Your files have been encrypted, what to do?

One of the most troublesome kinds of malicious program today is the Trojan (or virus, as it is often called) that encrypts the files on a user's disk. Some of those files can be decrypted and some cannot yet. This guide describes a course of action for both situations, ways to identify the specific ransomware family with the No More Ransom and ID Ransomware services, and a brief overview of software that protects against encrypting viruses (ransomware).

There are many variants of this kind of virus or ransomware Trojan (and new ones appear constantly), but the general pattern is the same: once it runs on your computer, your documents, images and other potentially important files are encrypted. Typically the Trojan writes an encrypted copy under a new extension and deletes the original, then leaves a readme.txt stating that all your files have been encrypted and that you must send a certain sum to the attacker to get them decrypted. Note: Windows 10 Fall Creators Update (version 1709) has built-in protection against encrypting viruses, Controlled Folder Access in Windows Defender.

What to do if all important data is encrypted

First of all, some general information for those who have found important files on their computer encrypted. If important data on your computer has been encrypted, the first thing to do is not to panic.

If you can, copy from the disk of the infected computer a copy of the attacker's ransom demand plus a sample encrypted file onto an external drive (USB stick); then, if possible, turn the computer off so that the virus cannot encrypt any more data, and carry out the remaining steps on another computer.

The next step is to use the encrypted files you have to find out which virus encrypted your data: for some there are decryptors (I point out a few here, others are listed closer to the end of the article), for others there are none yet. Either way, you can send samples of encrypted files to antivirus labs (Kaspersky, Dr.Web) for analysis.

How exactly do you find out? Search the web for discussions of the extension your encrypted files were given, or look up the encryptor by that extension directly. Services that identify the ransomware family for you have also started to appear.

No More Ransom

No More Ransom is an actively developing resource, supported by security developers and available in a Russian version, intended to combat encryption viruses (ransomware Trojans).

Hopefully, No More Ransom can help you decrypt your documents, databases, photos, and other information, download the necessary decryption software, and obtain information to help you avoid these types of threats in the future.

At No More Ransom you can try to decrypt your files and determine the type of encryption virus as follows:

  1. Click "Yes" on the main page of the service.
  2. The "Crypto Sheriff" page opens, where you can upload sample encrypted files of no more than 1 MB each (I recommend uploading ones that contain no sensitive data) and enter the email addresses or sites through which the scammers demand the ransom (or upload the readme.txt file with the demand).
  3. Press the "Check" button and wait for the check to finish and show its result.

In addition, there are useful sections available on the website:

  • Decryptors: almost all utilities available today to decrypt files encrypted by viruses.
  • Infection Prevention - Information intended primarily for novice users that can help prevent infection in the future.
  • Questions and Answers - Information for those who want to better understand how encryption viruses work and what to do when files on your computer are found to have been encrypted.

To this day, No More Ransom is probably the most relevant and useful resource related to file decryption for the Russian speaking user, I highly recommend it.

ID Ransomware

Another such service is ID Ransomware (I do not know how well it copes with Russian variants of the virus, but it is worth a try: upload a sample encrypted file and the text file with the ransom demand).

If you manage to determine the encryptor type, try to find a utility to decrypt that variant with a query such as "<ransomware type> decryptor". These utilities are free and published by antivirus developers; for example, there are several such utilities on the Kaspersky website (others are listed closer to the end of this article). And, as mentioned above, do not hesitate to contact the antivirus developers on their forums or by email to support.

Unfortunately, none of this always helps, and a working decryptor does not always exist. In that case the scenarios vary: many pay the attackers, encouraging them to carry on. Some users are helped by data recovery software run on the computer, because the virus writes the encrypted copy and then deletes the original file, which in theory can be recovered as long as the disk sectors have not been overwritten.
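The steps above (collect the ransom note and a sample file, identify the family by extension, gather the contact addresses the Crypto Sheriff asks for, and touch nothing on disk) can be done with a small read-only script. The following is an added example, not code from the article or from any of the services it mentions. It walks a directory tree, tallies file extensions, maps the ones listed on this page to the families the page associates with them, pulls email addresses out of anything that looks like a ransom note, and measures the byte entropy of one file per extension (properly encrypted data sits close to 8 bits per byte, plain documents far lower). The sample tree it builds is constructed for the demonstration; the address in the note is a fake placeholder.

```python
"""Offline triage of a directory tree that may have been hit by ransomware (added example)."""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions named in this article and the family the article associates with them.
# Only the extension is matched, and the same extension can be used by several
# families (the article says so for .AES256), so treat a hit as a lead, not proof.
KNOWN_EXTENSIONS = {
    ".xtbl": "xtbl variant (Trojan.Encoder.858); no decryptor at time of writing",
    ".better_call_saul": "Trojan-Ransom.Win32.Shade; no decryptor at time of writing",
    ".locked": "Trojan-Ransom.Win32.Aura / Rakhni (try RakhniDecryptor)",
    ".crypto": "Trojan-Ransom.Win32.Aura / Rakhni (try RakhniDecryptor)",
    ".kraken": "Trojan-Ransom.Win32.Aura / Rakhni (try RakhniDecryptor)",
    ".aes256": "Trojan-Ransom.Win32.Aura / Rakhni, but other families use it too",
    ".enc": "Trojan-Ransom.Win32.Aura / Rakhni (try RakhniDecryptor)",
    ".oshit": "Trojan-Ransom.Win32.Aura / Rakhni (try RakhniDecryptor)",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: well-encrypted data is close to 8.0, plain text is far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """readme.txt, or any small text file that talks about encrypted files."""
    if path.name.lower() == "readme.txt":
        return True
    if path.stat().st_size > 65536:
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return "encrypted" in text and ("decrypt" in text or "@" in text)


def triage(root, sample_bytes: int = 4096) -> dict:
    """Read-only walk: tally extensions, match known families, harvest contact
    addresses from ransom notes, and measure entropy of one file per extension.
    Nothing is renamed, moved or deleted (the article's 'what you must not do')."""
    root = Path(root)
    extensions = Counter()
    emails = set()
    notes = []
    entropy_by_ext = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if looks_like_ransom_note(path):
            notes.append(str(path))
            emails.update(EMAIL_RE.findall(path.read_text(errors="ignore")))
            continue
        ext = path.suffix.lower()
        extensions[ext] += 1
        if ext not in entropy_by_ext:
            with path.open("rb") as fh:
                entropy_by_ext[ext] = round(shannon_entropy(fh.read(sample_bytes)), 2)
    families = {ext: KNOWN_EXTENSIONS[ext] for ext in extensions if ext in KNOWN_EXTENSIONS}
    return {
        "extensions": dict(extensions),
        "families": families,
        "entropy": entropy_by_ext,
        "notes": notes,
        "emails": sorted(emails),
    }


def build_sample_tree(root) -> None:
    """Constructed sample data (not a real infection): three 'encrypted' files
    with random contents and a .xtbl extension, one untouched document, and a
    ransom note modelled on the one quoted in the article. The address is fake."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    for _ in range(3):
        (root / "docs" / f"{os.urandom(8).hex()}.xtbl").write_bytes(os.urandom(4096))
    (root / "docs" / "untouched.txt").write_bytes(b"quarterly report draft\n" * 200)
    (root / "readme.txt").write_text(
        "Your files have been encrypted. To decrypt them, send the code "
        "4F2A-91C0 to decrypt@example.com. Attempting to decrypt the files "
        "yourself will result in irrecoverable data loss.\n"
    )


def demo() -> dict:
    """Build the constructed sample tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it against a copy of the affected directory (or the USB stick with your samples), not against the infected system while the Trojan is still running. The extension table is deliberately limited to what this article names; an unknown extension with near-8.0 entropy still tells you the files really are encrypted and not merely renamed, which is the first thing the antivirus lab will want to know.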

Files on computer encrypted in xtbl

One of the latest variants of the ransomware virus encrypts files, replacing each with a file that has a .xtbl extension and a name made up of a random string of characters.

At the same time a readme.txt text file with roughly the following content is placed on the computer: "Your files have been encrypted. To decrypt them, you have to send the code to [email protected], [email protected] or [email protected]. You will then receive all the necessary instructions. Attempting to decrypt the files yourself will result in irrecoverable data loss." (The email addresses and the wording may differ.)

Unfortunately, there is currently no way to decrypt .xtbl files (these instructions will be updated as soon as one appears). Some users who had genuinely important information on their computers report on antivirus forums that they sent the virus authors 5000 rubles or whatever sum was demanded and received a decryptor; however, this is very risky, as you may get nothing at all.

What to do if your files were encrypted to .xtbl? My recommendations are as follows (they differ from many other sites on the subject, which for example recommend shutting the computer down immediately, or not removing the virus; in my opinion that is unnecessary and in some circumstances may even be harmful, but the decision is yours):

  1. If you know how, interrupt the encryption process by ending the corresponding processes in Task Manager and disconnecting the computer from the Internet (for some variants a connection is a prerequisite for encryption).
  2. Memorize or write down the code the attackers want sent to their email address (not in a text file on the computer, in case that gets encrypted too).
  3. Use Malwarebytes Anti-Malware, a trial version of Kaspersky Internet Security, or Dr.Web CureIt! to remove the virus that encrypts your files (all of the tools mentioned do the job well). I advise using the first and second products on the list one after the other (though if you already have an antivirus installed, installing the second one on top of it is not advisable, as it can cause problems on the computer).
  4. Wait for a decryptor from one of the antivirus companies to appear; Kaspersky Lab is at the forefront here.
  5. You can also send a sample encrypted file and the required code to [email protected]. If you have an unencrypted copy of the same file, send that as well; in theory this can speed up the appearance of a decryptor.

What you must not do:

  • Rename the encrypted files, change their extension, or delete them if they are important to you.

That's probably all I can say about encrypted files with extension .xtbl at the moment.

Files encrypted by better_call_saul

Among the recent encrypting viruses, Better Call Saul (Trojan-Ransom.Win32.Shade) gives encrypted files the .better_call_saul extension. It is not yet known how to decrypt these files. Users who contacted Kaspersky Lab and Dr.Web were told that this cannot be done yet (but submit your samples anyway: the more encrypted samples the developers have, the more likely they are to find a method).

If it turns out that you have found the decryption method (that is, it has been posted somewhere and I have not taken it into account), please share the information in the comments.

Trojan-Ransom.Win32.Aura and Trojan-Ransom.Win32.Rakhni

The next Trojan encrypts files and gives them one of the extensions from this list:

  • .locked
  • .crypto
  • .kraken
  • .AES256 (not necessarily this Trojan; others use the same extension)
  • [email protected]_com
  • .enc
  • .oshit
  • And others.

To decrypt files after these viruses have done their work, Kaspersky has a free utility called RakhniDecryptor, available on its official page.

There are also detailed instructions on using this utility that show how to restore encrypted files; just in case, I would untick the option "Delete encrypted files after successful decryption" (although I think everything will be fine with the option enabled).

If you have a Dr.Web antivirus license, you can use Dr.Web's free decryption at

More variants of the encryption virus

Less widespread, but still encountered, are the following Trojans that encrypt files and demand money for decryption. The links below offer not only utilities for recovering your files but also a description of the signs that help you determine whether you have that particular virus. In general, though, the best approach is to scan the system with Kaspersky Anti-Virus, find out the Trojan's name according to the company's classification, and then search for a utility by that name.

  • Trojan-Ransom.Win32.Rector - the free RectorDecryptor utility and a user guide are available here:
  • Trojan-Ransom.Win32.Xorist - a similar Trojan that shows a window asking you to send a paid SMS or make contact by email for decryption instructions. Instructions on recovering encrypted files and the XoristDecryptor utility are available at
  • Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.Fury - the RannohDecryptor utility
  • Trojan.Encoder.858 (xtbl), Trojan.Encoder.741 and others with the same name and different numbers (as reported by Dr.Web antivirus or the CureIt! utility) - try searching the Internet for the Trojan's name. For some of them Dr.Web has decryption utilities; and if you cannot find a utility but have a Dr.Web license, you can use the official page
  • CryptoLocker - to decrypt your files after CryptoLocker, you can use the service at the following address: after you submit a sample file, you receive a key and a utility to restore your files.
  • Ransomware Removal Kit (on the downloads page) - a large archive with information on different types of encryptors and decryption utilities (in English)

And from the latest news: Kaspersky Lab, together with the Dutch police, has developed a decryptor for files encrypted by CoinVault, but this ransomware has not yet been seen in our region.

Protection against encryption ransomware or ransomware viruses

As ransomware spreads, many antivirus and antimalware vendors have started rolling out their solutions to prevent encryptors from running on your computer, including:

  • Malwarebytes Anti-Ransomware.
  • BitDefender Anti-Ransomware
  • WinAntiRansom

The first two are still in beta but free (although they only detect a limited set of these viruses: TeslaCrypt, CTB-Locker, Locky, CryptoLocker). WinAntiRansom is a paid product that promises to prevent encryption by almost any ransomware sample, protecting both local and network drives.

But note: these programs are not designed for decryption, only to prevent the encryption of important files on your computer. I think these functions really ought to be built into antivirus products. Otherwise we end up in a strange situation: the user has to keep an antivirus, an anti-adware and anti-malware tool, now an anti-ransomware utility as well and, just in case, an anti-exploit tool.

By the way, if you have something to add (I may not have time to keep track of everything that happens with decryption methods), let me know in the comments; the information will be useful to other users facing this problem.