If you turned on your PC and saw a ransom note saying “Your files are encrypted”, then your system is infected with ransomware, a virus that encrypts files. The “Your files are encrypted” ransomware secretly penetrates the PC and encrypts photos, documents and music stored on your system disks. While encrypting, it can rename all your important personal files or add a new extension to the end of their names.
“Your files are encrypted” is ransomware developed to encrypt the personal files found on an infected system using a hybrid AES + RSA encryption mode, appending an extension of a few random letters to all encrypted files. Once the encryption process is done, it opens a ransom note offering to decrypt all of the user’s documents, photos and music if a payment is made.
Table of contents
- What is “Your files are encrypted” virus
- How to decrypt files encrypted by “Your files are encrypted” ransomware
- How to remove “Your files are encrypted” ransomware virus
- How to restore files encrypted by “Your files are encrypted” ransomware
- How to prevent your PC system from becoming infected by “Your files are encrypted” ransomware?
- How does your personal computer get infected with “Your files are encrypted” ransomware virus
- Finish words
The “Your files are encrypted” ransomware urges you to make a payment in Bitcoins to get a key to decrypt your personal files. It is important to know that it is currently not possible to decrypt your documents, photos and music without the private key and the decrypt program. If you choose to pay the ransom, there is no 100% guarantee that you can decrypt all files! If you do not want to pay for a decryption key, you still have a chance to restore encrypted documents, photos and music for free.
The instructions shown below will help you to remove “Your files are encrypted” ransomware as well as restore encrypted photos, documents and music stored on your PC drives.
What is “Your files are encrypted” ransomware virus
“Your files are encrypted” is a variant of crypto viruses (malware that encrypts personal files and demands a ransom) such as Wana Decrypt0r 2.0, CryptoLocker, Crypt0l0cker, TeslaCrypt, Bit Crypt and CTB-Locker. It affects all current versions of MS Windows operating systems such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This virus uses very strong hybrid encryption with a large key, which eliminates the possibility of brute-forcing a key that would allow you to decrypt encrypted documents, photos and music.
When the ransomware virus infects a system, it uses system directories to store its own files. To run automatically whenever you turn on your PC, the “Your files are encrypted” ransomware virus creates a registry entry in the following Windows registry sections: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
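To review those two keys after an infection, save the text output of `reg query` for each key and compare it with a list of entries you know to be legitimate. The script below is an added example, not part of the original guide; the sample output, value names, paths and baseline are constructed for illustration.

```python
import re

# Constructed sample of `reg query` output for the two HKCU keys named above.
# The value names, paths and user name are invented for illustration.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    kqzvt    REG_SZ    C:\Users\alice\AppData\Roaming\kqzvt.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Cleanup Task    REG_SZ    C:\Users\alice\AppData\Local\Temp\kqzvt.exe /s
"""

# Known-good entries recorded before the incident (constructed baseline).
BASELINE = [(
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    "OneDrive",
    r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
)]

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")


def parse_reg_query(text):
    """Return a list of (key, value_name, data) tuples from `reg query` output."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()          # header line naming the key
            continue
        match = VALUE_RE.match(line)
        if match and key:
            entries.append((key, match["name"], match["data"].strip()))
    return entries


def new_autoruns(entries, baseline):
    """Return entries absent from the baseline (registry names are case-insensitive)."""
    known = {tuple(part.lower() for part in entry) for entry in baseline}
    return [e for e in entries if tuple(part.lower() for part in e) not in known]


if __name__ == "__main__":
    for key, name, data in new_autoruns(parse_reg_query(SAMPLE), BASELINE):
        print(f"REVIEW  {key}\n        {name} = {data}")
```

Entries reported for review are not proof of infection; they are simply autorun values that were not in the baseline and should be checked before the cleanup tools below are run.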
Immediately after launch, the ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. It uses the file name extension to define the group of files that will be encrypted. Almost all types of files are encrypted, including common ones such as:
.z, .db0, .wri, .erf, .css, .wpg, .der, .wot, .dazip, .jpg, .xx, .xlsb, .mcmeta, .big, .wmd, .t12, .fpk, .wire, .xlsx, .svg, .qdf, .litemod, .ltx, .wav, .vfs0, .pef, .vpp_pc, .rwl, .mddata, .zip, .wcf, .map, .ppt, .docm, .fsh, .wpt, .lrf, .mdbackup, .wpb, .mlx, .esm, .iwd, .zi, .flv, .zw, .xlgc, .wpd, .wpa, .pptx, .upk, .xls, wallet, .fos, .pfx, .odb, .bc6, .srw, .bkp, .js, .doc, .hvpl, .ncf, .zif, .t13, .7z, .wb2, .wdp, .webp, .desc, .wma, .wpd, .wpl, .menu, .rar, .wbm, .wbd, .zdb, .tax, .sql, .p7b, .p7c, .cas, .ff, .sie, .y, .itdb, .dng, .wpe, .vtf, .sav, .xy3, .lbf, .cr2, .wbk, .m4a, .xyw, .d3dbsp, .xbdoc, .raf, .icxs, .txt, .xlk, .accdb, .sid, .mdf, .wp, .xdb, .pkpass, .psk, .cer, .mpqge, .crt, .snx, .png, .xf, .wbmp, .wn, .odc, .pdf, .xmmap, .raw, .arch00, .qic, .sidn, .dba, .tor, .pak, .w3x, .xwp, .odt, .wbc, .ws, .psd, .itl, .kdb, .sr2, .ntl, .asset, .xlsm, .wp7, .apk, .xmind, .odm, .xll, .rb, .bik, .hplg, .iwi, .3ds, .lvl, .wp4, .ods, .eps, .mef, .ai, .vcf, .m2, .wp5, .0, .py, .forge, .zip, .bar, .syncdb, .dmp, .wps, .xbplate, .wma, .jpe, .rgss3a, .arw, .bkf, .docx, .yml, .1, .dxg, .rtf, .3fr, .xls, .cdr, .hkx, .mp4, .zabw, .slm, .kf, .xlsm, .3dm, .odp, .p12, .xar, .x, .xyp, .x3f, .wotreplay, .blob, .wmo, .rim, .wmv, .ztmp, .srf, .layout, .xml, .xxx, .avi, .wp6, .dbf, .dwg, .itm, .2bp, .jpeg, .mrwref, .m3u, .mdb, .bay, .sb, .z3d, .xdl, .yal, .bsa, .vpk, .wbz, .ysp, .ptx, .xpm, .sidd, .wm, .wdb, .wsd, .gdb, .mov, .dcr, .nrw, .x3f, .rofl, .orf
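Because targets are chosen by extension and encrypted files receive a few random letters as a new extension, a folder can be triaged for affected files by combining the name pattern with a content check. The script below is an added example, not part of the original guide; it assumes the random extension is appended after the original one and is 2 to 8 letters long, and the extension subset, entropy threshold and sample files are constructed.

```python
import math
import os
import re
from collections import Counter
from pathlib import Path

# Subset of the targeted extensions listed above, kept short for the example.
TARGETED = {".jpg", ".png", ".pdf", ".txt", ".doc", ".docx", ".xls", ".xlsx", ".zip"}
# Assumption: the appended "random few letters" extension is 2-8 ASCII letters.
RANDOM_SUFFIX = re.compile(r"^\.[a-z]{2,8}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted data sits close to the maximum of 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def looks_encrypted(path: Path, threshold: float = 7.5, sample: int = 65536) -> bool:
    """True for name.<targeted ext>.<random letters> files with near-random content."""
    suffixes = [s.lower() for s in path.suffixes]
    renamed = (
        len(suffixes) >= 2
        and suffixes[-2] in TARGETED
        and suffixes[-1] not in TARGETED
        and RANDOM_SUFFIX.match(suffixes[-1]) is not None
    )
    if not renamed:
        return False  # high entropy alone is normal for .jpg, .zip and similar
    with path.open("rb") as handle:
        return shannon_entropy(handle.read(sample)) >= threshold


def scan(root):
    """Return sorted relative paths under root that match both signals."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and looks_encrypted(p)
    )


def build_sample_tree(root):
    """Write constructed sample files: one encrypted-looking, three benign."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "report.docx.qwkzt").write_bytes(os.urandom(16384))
    (root / "docs" / "notes.txt.bak").write_bytes(b"meeting notes\n" * 500)
    (root / "photo.jpg").write_bytes(os.urandom(16384))
    (root / "plain.txt").write_bytes(b"hello world\n" * 500)
```

Run `scan()` on a copy of the affected folder or on a read-only mount, so that the triage itself does not modify files you may later try to recover.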
Once a file is encrypted, its extension can be changed to a few random symbols. Next, the ransomware virus creates a file that contains a guide on how to decrypt files encrypted by “Your files are encrypted” ransomware. An example of the guidance is:
Ooops, Your files are encrypted!
What Happened to My Computer?
Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.
Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time. You can decrypt some of your files for free. Try now by clicking “decrypt”. But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled. Also, if you don’t pay in 7 days, you won’t be able to recover your files forever. We will have free events for users who are so poor that they couldn’t pay in 6 months.
How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click “about bitcoin”. Please check the current price of Bitcoin and buy some bitcoins. For more information, click “how to buy bitcoins”. And send the correct amount to the address specified in this window. After your payment, click “check Payment”.
The “Your files are encrypted” ransomware actively uses scare tactics, giving the victim a brief description of the encryption algorithm and showing a ransom-demanding message on the desktop. It tries to force the user of the infected personal computer to pay the ransom without hesitation in an attempt to recover their personal files.
How to decrypt files encrypted by “Your files are encrypted” ransomware
Currently there is no available solution to decrypt files with the random-symbol extension, but you have a chance to restore encrypted files for free. The virus repeatedly tells the victim that it uses an RSA-2048 key (AES 256-bit encryption method). This means that decrypting the files is impossible without the private key. Brute forcing is also not an option because of the length of the key. Therefore, unfortunately, paying the authors of the “Your files are encrypted” ransomware the entire amount requested is the only method to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that, after you pay a ransom to the authors of the “Your files are encrypted” ransomware, they will provide the necessary key to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new ransomware.
How to remove “Your files are encrypted” ransomware virus
Even if you have an up-to-date classic antivirus installed, and you’ve checked your machine for ransomware and removed anything found, you need to follow the guidance below. Removing the “Your files are encrypted” ransomware is not as simple as installing another antivirus. Classic antivirus programs are not made to run together and will conflict with each other, or possibly crash MS Windows. Instead we suggest you complete the steps below and use Zemana Anti-malware, Malwarebytes or Kaspersky Virus Removal Tool, which are free software dedicated to finding and deleting malware like the “Your files are encrypted” ransomware. Use these utilities to ensure the virus is removed.
Get rid of “Your files are encrypted” virus with Zemana Anti-malware
We suggest using Zemana Anti-malware. You may download and install Zemana Anti-malware to find and delete the “Your files are encrypted” ransomware virus from your machine. When installed and updated, the malicious software remover will automatically scan and detect all threats present on the PC.
Download Zemana antimalware from the link below. Save it on your Microsoft Windows desktop or in any other place.
When the download is complete, start it and follow the prompts. Once installed, Zemana Anti-malware will try to update itself, and when this task is finished, click the “Scan” button to perform a system scan for the “Your files are encrypted” ransomware and other malicious software.
Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. While the application is scanning, you can see how many objects it has identified as threats. Review the scan results and then press the “Next” button.
Zemana Anti-malware will begin removing all detected folders, files, services and registry entries.
Scan and clean your machine of ransomware virus with Malwarebytes
You can remove “Your files are encrypted” ransomware automatically with the help of Malwarebytes Free. We recommend this free malware removal utility because it may easily get rid of viruses, adware, potentially unwanted applications and toolbars with all their components such as files, folders and registry entries.
Download Malwarebytes Free from the following link. Save it on your Desktop.
Once the download is done, close all windows on your machine. Next, start the file named mb3-setup. If the “User Account Control” prompt pops up as shown on the screen below, click the “Yes” button.
It will open the “Setup wizard”, which will help you install Malwarebytes on the PC. Follow the prompts and do not make any changes to the default settings.
Once setup has finished successfully, click the Finish button. Malwarebytes will then start automatically and you will see its main window like below.
Next, click the “Scan Now” button to check your computer for the “Your files are encrypted” ransomware and other known infections. Depending on your personal computer, the scan can take anywhere from a few minutes to close to an hour. When malicious software, ad-supported software or PUPs are found, the number of security threats will change accordingly.
After it has finished scanning your computer, a list of all items found is produced. Review the report and then click the “Quarantine Selected” button.
Malwarebytes will start removing the “Your files are encrypted” ransomware virus and other security threats. Once disinfection is done, you may be prompted to restart your machine. We suggest you look at the following video, which completely explains the procedure of using Malwarebytes to get rid of ransomware, adware and other malicious software.
Remove “Your files are encrypted” ransomware from PC with KVRT
KVRT is a free removal tool that may be downloaded and used to remove ransomware infections, ad-supported software, malicious software, potentially unwanted applications, toolbars and other threats from your personal computer. You can use this tool to scan for threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) from the link below and save it directly to your Windows Desktop.
After the download is finished, double-click the KVRT icon. Once the initialization procedure is finished, you will see the KVRT screen as displayed in the following example.
Click Change Parameters and set a check mark next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to perform a system scan for the “Your files are encrypted” ransomware virus and other trojans and harmful programs. Depending on your system, the scan can take anywhere from a few minutes to close to an hour. When malicious software, adware or potentially unwanted programs are found, the number of security threats will change accordingly.
Once finished, it will display a scan report like below.
Make sure all malicious entries are ‘selected’ and click on Continue to begin a cleaning task.
How to restore files encrypted by “Your files are encrypted” ransomware
In some cases, you can recover files encrypted by the “Your files are encrypted” ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted documents, photos and music.
Use shadow copies to restore files encrypted by “Your files are encrypted” ransomware
In some cases, you have a chance to recover your photos, documents and music which were encrypted by the “Your files are encrypted” ransomware. This is possible thanks to a utility called ShadowExplorer. It is a free application designed to obtain ‘shadow copies’ of files.
Download ShadowExplorer on your MS Windows Desktop from the link below. This tool is available for Windows Vista, Windows 7, Windows 8 and Windows 10.
After the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown in the figure below.
Run ShadowExplorerPortable. You will see a window as displayed in the following example.
From the first drop-down list you can choose the drive that contains the encrypted documents, photos and music; from the second drop-down list you can choose the date that you wish to recover from (1 – drive, 2 – restore point), as shown on the screen below.
Right-click an entire folder or any one encrypted file and select Export, as shown in the following example.
It will open a dialog box asking where you would like to recover the file or the contents of the folder to.
Run PhotoRec to recover files encrypted by “Your files are encrypted” ransomware
Before a file is encrypted, the “Your files are encrypted” virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your files using file recovery applications such as PhotoRec.
Download PhotoRec on your personal computer from the following link.
Once the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown in the figure below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will open a screen as shown below.
Select a drive to recover as on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted files as shown below.
Click the File Formats button and specify the file types to recover. You can enable or disable the recovery of certain file types. When this is complete, press the OK button.
Next, click Browse button to choose where recovered files should be written, then press Search.
The count of restored files is updated in real time. All recovered files are written to the folder that you chose in the previous step. You can access the files even if the restore process is not finished.
When the restore is finished, press the Quit button. Next, open the directory where the recovered photos, documents and music are stored. You will see contents like those in the image below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your restored files by extension and/or date/time.
How to prevent your computer from becoming infected by “Your files are encrypted” ransomware virus?
Most antivirus applications already have built-in protection against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, run CryptoPrevent.
Run CryptoPrevent to protect your personal computer from “Your files are encrypted” virus
Download CryptoPrevent by clicking on the link below and save it to your Desktop.
Run it and follow the setup wizard. Once the installation is finished, you’ll be shown a window where you can select a level of protection, as on the image below.
Now click the Apply button to activate the protection.
How does your PC system get infected with “Your files are encrypted” ransomware
The “Your files are encrypted” ransomware is distributed through the use of spam emails. Below is an email that is infected with a ransomware like “Your files are encrypted” virus.
Once this attachment has been opened, the ransomware starts automatically without you even noticing. The “Your files are encrypted” ransomware will start the encryption process. When this procedure is done, it’ll open the usual ransom instructions like above on .
Once you have finished the guide shown above, your system should be clean of the “Your files are encrypted” ransomware and other malware. Your PC system will no longer encrypt your documents, photos and music. Unfortunately, if the step-by-step guide does not help you, then you have caught a new variant of ransomware, and the best course is to ask for help.
- Download HijackThis from the link below and save it to your Desktop.
- Double-click the HijackThis icon. Next, press the “Do a system scan only” button.
- Once that process is finished, the scan button will read “Save log”, press it. Save this log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, log in.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” members or the Site Administrator to provide you with knowledgeable assistance tailored to your problem with the “Your files are encrypted” ransomware.