Restoring encrypted files after CryptoLocker Ransomware infection

 


 

This article shows you how to retrieve the files that were encrypted by the CryptoLocker Ransomware.

For more information about ransomware, refer to our Threat Encyclopedia: Ransomware.


OPTION 1: Restore from Backup
Identify the files on your computer that were encrypted. Once identified, segregate and delete the files. Then copy and paste the files from your backup device to your computer.

OPTION 2: Restore from Shadow Copy
Recover a deleted file or folder
  1. Open the directory where the file is located.
  2. Right-click in the directory, then select Properties.
  3. The Properties window will appear. Click the Previous Versions tab.
  4. A list of available snapshots for the file or folder will appear. Select the snapshot with the last known good copy of your file or directory, then click View.
  5. A new window displaying the content of the snapshot will appear.
  6. Locate the file or folder that you wish to restore.
  7. Do either of the following:
    • Open the file and save it to the correct location.
    • If you have multiple files or a folder, drag the files or folders to their correct locations.
Restore a Previous Version of the File (or Folder)
Restoring the file will overwrite the current copy. Any data saved in the current copy will be overwritten with the older file.

 

  1. Locate the directory where the file is stored.
  2. Right-click the file, then select Properties.
  3. Click the Previous Versions tab when the Properties window opens.
    If you don't see the Previous Versions tab, you need to install the client.
    You can speak with your support team to get the correct client installed.
  4. A list of available snapshots for the file will appear.
  5. Select the snapshot that represents the last known good version of the file.
  6. Click View and verify if it is the correct version of the file.
  7. Once you find the correct file, do any of the following:
    • View: View the recovered file directly and then save it by clicking File > Save As.
    • Copy: Create a copy of the recovered file in the same directory as the original file. You will now have both copies available.
    • Restore: This will restore the recovered file and will replace the current file.
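
The Previous Versions steps above can also be run from an elevated PowerShell prompt. The script below is an added example, not part of the original article: it lists the shadow copies of a volume, newest first, and copies each snapshot's version of one file into a recovery folder so you can compare them and pick the last known good copy. The volume, file path, recovery folder and link path are hypothetical placeholders.

```powershell
# Added example: scripted equivalent of the Previous Versions "Copy" option.
# Run from an elevated PowerShell prompt. The four values below are
# hypothetical placeholders; set them for the file you want to recover.
$Volume       = 'C:\'
$RelativePath = 'Users\Public\Documents\report.docx'
$Destination  = 'C:\Recovered'
$Link         = 'C:\vss_view'          # temporary link to one snapshot

# Win32_ShadowCopy.VolumeName holds the volume GUID path, so look it up first.
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $Volume }
if (-not $vol) { throw "Volume $Volume not found." }
$snapshots = @(Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate -Descending)
if ($snapshots.Count -eq 0) { throw "No shadow copies exist for $Volume." }
if (Test-Path $Link) { throw "$Link already exists; choose another link path." }

New-Item -ItemType Directory -Path $Destination -Force | Out-Null

foreach ($snap in $snapshots) {
    # Expose the snapshot as a directory link (the trailing backslash is required).
    $target = $snap.DeviceObject + '\'
    cmd /c mklink /d $Link $target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed; is this prompt elevated?" }
    try {
        $source = Join-Path $Link $RelativePath
        if (Test-Path -LiteralPath $source) {
            $item  = Get-Item -LiteralPath $source
            $stamp = $snap.InstallDate.ToString('yyyyMMdd-HHmmss')
            $name  = '{0}.{1}{2}' -f $item.BaseName, $stamp, $item.Extension
            # Copy out under a new name; the current file is never overwritten.
            Copy-Item -LiteralPath $source -Destination (Join-Path $Destination $name)
            '{0}  {1,10} bytes  -> {2}' -f $snap.InstallDate, $item.Length, $name
        } else {
            '{0}  file not present in this snapshot' -f $snap.InstallDate
        }
    } finally {
        # rmdir removes only the link, not the snapshot contents.
        cmd /c rmdir $Link
    }
}
```

Open the copies in the recovery folder to verify which one is the correct version before replacing the current file.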

OPTION 3: Perform a System Restore
Perform a System Restore from a previous clean state. Check these Microsoft articles for instructions:

Applies To: Antivirus+ Security - 2015; Antivirus+ Security - 2016; Antivirus+ Security - 2017; Internet Security - 2015; Internet Security - 2016; Internet Security - 2017; Maximum Security - 2015; Maximum Security - 2016; Maximum Security - 2017; Premium Security - 2015; Premium Security - 2016; Premium Security - 2017; Titanium AntiVirus + - All; Titanium Internet Security - All; Titanium Internet Security for Dell - All; Titanium Maximum Security - All; Titanium Maximum Security Premium Edition - All; Titanium Premium Security - All

Last Updated: May. 16, 2017 11:49 PM (PST)
Solution ID: 1099221