated re-boots until the system is clean again. Next, check files and folders for extensions that have been changed, and back up your healthy files to an external drive or USB flash drive. If external back-ups are available, then one option is to wipe the hard disk and re-install the files. It is possible to eradicate the ransomware automatically using good software that recognizes this specific threat, or manually if the user is confident (see below for instructions). It is helpful to use another computer (with no connections to the target PC) to download the Microsoft Malicious Software Removal Tool, which can be used to check the system after removal for any remaining hidden virus components. As the infection also establishes browser control, it is essential to go into the browser's settings, ensure that there are no unfamiliar plug-ins left, and reset the settings to default. For recovery of encrypted files on the hard drive, look in Previous Copies, or Shadow Volume Copies. Depending on the extent of the infestation, files may be available here and can be searched for manually by following the Control Panel instructions, or by using the following tools: R-Studio or Photorec, and Shadow Explorer (available from
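The "check files and folders for changed extensions" step above, as an added PowerShell triage script that is not part of the original page. It assumes a Windows profile under C:\Users and that the list of known extensions (an assumption) reflects the document types you normally keep; it only reads files and writes one inventory text file.

```powershell
# Added example (not from the original page): find files under the user profile
# whose extension changed recently, then list the untouched 'healthy' files
# that should be copied to external media before removal work starts.
# Assumptions: Windows PowerShell 3+, profile under C:\Users\<name>,
# and that $KnownExt lists the document types you normally keep.
$Root     = $env:USERPROFILE
$Since    = (Get-Date).AddHours(-24)    # encryption window to inspect (assumed)
$KnownExt = '.docx','.xlsx','.pptx','.pdf','.jpg','.png','.txt','.mp3','.mp4','.zip'

$recent = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
          Where-Object { $_.LastWriteTime -ge $Since }

# Group recently written files by extension. Encryption typically renames every
# victim file to one unfamiliar suffix (or strips the extension), so a spike in
# a single unknown extension is the tell-tale sign the page describes.
$byExt = $recent | Group-Object Extension | Sort-Object Count -Descending
$byExt | Select-Object Count, Name, @{ n = 'Example'; e = { $_.Group[0].FullName } } |
    Format-Table -AutoSize

$suspect = $byExt | Where-Object { $KnownExt -notcontains $_.Name.ToLower() }
if ($suspect) {
    Write-Warning ('{0} recently written files carry unfamiliar extensions: {1}' -f
        ($suspect | Measure-Object Count -Sum).Sum, ($suspect.Name -join ', '))
}

# Inventory of files with a known extension that were NOT touched in the window:
# these are the healthy files to back up to an external drive or USB stick.
$healthy = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
           Where-Object { $_.LastWriteTime -lt $Since -and
                          $KnownExt -contains $_.Extension.ToLower() }
$out = Join-Path $env:USERPROFILE 'Desktop\healthy-files.txt'
if ($healthy) { $healthy.FullName | Set-Content -Path $out }
'{0} healthy files listed in {1}' -f @($healthy).Count, $out
```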

How to Decrypt Encrypted Files

Method 1: Restore your encrypted files by using ShadowExplorer

Usually, the ransomware deletes all shadow copies stored on your computer. Luckily, it is not always able to do so, so your first attempt should be to restore the original files from the shadow copies.

  1. Download ShadowExplorer from this link:
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select the C: drive in the left panel
  4. Choose a date at least a month ago from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file
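The same shadow-copy export done from an elevated PowerShell session, as an added example that is not part of the original page and does not use ShadowExplorer. The encrypted file path and the export folder are placeholders; it assumes the ransomware did not succeed in deleting the snapshots.

```powershell
# Added example (not from the original page): list the Volume Shadow Copies of C:
# and copy the pre-infection version of one encrypted file out of a snapshot
# taken at least a month ago, as the page recommends.
# Assumptions: elevated Windows PowerShell; the paths below are placeholders.
#Requires -RunAsAdministrator
$EncryptedFile = 'C:\Users\Alice\Documents\report.docx'   # placeholder
$ExportDir     = 'E:\recovered'                            # placeholder: external drive
$MinAge        = (Get-Date).AddDays(-30)

# Match the C: volume GUID path to the VolumeName stored on each shadow copy.
$volume = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq 'C:').DeviceID
$snaps  = Get-CimInstance Win32_ShadowCopy |
          Where-Object { $_.VolumeName -eq $volume } |
          Sort-Object InstallDate -Descending

if (-not $snaps) { Write-Warning 'No shadow copies of C: remain; try Method 3.'; return }
$snaps | Format-Table ID, InstallDate, DeviceObject -AutoSize

# Prefer the newest snapshot older than a month; fall back to the oldest one.
$chosen = $snaps | Where-Object { $_.InstallDate -lt $MinAge } | Select-Object -First 1
if (-not $chosen) { $chosen = $snaps | Select-Object -Last 1 }

# Expose the read-only snapshot as a directory symlink (trailing backslash required).
$mount = 'C:\vss_snapshot'
cmd /c mklink /d $mount "$($chosen.DeviceObject)\" | Out-Null

try {
    $relative = $EncryptedFile.Substring(3)            # drop the 'C:\' prefix
    $source   = Join-Path $mount $relative
    if (Test-Path $source) {
        New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
        Copy-Item -Path $source -Destination $ExportDir
        "Restored $relative from the snapshot taken $($chosen.InstallDate)"
    } else {
        Write-Warning "$relative is not present in the snapshot of $($chosen.InstallDate)"
    }
} finally {
    # rmdir on a symlink removes only the link; the snapshot itself is untouched.
    cmd /c rmdir $mount | Out-Null
}
```

To recover a whole folder instead of one file, replace the Copy-Item line with a recursive copy of the corresponding directory under $mount.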

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Next”
  3. Choose a restore point, at least a month ago
  4. Click “Next”
  5. Choose Disk C: (should be selected by default)
  6. Click “Next”. Wait for a few minutes and the restore should be done.

Method 3: Restore your files encrypted by ransomware using File Recovery Software

If none of the above methods work, you should try to recover the encrypted files by using file recovery software. Since the ransomware first makes a copy of the original file, then encrypts the copy and deletes the original, you may be able to restore the original using file recovery software. Here are a few free file recovery programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete

How to Prevent Ransomware

  • Install an advanced package for anti-virus/malware protection and detection with regular updates;
  • Browse safely and responsibly and use Advanced/Custom install options;
  • Keep your browser updated and initiate the tightest security settings;
  • Don’t open dubious files, e-mails or pop-up offers;
  • Secure – or disable – RDP;
  • Secure networks for access only to Authenticated Users;
  • Research Software Restriction Policies. They block executable files from running when located in specific paths (for instructions see the Microsoft website).
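An added PowerShell audit script, not part of the original page, that reads the local Software Restriction Policy configuration from the registry and lists its path rules, so an administrator can confirm which locations are blocked. The registry layout used is the standard SRP one; the drop locations it checks for are this example's own assumption about which user-writable folders a policy should cover.

```powershell
# Added example (not from the original page): list the Software Restriction
# Policy (SRP) default level, enforcement mode and path rules from the registry.
# Read-only; assumes a Windows host where SRP has been configured via policy.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels keyed by the numeric subkey name the registry uses.
$Levels = @{ '0' = 'Disallowed'; '4096' = 'Untrusted'; '65536' = 'Constrained';
             '131072' = 'Basic User'; '262144' = 'Unrestricted' }

if (-not (Test-Path $Base)) {
    Write-Warning 'No Software Restriction Policy is configured on this machine.'
    return
}

$root = Get-ItemProperty -Path $Base
'Default level : {0}' -f $Levels[[string]$root.DefaultLevel]
'Enforcement   : {0}' -f $(switch ($root.TransparentEnabled) {
    0 { 'off' } 1 { 'all files except DLLs' } 2 { 'all files' } default { 'unknown' } })

# Walk each level's Paths container. ItemData is REG_EXPAND_SZ, so read it
# unexpanded to keep rule text such as %AppData%\*.exe readable.
$rules = foreach ($lvl in $Levels.Keys) {
    $pathsKey = Join-Path $Base "$lvl\Paths"
    if (-not (Test-Path $pathsKey)) { continue }
    foreach ($rule in Get-ChildItem -Path $pathsKey) {
        $key = Get-Item -Path $rule.PSPath
        [pscustomobject]@{
            Level       = $Levels[$lvl]
            Path        = $key.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            Description = $key.GetValue('Description', '')
        }
    }
}
$rules | Sort-Object Level, Path | Format-Table -AutoSize

# Assumed check: warn when no Disallowed rule starts with a user-writable
# location commonly used to stage executables (simple prefix match only).
foreach ($loc in '%AppData%', '%LocalAppData%\Temp', '%Temp%') {
    $covered = $rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -like "$loc*" }
    if (-not $covered) { Write-Warning "No Disallowed path rule found for $loc" }
}
```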

It should now be clear that infection by such ransomware is preventable with good online and installation hygiene. That said, being vigilant 100% of the time is difficult, especially as the hackers get more advanced and cunning, so some solid security will give you a safety line if your attention wanders for a second. Perform regular back-ups and tighten up security; don’t give these extortionists one hair of your head!
