How to Save Ransomware Encrypted Files for Decryption

When ransomware strikes and restoring from backups is not an option, a victim often feels that paying the ransom is the only option. Often, victims realize that they can indeed live without the data that has been encrypted, and are able to wait for a potential free decryption solution to be published. Given how unpredictable the release of free decryptor tools is, how should ransomware victims plan their recovery? What can they do to increase their chances of a full recovery?

Six Free Decryptor Tools Released in 2019

While sensationalist headlines about the growth and threat of ransomware pervade, 2019 has also been a productive year for the release of free decryption tools. In the past four months, six new decryptor tools have been released, highlighted by Bitdefender’s release of a free decryption tool for GandCrab v5.1 which has helped thousands of GandCrab victims recover their data. Other tools for older ransomware variants have helped decrypt data of victims patient enough to wait. Only Bitdefender’s addressed a very active and virulent type of ransomware, but the other decryptors highlight the persistence of the security research community to break older strains of ransomware. These ransomware strains have not been in active circulation for some time, but patient victims that properly archived their encrypted data are now able to make full recoveries

Recently release decryptors include:

FilesLocker Ransomware: Michael Gillespie released a free decryption tool on January 2nd.

Aurora Ransomware: Michael Gillespie released a free decryption tool on January 4th.  

Stop Ransomware / DJVU: Michael Gillespie released a free decryption tool on January 16th.  

GandGrab v5.1: Bitdefender released a free decryption tool on February 19th

BigBossRoss Ransomware: Avast released a free decryption tool on March 10th

HKCrypt/Hacked Ransomware: Emsisoft released a free decryption tool on March 25th

PewCrypt Ransomware: Emsisoft released a free decryption tool on March 19th

Aurora Ransomware (same variants): Emsisoft released a free decryption tool on April 1st.

Planetary/Mira Ransomware: Emsisoft released a free decryption tool on April 4th

CryptoPokemon Ransomware: Emsisoft released a free decryption tool on April 11th (with supporting credit to Intezer and Michael Gillespie)

How To Safely Store Ransomware Encrypted Files

Files that have been encrypted by ransomware, along with the ransom notes that accompany them should be segmented off of your primary network or machines. We recommend the following steps:

Move Encrypted Files to New Storage

Move or copy all encrypted files along with the ransom notes to a high capacity external drive. If you only have a USB, make sure to reformat it and remove all other data. It is very important to properly segregate and store your encrypted files. If the files are stored on an active drive/USB they could easily be moved, modified, or corrupted. Preserving them in their encrypted state is important if you hope to decrypt them in the future.

Replicate Encrypted Files to a Cloud Backup

If possible, save a copy of the encrypted data to the cloud, just in case your external drive is lost/damaged. Disconnect the external drive/USB and store it someplace safe. Do not use it for any other purpose. The files must not be modified. Carefully label both the external drive/USB and your cloud folder and ensure they are saved in locations where they can be found later.

Clean Infected Machines

Wipe and reformat any machine where ransomware encrypted files were present. While this may seem laborious, you should be extremely cautious using any machine that has experienced ransomware encryption and NOT been completely rebuilt. It is also important to recognize that just because the encrypted files have been removed, that does not mean the malware has been removed from your computer/network. In fact, victims of ransomware attacks should be equally if not MORE concerned with the security vulnerabilities that allowed the ransomware to get there in the first place. Exploit kits such as Trickbot and Emotet can be much more difficult to locate and remove than a ransomware executable. Fully re-formatting every affected machine is a recommended best practice.

Be Patient

It may take some time, but properly archiving your encrypted files will hopefully result in them being restored for free at a later date 

How Long Will it Take for a Decryptor to be Published?

It is almost impossible to predict the timing of any decryptor tool’s release, but victims of ransomware should take some comfort in a few facts. First, law enforcement and the IT security industry are working 24/7 to identify the perpetrators of these crimes. It is common for law enforcement to seize servers, laptops and other evidence that can lead to a break through. These seizures can often uncover master keys to a given type of ransomware, or enough evidence to significantly help the development of a public decryption tool. Also, there is an active global network of security researchers that work on these problems. These researchers are aided by victims who submit samples, peer security firms, and law enforcement in collecting the necessary resources to build new decryption tools. The lesson is that if you can afford to wait, you should.

When it comes to ransomware, patience pays when you don’t pay!

Any victim of ransomware is welcome to submit their email contact information to Coveware. When a new decryption tool is published, we will contact prior victims to alert them to the free tool. You can also review sites like our partners at No More Ransom, to scroll through a catalog of free decryptors.