
68 Comments

  1. Bob Thomas
    May 16, 2017 @ 8:07 am

    Ransomware attacks make storage devices inaccessible, and there is no specific solution suggested yet by experts which can easily troubleshoot this issue. However, if you have Windows data recovery software, then you can easily recover your files from the ransomware-affected hard drives.

    Reply

  2. RM
    October 31, 2016 @ 8:54 pm

    My Win 7 Pro is infected w/ RSA 1024? For some reason, to complete the steps, the admin and administration folders are not there, missing..? All files say crypted. Lost access to the internet to download anything; it's now disconnected and can't be used. What's next? Frustrated

    Reply

  3. nancy
    October 16, 2016 @ 10:18 pm

    And now I tried to restore my stuff and THERE ARE NO PREVIOUS VERSIONS and Shadow Explorer is also coming up empty. FML

    Reply

  4. nancy
    October 16, 2016 @ 9:58 pm

    Ugh, I was doing so good until the part about deleting hidden files. I was able to enable the hidden ones, but where do I go to access my files, so that I can delete the hidden dangers? I have Windows 7. Thanks so much for your help.

    Reply

  5. thota ajay kumar
    October 7, 2016 @ 7:11 am

    My files are encrypted with ransomware and the extensions of my files are changed to a3e1. Windows 7.

    Reply

    • lakonst
      October 7, 2016 @ 8:53 am

      @thota ajay kumar: I think it's a new ransomware and I don't know a method to recover your files. Have you tried to restore your files to previous versions?

      Reply

  6. Staf
    August 16, 2016 @ 8:26 am

    I have been infected with crypt0l0cker and the locked files end with .enc
    Is there any way to decrypt these files?

    Reply

    • lakonst
      August 16, 2016 @ 2:45 pm

      @Staf: I think that this time there is no way to decrypt .enc encrypted files, but give a try with the RakhniDecryptor.

      Reply

  7. sasan
    July 23, 2016 @ 2:10 pm

    Hello,
    my laptop is infected by RSA4096.
    All my data is coded and I cannot open it.
    I have some healthy data in backup on another computer.
    Can I find the key with two files (healthy & damaged)? Do you have software to discover the key and a decrypt program?
    Please email the answer to me.

    Reply

    • lakonst
      July 25, 2016 @ 9:04 am

      @sasan: What ransomware is it? Name? What extension are your files named to?

      Reply

  8. Jaffery
    April 19, 2016 @ 11:22 am

    If your shadow copy is enabled on all your drives... but by default shadow copy is enabled only on local drive C, and on the rest of the drives you need to enable it. In my case I recovered all my crypted files which were on local drive C, but most of my data was on local drive D, which is still not recovered. If anyone can help me it will be great.

    Reply

  9. jim
    April 2, 2016 @ 11:39 pm

    Why are the professional hackers that do good like Anonymous blocking these scum of the earth hackers that are attacking innocent family computers, ie robbing the poor to pay the rich, ie generate millions of dollars for chain stores like Staples etc???

    Reply

  10. jon
    March 23, 2016 @ 10:59 am

    Hello lakonst,
    My formatted disk C/D is no longer encrypted after formatting. I ran Malwarebytes and some other detection software, I think my system is clean. Like what you've mentioned in your msg, my understanding of recovery software is also that it must first be deleted in order to be recovered. The thing is the files on C/D are not important to me, it's the files on F/G (which have not been formatted and are still in an encrypted state) that I desperately need. So, since F/G are still in their encrypted state, is my only option to pay?
    Thank you so much again, you are the only reply I've been getting so far.

    Reply

    • lakonst
      March 23, 2016 @ 12:23 pm

      @Jon: As I know so far: If you have already cleared your system, you will not be able to recover the encrypted files even if you paid the ransom, so unfortunately you have lost your files :(

      Reply

  11. jon
    March 23, 2016 @ 8:58 am

    Thank you so much for a response! I have been spending my time trying to recover F/G, which is where all the important stuff is. I have not run recovery on the formatted C/D as there isn't much besides operating system and programs there to begin with. My situation is that I keep important files on F/G and when I need to use the files, I connect F/G to the computer and start working. I will try EaseUS on F/G now, but so far PhotoRec has only been able to pick up useless files on F/G. I'm not sure of the nature of recovery programs, but FYI, I seldom delete things on F/G. My son's photos for example (which is my main heartbreak in this situation), I would only save to F/G and seldom delete. If there are any other details you need, please let me know. The clock is counting down for me. Like my previously mentioned msg, I'm borderline ready to pay, but having formatted C/D, will this have an effect on the decryption process? Thank you so much!

    Reply

    • lakonst
      March 23, 2016 @ 10:39 am

      @jon: Hello Jon. The data recovery programs only recover missing (deleted-formatted) files, they don't decrypt files. Is your formatted disk also encrypted? If it is encrypted, then probably you won't be able to recover your files. If it is not encrypted, I suggest installing the "Easeus" recovery program on another clean computer. After installation, connect the formatted disk to it and try to recover files.

      Reply

  12. jon
    March 22, 2016 @ 1:30 pm

    Hello, I was hit with rsa 4096 about 2 days ago. Had just formatted my C/D drives and was downloading some programs back onto the computer. Made a mistake of downloading something unfamiliar… and the reason I'm here is because after everything was encrypted, in a rush and not knowing the nature of this malware, I formatted my main disk, and I did it without thinking that my other disk drive may be affected already. So what I have now is a formatted disk drive C and D, and an encrypted disk drive F and G. No files showed with Shadow Explorer, I'm trying different recovery software and it's picking up some old files that I deleted but not the files I need. I'm still trying but at this point I'm ready to pay, and my main concern is can I still decrypt after having formatted the main disk? Thank you all!

    Reply

  13. Jia
    June 14, 2015 @ 10:44 am

    Do you have another recovery system than both of these?
    I tried both of these but they don't work.
    Please help.

    Reply

    • lakonst
      June 14, 2015 @ 12:47 pm

      @Jia: Unfortunately I haven't.

      Reply

  14. Lisa
    May 25, 2015 @ 10:37 am

    This virus or whatever it is, it wants to delete 2000 files that I have got. They include my Sims games which are kind of important to me. My question is: What do I use to delete the Cryptolocker hidden files? I have Windows 8 and it's not written if I can use it on Windows 8.

    Reply

    • lakonst
      May 25, 2015 @ 2:55 pm

      @Lisa: You can use the same instructions for Win8.

      Reply

  15. krisshir
    April 20, 2015 @ 4:31 am

    Hi, I got this malware 2 days ago, I cleaned up my computer but I can decrypt my files. So I decided to transfer my decrypted files to my external hard drive, but while transferring I saw this text file that was named RECOVERY_KEY.TXT. I was wondering what is this? I don't know if this is the key to recover my files? What do you think?

    Here are the things in that text when I click this file:
    1LnZxy5kbLomVQP6v92UYHwPCPcQppWCCa
    03E8C1CDB6A42F8F434F3D158B733031F96C9C9A5247C7D9C0367A56EBFFDE11
    4CDBE7366FFA75CD6AA0FE46766DB18AECA258A84DC7E4A05D9A1FB1D7515F6E014D6D3BC4D004024C14B0E5A103529A44471FB1242C16158A5BC1BBBB680B3C

    what does this mean?

    Reply

    • lakonst
      April 20, 2015 @ 9:27 am

      @krisshir: RECOVERY_KEY.txt is a file created by the TeslaCrypt or by the Cryptowall virus. I don't think that this file contains the key to recover your files and as far as I know (until today) there is no decryption way to get your files back.

      Reply

      • Bernie
        September 21, 2016 @ 4:20 am

        lakonst,
        I saw on McAfee's website, under the "for enterprise" category, then on the top of the page click on "support" link then click on Product Download link…
        Then on that page there is a section for "see all Free Tools"…
        Within this page, there is a decryptor tool called "Tesladecrypt"
        Download this tool, this will remove the crypto version that you are stating that you have, HOWEVER… you will need to still have the message on your screen to get some key information that this decryptor will need or have access to the crypto files on your computer to get the information you need.

        But also there are other decryptor tools on McAfee's website, as well… hope this helps! Let me know how it goes for you?

        Reply

    • jrc
      April 23, 2015 @ 6:37 pm

      krisshir, I had the exact same thing happen on the same day. I also saved the RECOVERY_KEY.TXT file in the hope that it might contain the decryption key. But I already removed the malware — do you know which one it was? Also: lakonst, why do you think this TXT file does not contain the key?

      Reply

      • lakonst
        April 23, 2015 @ 7:44 pm

        @jrc: I'm not sure and I don't know a way to find it out!

        Reply

        • jrc
          April 23, 2015 @ 8:19 pm

          At least one of these ransomware/malware programs has a known bug that causes it to leave the decryption key on the user's computer:

          http://www.pcworld.com/article/2138300/mistake-in-ransomware-program-leaves-decryption-key-accessible.html

          So I thought this might be the same thing. The problem is how to test it, without knowing for certain what encryption was used. But look at that txt file that krisshir posted. If it's like mine, the first line is the bitcoin address for payment, and the rest is in hexadecimal. The last two lines (1 long wrapped line) might be a 1024-bit key?

          Reply

          • lakonst
            April 24, 2015 @ 8:17 am

            Yes it might! But I haven't an example (encrypted file) to test it and I don't know a decrypt tool to test it.

          • jrc
            April 24, 2015 @ 4:03 pm

            lakonst, I could send you all the encrypted file examples you want. So could thousands of other people out there. But first we need to figure out what encryption method this malware used. The "big red box" on my screen said RSA-2048 was used, but that isn't necessarily true.

            If (as you say) the txt file points to TeslaCrypt or CryptoWall, don't they use AES? (I already sent files to FireEye and they said it was not CryptoLocker.)
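
The layout jrc describes for RECOVERY_KEY.TXT (an address-like first line followed by hexadecimal lines) can be checked mechanically before guessing at a key size. The following is an added example, not part of the original comments or of any tool named in them; the function names are hypothetical and the sample input is constructed.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

# Constructed sample with the same layout as the posted file: one address-like
# line, then hex lines of 64 and 128 characters. The address is the well-known
# Bitcoin genesis-block address; the hex values are filler, not real key data.
SAMPLE = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\n" + "AB" * 32 + "\n" + "CD" * 64 + "\n"


def base58check_ok(s):
    """True if s decodes to 25 bytes whose last 4 bytes are a valid checksum."""
    if not s or any(c not in B58 for c in s):
        return False
    num = 0
    for c in s:
        num = num * 58 + B58.index(c)
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    zeros = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a zero byte
    raw = b"\x00" * zeros + body
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def describe_lines(text):
    """Classify each non-empty line and report the size of hex fields in bits."""
    report = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if base58check_ok(line):
            report.append(("base58check", None))
        elif HEX_RE.fullmatch(line) and len(line) % 2 == 0:
            report.append(("hex", len(line) * 4))
        else:
            report.append(("unknown", None))
    return report


def candidate_sizes(report):
    """Bit sizes to test a key-size guess against: each hex line on its own,
    plus the total of all hex lines in case one value was wrapped."""
    sizes = [bits for kind, bits in report if kind == "hex"]
    return sizes + ([sum(sizes)] if len(sizes) > 1 else [])


def size_matches(report, guess_bits):
    """True if any single hex field, or the joined run, is exactly guess_bits."""
    return guess_bits in candidate_sizes(report)


if __name__ == "__main__":
    rep = describe_lines(SAMPLE)
    print(rep)
    print("1024-bit?", size_matches(rep, 1024))
```

In the file as posted in this thread, the two hex lines are 64 and 128 characters long, which `describe_lines` reports as 256 and 512 bits.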

  16. Jennifer
    April 13, 2015 @ 1:35 pm

    Hi! I can't delete the C:\WINDOWS\system32\msctfime.ime. It says to ask permission to TrustedInstaller. What should I do?

    Reply

  17. Victor Julio
    April 8, 2015 @ 10:11 pm

    Hi, today 4/8/2015 I was infected by CryptoLocker. I cleared the malware, but all my files are locked and I can't open them. The first thing I looked at was the date: the virus modified both dates. Somebody help me please.

    Reply

    • lakonst
      April 9, 2015 @ 7:36 am

      @Victor Julio: Using Shadow Explorer, restore the files back. If Shadow Explorer doesn't show other dates, this means that System Restore was disabled on your computer. In that case the only way to get your files back is from a clean backup (if you have one).

      Reply

  18. john
    March 4, 2015 @ 3:18 am

    I have tried both methods and failed. I did use Shadow Explorer but I couldn't get any dates outside the affected date.

    Will formatting the computer completely erase the CryptoWall? I think I will be heading down that path and losing so many photo memories of my kid.

    Reply

  19. Maicon
    February 25, 2015 @ 1:24 am

    This program saved my life: "Shadow Explorer"

    Reply

  20. Taysheona
    February 21, 2015 @ 8:56 pm

    I have Windows 8.1 and I'm having trouble starting my laptop up in safe mode. When I press F8 the boot options don't appear.

    Reply

    • lakonst
      February 22, 2015 @ 2:25 pm

      @Taysheona: To boot Windows 8 to Safe mode:
      – At the login screen: Hold down the SHIFT key while clicking on Power > Restart. Then follow the instructions from here.

      Reply

  21. Taysheona
    February 18, 2015 @ 2:28 am

    Is it the same process on windows 8.1?

    Reply

    • lakonst
      February 18, 2015 @ 10:01 am

      @Taysheona: Yes it is.

      Reply

  22. Francisco
    February 16, 2015 @ 4:30 am

    The mechanism detects the files but does not repair them. Please help, send me a mail. The code is RSA 1024. I have no idea how to fix it, please help.

    Reply

  23. vinesh
    February 4, 2015 @ 3:30 pm

    Hi, I had some files encrypted by ransomware on my common shared folder, but when I try to run Shadow Explorer on the system where the drive is stored it's giving me an error saying Cannot start service from the command line or debugger. A windows Service must first be installed(using installutil.exe) and then started with the ServerExplorer, Windows Services Afministrative tool or the NET START command.

    Reply

    • lakonst
      February 5, 2015 @ 12:41 pm

      @vinesh: Check in Windows services if the "Volume Shadow Copy Service" is started. (Change the Startup type to Automatic & restart the computer.)

      Reply

  24. connie
    January 26, 2015 @ 7:01 am

    Is it safe to back up data to a clean USB while off-line?

    Reply

    • lakonst
      January 27, 2015 @ 10:14 am

      No, it is not! You have to clean your computer first!

      Reply

  25. Jeff
    November 10, 2014 @ 11:06 pm

    Is there a way to get quickbooks through shadow explorer? I thought I had system restore setup but I do not and quickbooks does not have a recent backup. Shadow explorer seems to be working on the files I have attempted, however I do not have the option to use it on here.

    Thanks!

    Reply

  26. sakmsb
    June 18, 2014 @ 9:54 am

    Kaspersky XoristDecryptor — this works for the error message below:– it decrypts and creates new files of all the locked files….

    Your files are locked and encrypted with a
    unique RSA-1024 key!
    To regain access you have to obtain the
    private key (password).
    ++++++++++++++++++++
    To receive your private key (password):
    Go to ht**tp://u5ubeuzasamg54x5f3.onion.to
    and follow the instructions.
    You will receive your private key (password)
    within 24 hours.
    Your ID# is 28403489
    If you can't find the page, install the Tor
    browser (ht**tps://www.torproject.org/
    projects/torbrowser.html.en ) and browse to
    ht**tp://u5ubeuzasamg54x5f3.onion
    ++++++++++++++++++++
    BEWARE – this is NOT a virus.
    The ONLY way to unlock your files/data is
    to obtain your private key (password) or
    you may consider all your data lost.
    You have just 5 days before the private key
    (password) is deleted from our server,
    leaving your data irrevocably broken.
    ++++++++++++++++++++
    LOCKED ON POSSESSION OF COPYRIGHTED
    MATERIAL AND SUSPICION OF
    (CHILD)PORNOGRAPHIC MATERIAL.

    Reply

  27. Thomad
    June 5, 2014 @ 12:59 am

    I always do a regular backup to a DVD ROM this way a virus cannot infect your read-only backup unlike with an external drive.

    Reply

  28. Habib
    May 27, 2014 @ 12:43 pm

    I had Windows 7 when my computer was infected by "cryptolocker". I reinstalled a new Windows 7 and removed the "cryptolocker" by antivirus scanning. But my files remain locked. I have no backup of my files. I tried to follow your orders here but I couldn't get my files back. I installed "ShadowExplorer" but when I choose any drive which has locked files it doesn't show any file or folder. It just shows drive C, which contains only Windows files and folders, while my locked files are in other drives, not in drive C!

    Reply

    • lakonst
      May 27, 2014 @ 3:37 pm

      Unfortunately you cannot restore files from drives where system protection has not been activated.

      Reply

  29. csiegel2014
    April 9, 2014 @ 11:53 am

    I have been unable to delete C:\WINDOWS\system32\msctfime.ime from my Windows XP computer even using the application Unlocker or by trying from a command line after killing explorer.exe. I have administrator rights. I have seen that this file may be part of a Microsoft Application (Microsoft Text Frame Work Service IME). Here is one of the pages that white-lists this file. I have cleaned my computer from Cryptolocker, but this msctfime.ime still exists on the PC. Do I need to delete this file? If so, how, as I have been unsuccessful?

    Reply

    • lakonst
      April 10, 2014 @ 7:33 am

      Hello csiegel, go to https://www.virustotal.com/ & upload/scan this file for risks. If the file is safe no more action is needed. If it is not, then contact me again.

      Reply

  30. resc2013
    March 7, 2014 @ 10:32 pm

    For people using Windows XP: is it possible to upgrade to Windows 7 and then use the ShadowExplorer software and try to recover files?

    Reply

    • cc
      May 27, 2014 @ 6:27 pm

      Hi resc2013. I wouldn't advise "upgrading to Win 7", since MS only allows XP to Vista upgrading (Win 7 requires full OS installation).

      But if you're looking to access the suggested "previous versions" tab on XP there are two things you'll need to know: 1) if it's a standalone XP machine, XP doesn't have support for volume shadow copy/previous versions; 2) if the XP machine is connected to a network server as a shared drive, you (or your IT admin) can set it up to get previous versions.

      Reply

  31. nikhil
    March 5, 2014 @ 10:08 am

    I successfully did all 4 steps but at step 5 I am not able to recover my files. I have Windows 7. Please advise soon.

    Reply

    • lakonst
      March 5, 2014 @ 10:16 am

      I'm afraid that the System Restore feature was disabled on the infected computer so you cannot restore your files back.

      Reply

      • nikhil
        March 5, 2014 @ 10:31 am

        Thank you for your quick reply. I think you are right. But now what do I do with my files (.xlsx, .jpg, …)? How can I get them back?

        Reply

        • lakonst
          March 6, 2014 @ 12:53 pm

          Unfortunately you cannot. It is still not possible to decrypt files encrypted by CryptoLocker without paying the ransom.

          Reply

  32. hromano2013
    February 21, 2014 @ 12:48 pm

    I have xp pro will anything work for it???

    Reply

    • lakonst
      February 23, 2014 @ 11:51 am

      Unfortunately there is no method to restore your files in Windows XP.

      Reply

  33. Peter
    February 20, 2014 @ 1:33 am

    Good info, too bad one of my recent customers had a "little" problem with many different trojan/malware/spyware infections on her laptop, making it impossible to use restore point before cleaning the computer. Also she created one very important document after her machine got infected with cryptolocker, thus making it impossible to look for a clean shadow copy.
    Now that's what you call a bad luck…

    Reply

  34. Fred
    February 19, 2014 @ 3:27 am

    This definitely saved one of my clients' data. Method 1 didn't work, but Method 2 worked like a charm.

    Reply

  35. Suriya Chaitanya Sfc
    January 21, 2014 @ 7:00 pm

    My files are neither restored nor decrypted.
    It's Windows 7.

    Reply

    • lakonst
      January 21, 2014 @ 7:31 pm

      Probably System Restore was disabled on your system.

      Reply

  36. ManojB
    January 5, 2014 @ 6:51 am

    Thanks!
    Good presentation. It was very easy to understand.

    Reply

  37. Drew
    December 27, 2013 @ 9:34 am

    Both methods of Files recovery do not work on Windows 7.

    Reply

  38. e
    December 25, 2013 @ 4:57 am

    after HOURS talking to various microsoft "tech" reps… this site was the only thing that helped and restored files. Microsoft actually told me it was impossible to restore. HA. THANK YOU THANK YOU THANK YOU!!!!

    Reply

  39. cc
    December 20, 2013 @ 2:13 am

    This is the first site that actually gives hope in recovering files encrypted by RansonCrypt.F Thanks!

    Reply
