Recover Files Deleted or Encrypted by Ransomware Virus

Jean updated on May 31, 2019 to File Recovery | How-to Articles


There are 4 ways that you can apply to recover files deleted or encrypted by ransomware like Locky, CryptoLocker, CryptoWall and TorrentLocker, without paying a ransomware with hundreds of dollars. For files that were deleted or hidden by ransomware virus, you can download EaseUS Data Recovery Wizard here to get them back.

Once your computer and any other storage device are infected by ransomware virus, like the notorious ones Locky, Zcrypt, CryptoLocker, CryptWall, TorrentLocker, etc., you're prevented from accessing the infected system. And your data would largely be deleted, hidden, what's worse, files get encrypted or changed with the ransomware file extension.

To get data back, you have to purchase the ransom with tens to hundreds of dollars in order to grant access to the system, though paying the ransomware will surely put your system in another dangerous situation.

Or you may perform the following 4 methods to recover files deleted or encrypted by ransomware virus in a safe way.

Method 1. Scan infected drive and recover virus files with data recovery software
Method 2. Restore from backup
Method 3. Restore a previous version of the file (or folder)
Method 4. Perform a system restore

Recover Files After Ransomware Virus Infection

For files that were deleted or hidden by the ransomware virus

Method 1. Scan infected drive and recover virus files with data recovery software

Try EaseUS Data Recovery Wizard at the first attempt. It's reputable file recovery software that is able to recover files infected by Locky virus, so as CryptoLocker and other ransomware viruses.

Your Reliable Choice - EaseUS Data Recovery Wizard

  • Recover deleted, formatted, and inaccessible data in different data loss situations.
  • Recover photos, audio, music, and emails from any storage effectively, safely and completely.
  • Recover data from the recycle bin, hard drive, memory card, flash drive, digital camera and camcorder.

Method 2. Restore from backup

Check your computer files that were encrypted. Once identified, segregate and delete the files. Copy and paste the files from your backup device to your computer.

Method 3. Restore a Previous Version of the File (or Folder)

1) Locate the directory where the file is stored.
2) Right-click the file, then select "Properties".
3) Click the "Previous Versions" tab when the Properties window opens. 
Note: If you don't see the Previous Versions tab, you need to install the client. You can speak with your support team to get the correct client installed.

4) A list of available snapshots for the file will appear.
5) Select the snapshot that represents the last known good version of the file.
6) Click "View" and verify if it is the correct version of the file.
7) Once you find the correct file, do any of the following:

  • View: View the recovered file directly and then save it by clicking "File" > "Save As".
  • Copy: Create a copy of the recovered file in the same directory as the original file. You will now have both copies available.
  • Restore: This will restore the recovered file and will replace the current file.

IMPORTANT: Restoring the file will overwrite the current copy. Any data saved in the current copy will be overwritten with the older file.

Method 4. Perform a system restore

The system restore in Windows 10, 8.1, 8, 7 should have a slight difference, in general:

search Control Panel for Recovery -> select "Recovery" ->Open "System Restore" -> "Next" -> Choose the restore point before ransomware intrusion -> select "Next" > "Finish".


100% of people found this article helful.


Frequently Asked Qusetions

1. Why cannot I recover 2GB data for free?

It is recommended to check the version installed is Free or Trial because they are different versions.

Trial has data preview function but cannot save any files, while the Free version enables to recover 2 GB files. The default free space is 500 MB and you may share the product on social media to get another 1.5 GB.

2. Why cannot the recovered files be opened?

A file is saved as 2 parts on the storage device: directory info (which is comprised by file name, time stamp and size info, etc.) and data content.

If the files with original file names and folder structures cannot be opened, one possible reason is the corrupted directory info. There is still a chance to recover the data content with the RAW Recovery method in our software.

3. Why isn't it suggested to recover the files back to the original drive?

The storage structure of the lost files would be altered or damaged by any changes on the drive. If you save the recovered files back to the same drive, the original data structures and data content would be corrupted or overwritten, which causes permanent data loss. So you should prepare another disk to save the files.

4. How can I check whether my data is recoverable or not before purchase?

The Free version helps you save 2GB files to better verify the recovery quality of our product before purchase.

5. How long does it take to scan the drive?

It strongly depends on the capacity of your hard drive and the performance of your computer. As reference,most drive recoveries can be completed in around 10 to 12 hours for a 1-TB healthy hard drive in general conditions.

About Data Recovery Wizard

It's super easy to recover 250+ types of files after deletion, disk formatting and virus infection. Click the links and compare the difference of each version.