> How to > File Recovery > Recover Files Deleted or Encrypted by Ransomware Virus

Recover Files Deleted or Encrypted by Ransomware Virus

Updated on Apr 26, 2018 by Jean to File Recovery


There are 4 ways that you can apply to recover files deleted or encrypted by ransomware like Locky, CryptoLocker, CryptoWall and TorrentLocker, without paying a ransomware with hundreds of dollars. For files that were deleted or hidden by ransomware virus, you can download EaseUS Data Recovery Wizard here to get them back.

Once your computer and any other storage device are infected by ransomware virus, like the notorious ones Locky, Zcrypt, CryptoLocker, CryptWall, TorrentLocker, etc., you're prevented from accessing the infected system, and your data would largely be deleted, hidden, what's worse, files get encrypted or changed with the ransomware file extension. To get data back, you have to purchase the ransom with tens to hundreds of dollars in order to grant access to the system, though paying the ransomware will surely put your system in another dangerous situation. Or you may perform the following 4 methods to recover files deleted or encrypted by ransomware virus in a safe way.

Recover Files After Ransomware Virus Infection

For files that were deleted or hidden by the ransomware virus

Method One. Scan infected drive and recover virus files with data recovery software

Try EaseUS Data Recovery Wizard at the first attempt. It's reputable file recovery software that is able to recover files infected by Locky virus, so as CryptoLocker and other ransomware viruses.

scan virus infected hard drive and recover data

1) scan infected hard drive;
2) preview found data and recover virus deleted files.

For files that were encrypted or file extension changed (applicable to .locky file recovery)

Method Two. Restore from backup

Check your computer files that were encrypted. Once identified, segregate and delete the files. Copy and paste the files from your backup device to your computer.

Method Three. Restore a Previous Version of the File (or Folder)

1) Locate the directory where the file is stored.
2) Right-click the file, then select Properties.
3) Click the Previous Versions tab when the Properties window opens. 
Note: If you don't see the Previous Versions tab, you need to install the client. You can speak with your support team to get the correct client installed.
4) A list of available snapshots for the file will appear.
5) Select the snapshot that represents the last known good version of the file.
6) Click View and verify if it is the correct version of the file.
7) Once you find the correct file, do any of the following:
View: View the recovered file directly and then save it by clicking File > Save As.
Copy: Create a copy of the recovered file in the same directory as the original file. You will now have both copies available.
Restore: This will restore the recovered file and will replace the current file.

Important: Restoring the file will overwrite the current copy. Any data saved in the current copy will be overwritten with the older file.

Method Four. Perform a system restore

The system restore in Windows 10, 8.1, 8, 7 should have a slight difference, in general:

search Control Panel for Recovery -> select Recovery ->Open System Restore -> Next -> Choose the restore point before ransomware intrusion -> select Next > Finish.