0

I was attacked by a malware called berusose and can't open any of my files. I just need to save my pics, and even if I have to erase or format the entire 1 TB, that will be okay by me.

Can someone help me solve this problem without paying the ransom as demanded by the hackers?

Albin
  • Do you have any copies of your pictures anywhere else? Or were the ones on this infected PC your only copy? – Mr Ethernet Aug 16 '19 at 04:09
  • Why would any image files be encrypted differently from other files? – DrMoishe Pippik Aug 16 '19 at 05:00
  • They wouldn't be. It's just that she describes the image files as the most important ones: "I just need to save my pics." So those are the most important backups to track down. – Mr Ethernet Aug 16 '19 at 08:25
  • @kate malvin, any chance you could include a screenshot or photo of the ransom-demand screen? – Mr Ethernet Aug 16 '19 at 08:30
  • @Wrecclesham, I’ve got a 1 TB external HD backup. Unfortunately, the HD was slotted in the laptop when I had the attack, so I’ve lost everything. I’ve tried renaming the files, especially the JPGs and PNGs, but it’s all the same thing. Can’t open. I’ve also deleted some files and was hoping a recovery would help, and that one too didn’t help. Really need help – kate malvin Aug 17 '19 at 10:38
  • @katemalvin you definitely don't want to delete any of the encrypted files yet! Then they're completely lost. There is actually something you can at least try. I'll explain in an answer below. – Mr Ethernet Aug 17 '19 at 10:47

1 Answer

1

It's possible to download programs called "ransomware decryptors" that are able to, in some cases, completely remove the encryption from ransomware-encrypted files, without the need to pay the attacker's ransom.

  1. There is no point attempting to decrypt your files on a system that may still have an active infection that could immediately re-encrypt them. Start by running Malwarebytes on the infected computer and try to remove the original infection before doing anything else. Leave the 1 TB drive connected to the computer and allow Malwarebytes to scan that also.

  2. Attempt to identify the strain of ransomware using the Emsisoft ransomware identification page and then use the tool they recommend for your particular encryption, if one exists:

[image]

  3. You may want to try the six offerings on the Kaspersky No Ransom site, each of which works for multiple variants of ransomware:

    • Rakhni Decryptor
    • Rannoh Decryptor
    • Shade Decryptor
    • CoinVault Decryptor
    • Wildfire Decryptor
    • Xorist Decryptor

This is what the Kaspersky decryption tools look like in action:

[image]

  4. No More Ransom! has a massive collection of over 100 free ransomware removal tools. Once you obtain the official ID of your ransomware from Step 2, you may be able to find a matching decryptor for it from that list.

Even if none of the ransomware decryptors currently available are able to unlock your files, the ransomware that compromised your system could be defeated later on. I would advise against deleting any of your encrypted files, even if you can't decrypt them today, as a ransomware decryptor that does work for them may become available in the future.

All hope is not lost!

Mr Ethernet
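Added example, not part of the original answer: a read-only triage script that checks each picture-named file's leading bytes against the JPEG/PNG/GIF signatures, which shows why renaming an encrypted file back to `.jpg` does not make it open, and counts any extension appended after the picture extension, a detail worth noting for the identification in Step 2. It deletes and modifies nothing; the `.locked` extension and the sample files are constructed for the demo.

```python
import os, sys, tempfile
from collections import Counter

# File signatures (leading bytes) of common picture formats.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
         b"GIF87a": "gif", b"GIF89a": "gif"}
PICTURE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

def sniff(path):
    """Return the picture format whose signature starts the file, else None."""
    with open(path, "rb") as fh:      # opened read-only; nothing is modified
        head = fh.read(8)
    return next((kind for sig, kind in MAGIC.items() if head.startswith(sig)), None)

def triage(root):
    """Walk root and sort picture-named files into intact and unreadable.

    A matching signature only shows the start of the file is not encrypted;
    open the picture in a viewer before trusting it.
    """
    intact, unreadable, appended = [], [], Counter()
    for folder, _dirs, names in os.walk(root):
        for name in sorted(names):
            exts = ["." + p for p in name.lower().split(".")[1:]]
            if not PICTURE_EXTS.intersection(exts):
                continue              # name never had a picture extension
            path = os.path.join(folder, name)
            try:
                kind = sniff(path)
            except OSError:
                kind = None           # unreadable file: report it, don't stop
            if kind:
                intact.append(path)
            else:
                unreadable.append(path)
                if exts[-1] not in PICTURE_EXTS:
                    appended[exts[-1]] += 1   # extension added after .jpg/.png
    return intact, unreadable, appended

def demo():
    """Run triage over constructed sample files (not real ransomware output)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"beach.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 32,   # valid JPEG start
                   "cat.png.locked": b"\x8e\x11\x5c\x02" * 8,       # scrambled bytes
                   "dog.jpg.locked": b"\x41\x9f\x00\x7c" * 8,       # scrambled bytes
                   "renamed.png": b"\x13\x37\xc0\xde" * 8,          # renamed back, still scrambled
                   "notes.txt": b"not a picture"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        intact, unreadable, appended = triage(root)
        return ([os.path.basename(p) for p in intact],
                [os.path.basename(p) for p in unreadable], dict(appended))

if __name__ == "__main__":
    print(triage(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with a folder path as the only argument to scan real data; copy anything listed as intact to clean storage and leave the unreadable files where they are.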