How to Save Ransomware Encrypted Files for Decryption - Security Boulevard


When ransomware strikes and restoring from backups is not an option, a victim often feels that paying the ransom is the only option. Often, victims realize that they can indeed live without the data that has been encrypted, and are able to wait for a potential free decryption solution to be published. Given how unpredictable the release of free decryptor tools is, how should ransomware victims plan their recovery? What can they do to increase their chances of a full recovery?

Six Free Decryptor Tools Released in 2019

While sensationalist headlines about the growth and threat of ransomware pervade, 2019 has also been a productive year for the release of free decryption tools. In the past four months, six new decryptor tools have been released, highlighted by Bitdefender’s release of a free decryption tool for GandCrab v5.1, which has helped thousands of GandCrab victims recover their data. Other tools for older ransomware variants have helped decrypt the data of victims patient enough to wait. Only Bitdefender’s tool addressed a very active and virulent type of ransomware, but the other decryptors highlight the persistence of the security research community in breaking older strains of ransomware. These ransomware strains have not been in active circulation for some time, but patient victims who properly archived their encrypted data are now able to make full recoveries.

Recently released decryptors include:


Aurora Ransomware: Michael Gillespie released a free decryption tool on January 4th.

FilesLocker Ransomware: Michael Gillespie released a free decryption tool on January 2nd.

GandCrab v5.1: Bitdefender released a free decryption tool on February 19th.

BigBossRoss Ransomware: Avast released a free decryption tool on March 10th.

HKCrypt/Hacked Ransomware: Emsisoft released a free decryption tool on March 25th.

Planetary/Mira Ransomware: Emsisoft released a free decryption tool on March 25th.

How To Safely Store Ransomware Encrypted Files

Files that have been encrypted by ransomware, along with the ransom notes that accompany them, should be segmented off of your primary network or machines. We recommend the following steps:

Move Encrypted Files to New Storage

Move or copy all encrypted files along with the ransom notes to a high capacity external drive. If you only have a USB, make sure to reformat it and remove all other data. It is very important to properly segregate and store your encrypted files. If the files are stored on an active drive/USB they could easily be moved, modified, or corrupted. Preserving them in their encrypted state is important if you hope to decrypt them in the future.

Replicate Encrypted Files to a Cloud Backup

If possible, save a copy of the encrypted data to the cloud, just in case your external drive is lost/damaged. Disconnect the external drive/USB and store it someplace safe. Do not use it for any other purpose. The files must not be modified. Carefully label both the external drive/USB and your cloud folder and ensure they are saved in locations where they can be found later.

Clean Infected Machines

Wipe and reformat any machine where ransomware encrypted files were present. While this may seem laborious, you should be extremely cautious using any machine that has experienced ransomware encryption and NOT been completely rebuilt. It is also important to recognize that just because the encrypted files have been removed, that does not mean the malware has been removed from your computer/network. In fact, victims of ransomware attacks should be equally if not MORE concerned with the security vulnerabilities that allowed the ransomware to get there in the first place. Exploit kits such as Trickbot and Emotet can be much more difficult to locate and remove than a ransomware executable. Fully re-formatting every affected machine is a recommended best practice.

Be Patient

It may take some time, but properly archiving your encrypted files will hopefully result in them being restored for free at a later date.
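A sketch of the archive steps above (an added example, not from the original article): it copies the encrypted files and ransom notes to the external drive, confirms each copy is byte-identical, marks it read-only, and writes a SHA-256 manifest so the drive and the cloud replica can be checked later. The manifest name, function names and command-line usage are assumptions of this example.

```python
import hashlib
import shutil
import sys
from pathlib import Path

MANIFEST = "MANIFEST.sha256"  # assumed file name; format matches `sha256sum -c`


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so large encrypted files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive(source: Path, dest: Path) -> dict:
    """Copy encrypted files and ransom notes to dest, confirm each copy is
    byte-identical, mark it read-only, and record its SHA-256 in a manifest."""
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        dst = dest / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 also keeps the original timestamps
        digest = sha256_file(dst)
        if digest != sha256_file(src):
            raise OSError(f"copy of {rel} differs from the original")
        dst.chmod(0o400)  # read-only: the archive is write-once, never edited
        manifest[rel.as_posix()] = digest
    lines = [f"{h}  {name}\n" for name, h in manifest.items()]
    (dest / MANIFEST).write_text("".join(lines), encoding="utf-8")
    return manifest


def verify(dest: Path) -> list:
    """Return archived files that are missing or no longer match the manifest."""
    problems = []
    for line in (dest / MANIFEST).read_text(encoding="utf-8").splitlines():
        expected, name = line.split("  ", 1)
        path = dest / name
        if not path.is_file() or sha256_file(path) != expected:
            problems.append(name)
    return problems


if __name__ == "__main__":  # usage: python archive_encrypted.py SRC DEST
    print(len(archive(Path(sys.argv[1]), Path(sys.argv[2]))), "files archived")
```

Run `verify()` against both the external drive and a downloaded copy of the cloud folder before trying a newly released decryptor; an empty list means nothing has changed since archiving.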

How Long Will it Take for a Decryptor to be Published?


It is almost impossible to predict the timing of any decryptor tool’s release, but victims of ransomware should take some comfort in a few facts. First, law enforcement and the IT security industry are working 24/7 to identify the perpetrators of these crimes. It is common for law enforcement to seize servers, laptops and other evidence that can lead to a breakthrough. These seizures can often uncover master keys to a given type of ransomware, or enough evidence to significantly help the development of a public decryption tool. Also, there is an active global network of security researchers who work on these problems. These researchers are aided by victims who submit samples, peer security firms, and law enforcement in collecting the necessary resources to build new decryption tools. The lesson is that if you can afford to wait, you should.

When it comes to ransomware, patience pays when you don’t pay!

Any victim of ransomware is welcome to submit their email contact information to Coveware. When a new decryption tool is published, we will contact prior victims to alert them to the free tool. You can also review sites like our partners at No More Ransom to scroll through a catalog of free decryptors.

*** This is a Security Bloggers Network syndicated blog from Blog | Latest Ransomware News and Trends | Coveware authored by Bill Siegel. Read the original post at:
