How to Remove Ransomware and Recover Data: Tips and Methods for 2022

Detailed instructions for removing common ransomware viruses. How to Recover Data Using Infected File Decryption Tools.

Once a Ransomware/Trojan gets into your system, it’s too late to try to save unsaved data. Surprisingly, many cybercriminals don’t relinquish their obligations after paying the ransom and actually recover your files. Of course, no one will give you guarantees. There is always a chance that an attacker will take the money, leaving you alone with the locked files.

You can also read: Best Antivirus for Windows 11

However, if you encounter a ransomware infection, don’t panic. And don’t even think about paying the ransom. Keeping calm and relaxed, follow these steps:

1. Run an Antivirus to Remove the Trojan

Removing the infection in Safe Mode without network drivers is highly recommended. There is a possibility that the ransomware may have broken into your network connection.

Here is a list you can use:
Best Antivirus for Windows 11
Best Antivirus for Mac: Best Options in 2021

Removing the malware is an essential step in solving the problem. Not every antivirus program will be able to cope with the cleanup. Some products are not designed to remove this type of threat. Check whether your antivirus supports this feature on the official website or by contacting a technical support specialist.

The main problem is that the files remain encrypted after the malware infection is completely removed. However, this step will at least save you from the virus that performs encryption, which will protect the re-encryption of objects.

Attempting to decrypt files without removing the active threat usually results in re-encryption. In this case, you can access the files even if you have paid a ransom for the decryption tool.

2. Try to Decrypt Files with Free Utilities

Again, it would be best if you did everything possible to avoid paying the ransom. The next step will be to apply free tools to decrypt files. Note that there is no guarantee of a working decryption tool for your instance of ransomware. Your computer may have been infected with malware that has not yet been compromised.

Kaspersky Lab, Avast, Bitdefender, Emsisoft, and several other vendors maintain the No More Ransom! website, where anyone can download and install free decryption tools.

Initially, using the Crypto Sheriff tool is recommended, which allows you to determine your type of ransomware and check if a decryptor exists for it. Here’s how it works:

• Select and download the two encrypted files from your computer.
• Specify the e-mail address on the site, which is displayed in the information message with the demand for redemption.
• If you don’t know your email address, download a .txt or .html file containing your ransomware notes.

Crypto Sheriff will process this information using its database and determine if there is a ready-made solution. If the tools are not detected, do not despair. Some decryptors may still work, although you’ll have to download and test all the available tools. It’s a slow and time-consuming process, but it’s cheaper than paying a ransom to intruders.

Decryption tools

The following decryption tools can decrypt your files. Click the link (pdf or instruction) for more information on which ransomware the tool works with:

• BDAvaddonDecryptor Avaddon Decryptor (instructions) (updated 17-05-2021)
• BDAvaddonDecryptor Avaddon Decryptor (instructions) (updated 19-02-2021)
• FONIX Decryptor (instruction) (updated 09-02-2021)
• Ziggy Decryptor (instructions) (updated 09-02-2021)
• ThunderX Decryptor (manual) (updated 24-09-2020)
• Cyborg Decryptor (instruction) (updated 18-09-2020)
• Crypt32 Decryptor (instructions) (updated 18-09-2020)
• Checkmail7 Decryptor (instructions) (updated 13-08-2020)
• SpartCrypt Decryptor (instruction) (updated 21-07-2020)
• CryDecryptor Decryptor (instruction) (updated 21-07-2020)
• Zorab Decryptor (instructions) (updated 10-06-2020)
• Professeur Decryptor (instruction) (updated 10-06-2020)
• RedRum Decryptor (instruction) (updated 10-06-2020)
• ElvisPresley Decryptor (instructions) (updated 10-06-2020)
• VCRYPTOR Decryptor (instruction) (updated 28-05-2020)
• Mapo Decryptor (manual) (updated 28-05-2020)
• JavaLocker Decryptor (instruction) (updated 28-05-2020)
• Jigsaw Decryptor (Emsisoft), DragonCyber Ransom decryption and .fun, .game and .zemblax files (instructions) (updated 28-05-2020)
• GoGoogle Decryptor (Bitdefender) (instructions) (updated 06-05-2020)
• GoGoogle Decryptor (Bitdefender) (instructions) (updated 06-05-2020)
• KokoKrypt Decryptor (Emsisoft) (manual) (updated 05-05-2020)
• Bigbobross fix Decryptor (Avast) (instructions) (updated 21-04-2020)
• BigBobRoss Decryptor (Emsisoft) (instruction) (updated 21-04-2020)
• Ransomwared Decryptor (instruction) (updated 20-04-2020)
• Mapo Decryptor (manual) (updated 21-02-2020)
• Ransomwared Decryptor (instruction) (updated 08-02-2020)
• Chernolocker Decryptor (instruction) (updated 15-01-2020)
• TurkStatic Decryptor (instruction) (updated 26-11-2019)
• Hakbit Decryptor (instruction) (updated 22-11-2019)
• Nemty Decryptor (instructions) (updated 04-11-2019)
• Paradise Decryptor (instructions) (updated 04-11-2019)
• Puma Decryptor (instruction) (updated 23-10-2019)
• hildacrypt Decryptor (instructions) (updated 14-10-2019)
• muhstik Decryptor (instruction) (updated 14-10-2019)
• GalactiCryper Decryptor (instructions) (updated 04-10-2019)
• Rakhni Decryptor (instruction)
• Avest Decryptor (manual) (updated 30-09-2019)
• WannaCryFake (instruction) (updated 26-09-2019)
• Syrk Decryptor (manual) (updated 28-08-2019)
• JS WORM 4.0 Decryptor (instruction) (updated 12-08-2019)
• Iams00rry Ransom Decryptor (manual) (updated 26-07-2019)
• Loocipher Ransom Decryptor (instruction) (updated 26-07-2019)
• Mira Ransom Decryptor (instructions) (updated 26-07-2019)
• ZeroFucks Ransom Decryptor (instructions) (updated 26-07-2019)
• GetCrypt Ransom Decryptor (instructions) (updated 23-05-2019)
• JS WORM 2.0 Decryptor (instructions) (updated 21-05-2019)
• MegaLocker Decryptor (instruction) (updated 06-05-2019)
• ZQ Decryptor (manual) (updated 03-05-2019)
• Planetary Decryptor (instruction) (updated 29-04-2019)
• Pewcrypt Decryptor (instructions) (updated 29-04-2019)
• HKCrypt Decryptor (instruction) (updated 29-04-2019)
• AuroraDecryptor Decryptor (Emsisoft) (instructions) (updated 29-04-2019)
• AuroraDecryptor Decryptor (Bleeping Computer) (instruction) (updated 29-04-2019)
• Bigbobross fix Decryptor (instructions) (updated 12-03-2019)
• GandCrab Ransom Decryptor (V1, V4 and V5 up to version V5.2) (instruction) (updated 19-02-2019)
• pylocky_decryptor Decryptor by CISCO (instruction) (added 22-01-2019)
• Annabelle Ransom Decryptor (manual) (added 28-02-2018)
• LambdaLocker Ransom Decryptor (instructions) (added 16-08-2017)
• NemucodAES Decryptor (manual) (added 13-07-2017)
• MacRansom Decryptor (instruction) (added 23-06-2017)
• EncrypTile Decryptor (manual) (added 21-06-2017)
• Merry X-Mas Decryptor (or this tool))
• HiddenTear Decryptor (pdf)
• MRCR Decryptor (pdf)
• Chimera Decryptor (instruction)
• ShadeDecryptor (pdf)
• TM Ransomware File Decryptor (manual)
• Rannoh Decryptor (manual)
• BarRax Decryptor (pdf)
• Noobcrypt Decryptor (pdf)
• Globe3 Decryptor (pdf)
• Teslacrypt Decryptor (instruction manual) or this tool (pdf)
• NMoreira Decryptor (pdf)
• Cry9 Decryptor (pdf)
• Alcatraz Decryptor (pdf)
• Popcorn Decryptor (pdf)
• Derialock Decryptor (pdf)
• Shade Decryptor (or this tool) (pdf)
• Globe Decryptor (pdf)
• Damage Decryptor (pdf)
• Bart Decryptor (or this tool))
• Marlboro Decryptor (pdf)
• PHP Ransomware Decryptor (pdf)
• CoinVault (instruction)
• Globe2 Decryptor (pdf)
• Crypton Decryptor (pdf)
• Crypt888 Decryptor (pdf)
• Globelmposter Decryptor (pdf)
• WildFire Decryptor (instructions) or this tool (pdf)
• Jigsaw Decryptor (pdf)
• FenixLocker Decryptor (pdf)
• Philadelphia Decryptor (pdf)
• Stampado Decryptor (pdf)
• Xorist Decryptor (pdf)
• Nemucod Decryptor (pdf)
• Gomasom Decryptor (pdf)
• Linux.Encoder 1 Decryptor (pdf) and Linux.Encoder 3 Decryptor (pdf)
• Cryptomix Decryptor (or this tool))
• Ozazalocker Decryptor (pdf)

The number of available decryptors may change over time. We will regularly update the information by checking the No More Ransom website!

It’s easy to run the file decryption tool. Many utilities come with official instructions (mainly solutions from Emsisoft, Kaspersky Lab, Check Point, or Trend Micro). Each process may be slightly different, so it is recommended that you read the user manual beforehand.

Let’s consider the process of recovering files encrypted by the Philadelphia ransomware Trojan:

• Select one of the encrypted files in the system and the file that has not yet been encrypted—place both files in a separate folder on your computer.
• Download the Philadelphia decryption tool and move it to the folder with our files.
• Select both files and drag them to the decryptor executable file icon. The tool will start searching for the correct keys to decrypt.

• This process can take a decent amount of time, depending on the complexity of the threat.

• When you are finished, you will receive a decryption key to restore access to all locked file encryptors.

• Then you need to accept the license agreement and choose the decryption options. You can change the location of objects and optionally save encrypted versions.
• Eventually, you will see a message that the files were successfully recovered.

Again, this process will not work if there is no decryptor for your particular instance of ransomware. Since many users prefer to pay a ransom rather than look for alternative ways to solve it, cybercriminals actively use the problem, even hacked ransomware.

If there is a Backup: Clean the System and Restore the Backup

Steps 1 and 2 will only work when used together. If they don’t help, use the following guidelines:

Hopefully, you have a working backup of your data. In this case, you should not even consider paying the ransom – this can lead to more severe consequences than damage from the primary infection.

You can use this guide: How to Backup and Restore with Paragon Hard Disk Manager 25 Anniversary LE: FREE License Included

By yourself or delegating the task to your system administrator, perform a complete system reset and restore your files from a backup. Encryption protection is an important reason to use file backup and restore tools.

Windows users can use a complete system factory reset. Recommendations for recovering files encrypted by Trojans are available on the official Microsoft website.