That was a question I received in my morning email from a friend.
And the news is not good, because no, I don’t have a solution; there’s just no good way to decrypt files encrypted by ransomware.
Prevention before the fact is the only guaranteed peace of mind on this one.
Encrypted by ransomware
This is a type of malware – a virus – most often referred to as “ransomware“. Hackers encrypt your files and then hold them hostage for ransom.
Unfortunately, the technology they use is good – it’s the same kind of encryption technology you and I have available to us, and the same kind of technology used to keep your data secure and your internet conversations private, should you be so inclined.
It’s called “public key encryption“, and it really is one of the cornerstones of internet security.
A file encrypted using public key cryptography is essentially uncrackable, unless you have the matching private key.
And needless to say, the hackers do it right. It’s essentially impossible to decrypt files encrypted by ransomware without their private key.
Avoid having your files encrypted by ransomware
Hands down, prevention is the best possible cure.
In other words, don’t let your files get encrypted to begin with – and have a safety net if they do.
- Practice internet safety. Avoid malware, phishing schemes, and all the other ways that hackers get ransomware on to your machine.
- Make sure you have appropriate security software installed, running, and up to date.
- Back up regularly.
The first two steps are all about prevention – keeping it from trying to infect your machine at all, or stopping it if it does.
The third, however, is the only 100% reliable recovery method.
Recovering from ransomware
By far, the simplest, fastest, most reliable solution to recovering files encrypted by ransomware is to restore them from a backup taken before the ransomware took hold. You restore the backup image of your entire machine to its state prior to the infection, and it’s as if the ransomware never happened.
Hopefully, once restored, you’ll know not to do whatever it was that caused the infection in the first place.
If you don’t have a complete image backup of your machine, but you do have a backup of your data, recovery is possible, albeit somewhat more work. I recommend that you:
- Take an image backup of the infected machine. This is to preserve a copy of the machine in its current state, in case it becomes necessary and possible to recover something from it in the future.
- Wipe the machine and install Windows from scratch.
- Install your applications from scratch.
- Restore your data.
If you have no backup of your data, things are significantly more dire.
Decrypting files encrypted by ransomware
As I said, there’s no magical solution for decrypting a strongly encrypted file.1
For a time, and for some older versions of ransomware, the decryption keys found by authorities were made available for recovery. Unfortunately, that service appears to have been discontinued, due to the proliferation of increasing numbers of variants on the ransomware technique.
Which leaves the ultimate question: should you pay?
First, let’s be clear: these are criminals you’re thinking of dealing with. There’s no guarantee that they’ll follow through, should you elect to make payment. It could be the equivalent of simply throwing your money away.
Or … it could recover your files.
Only you can decide whether or not to pay criminals the ransom.
My position is: don’t do it. Doing so only encourages their criminal enterprise, and puts even more people at risk of finding their files encrypted by ransomware.
Instead, learn from the experience. Most importantly, start backing up so that this never has to happen to you again.