How to Decrypt and Recover Ransomware Encrypted Files

Posted by @Cody

July 21, 2017

If your computer is infected with ransomware WannaCry, don’t cry or pay the ransom because you can recover ransomware encrypted files.

Ransomware WannaCry has infected more than 200,000 PCs in 150 countries. Many variations have been detected and they are more advanced than the original version. If unfortunately, your files have been encrypted by ransomware, paying the ransom is not the only option because there are 4 methods that you can recover ransomware encrypted files.

Method 1: Use ransomware decrypt tool

Many computers infected with ransomware WannaCry (also called WannaCrypt, WannaDecrypt) has successfully unlocked encrypted files without paying a dime. If you have reboot your computer since the day you got hit by the ransomware.

As you probably know, Windows applications generated keys for encrypting and decrypting files will be stored in computer memory. The keys to decrypt virus WannaCry encrypted files are also saved there. Therefore, you can decrypt virus locked files as long as the memory location that saved the keys has not been overwritten.

Decrypt Files

You can just download the free ransomware decrypt tool called wanakiwi, which was released recently, and start to decrypt virus encrypted files. It has been tested in Windows XP and 7, and 2003, Vista, and Server 2008(R2).

Method 2: Recover from shadow copies

By default, Windows has enabled system protection and it will create restore points in Windows 7 when need be. Windows will create a volume backup containing shadow copies when it takes a restore point. It actually creates many shadow copies and you just don’t aware of them. Therefore, you recover encrypted file through shadow copies.

You can download a free tool, Shadow Explorer to make the steps easier.

To recover files encrypted by ransomware:

1.      In the main interface of Shadow Explorer, select the volume and date to restore the files. In my case, I choose D: drive. To my surprise, I have 46 shadow copies of D: drive.

Select Time

2.      All the files in that time being are listed. Then you can right click on the file you want to recover and select Export.


3.      Select a location to receive the file and then click OK. Then the file will be restored.

Select Location

Method 3: restore from the previous backup

If you have created a system backup including personal files, you can easily restore your files back and remove the virus. Therefore, having a right backup strategy is the best defense against ransomware. In Windows 10/87, Windows always reminds you to Backup your files.

You can navigate to Control Panel\System and Security\Backup and Restore. In the Backup and Restore screen, click Restore my files and follow the wizard to restore your files.

Restore My Files

Method 4: recover files with data recovery software

If the previous 3 methods will not work, there is still hope to recover files from ransomware. WannaCry first saved the original files into ram, deleted the original files, and then created the encrypted files. Therefore, data recovery tools can recover your original files from the hard drive.

You can download a file undelete or data recovery tool like Disk Drill.

Backup encrypted files

If you worry about the ransomware virus delete your encrypted files before you can recover it, you can create a backup to prevent it. If you did not remove the ransomware virus, then you should perform an offline backup (boot from bootable media to backup) to exclude the virus in the backup.

Anyway, the ransomware may not be gone in a short time. If the ransomware concerns you, you should start backing up your valuable data right now. If you are not familiar with Windows Backup and Restore, then you can choose another backup tool which is much easier to understand.

A special version AOMEI Backupper Free for ransomware WannaCry may be just suitable for you. With only a few clicks, you can create a system backup or file backup.

Which to Start with

It allows you to specify the backup source and backup target location on the same screen. Then you can start the backup.

Select Files to Backup

In conclusion, if your files are encrypted by ransomware, paying the ransom is your last option. You can give these 4 methods a try. New decryption tools are probably on its way to being tested and verified.