Ransomware - Can encrypted files be restored?

Today I came across a co-workers PC that has its docs and pictures encrypted by malware. Once the deed has been done is it possible to recover the files? This is a Windows 7 Home machine. Also I believe the MBR may have been overwritten.

 

Thanks for the reply. Some backups were made on an external usb drive but not all. Lesson to be learned here.

 

Hi jdd58

Is this co-workers PC a work one, or their own at home ? If it's a work one then the IT etc dept should be dealing with it. If it's actually their own home one, then as ronjor mentions i'm afraid at the moment it's probably not possible.

As Securelist suggests you don't use it, but it's their call, you could try this.

I would disconnect the HD and connect it to another comp, and try to retrieve as much stuff as possible over to the other comp. And then go about properly securing that and ALL future comps, and put the whole thing down as a major learning exercise.

 

It is a personal laptop, not a company pc that was hijacked. It will boot to windows normally. Not sure now if the the mbr is corrupted but I am unable to restore the pc to the original state through the restore partition. The partition is visible in the disk management console but it has no name or assigned drive letter. The only option available when I right click on the partition is to delete the partition, all other options are grayed out. I'm not sure how to restore access to this partition.

 

Would a bootable Partition Management program like the Partition Wizard bootable CD or GParted in one of the Linux Distros be able to do anything to correct your problem?

 

Maybe try booting and running a scan with the Dr.Web LiveCd. I have seen feedback from others that Dr.Web is good at dealing with MBR infections, such as Rootkits.

https://www.wilderssecurity.com/showthread.php?t=293795

 

Scanned with SAS portable, found 9 trojans. Then Norton Power eraser and did rootkit scan, clean. Dr. Web CureIt, clean. Kaspersky tdss killer, clean. Malware Bytes, clean.

I think the infection has been dealt with. I am just unsure how the Toshiba restore partition works. Do I have to create restore DVDs or will it restore directly from the hard drive recovery partition? So far I only see an option to feed it DVDs and no recovery options from the hard drive.

 

How to recover a Toshiba notebook with the HDD recovery procedure:

http://aps2.toshiba-tro.de/kb0/HTD9102IR0000R01.htm#

How to use the Toshiba HDD Recovery Utility:

http://aps2.toshiba-tro.de/kb0/HTD7C02140000R01.htm

 

OK, I had been using a Win 7 repair cd to boot from. I would get to the option "Toshiba HDD Recovery" where it only gave me the option to feed it DVDs.

Using the F8 key at bootup allowed me to log in and recover from the recovery partition.

Thanks for your help. The PC is restoring as I type this.

 

Probably the best I've seen so far, it's a real life saver. If it was as fast as Hitman this would be nice.

I've cleaned 3 laptops this week, and only one had to be restored.