“.encrypted” is a label used by ransomware infections (they break your files and ask for a ransom to fix them) to mark a file that has been encrypted by the ransomware. “.encrypted” has been used by many different programs over the years, which makes it difficult to know which specific ransomware attacked your computer.
Luckily, there are other ways to find the culprit behind the “.encrypted” extension, such as the ransom note and antivirus scans.
About “.encrypted” ransomware:
| How to recognize which ransomware is behind “.encrypted” | Use the details found in your ransom note, use antivirus detection names. |
| Can the files be fixed? | Check if your ransomware has decryption tools available, use data recovery software. |
| How to remove “.encrypted” ransomware | Use antivirus tools (like Spyhunter) to remove all malware, secure your accounts and your computer against any more attacks. |
How “.encrypted” ransomware works
Ransomware is malicious software that does something bad to the data on your computer and then asks you to pay in order to fix the problem.
For example, file-encrypting ransomware uses cryptography to break your files and then asks you to pay up in order to receive the decryption key needed to restore the data. Once it’s on the computer, it encrypts files and then adds a new file extension to the names of those encrypted files. “.encrypted” ransomware is just this type of infection.
You can see the extensions of your files in Windows 10 by opening File Explorer, selecting View at the top, and ticking the File name extensions box. The “.encrypted” extension is at the end of the name of each file. In addition, using the Details view to display your files shows the file type as ENCRYPTED.
There’s nothing special about the word “.encrypted”. Ransomware extensions can be completely arbitrary. They’re up to the author of the ransomware to decide. Some ransomware infections use random symbols, some use a distinctive name, and others use something generic, like “.encrypted”.
While those ransomware infections that use distinctive names are good for tracking which specific ransomware attacked your computer, generic extensions make it a bit harder. But it is important to find out which ransomware infection attacked your computer in order to know what options you have for getting your files back.
How to find the culprit
Ransomware infections that use the “.encrypted” extension
Listing all the ransomware infections that use the “.encrypted” extension to mark an encrypted file is futile, I think. There are too many infections, and many of them are too small in impact.
For example, the Fake WindowsUpdater (2017), VapeLauncher (2017), Cryptre (2018), CryptoLite (2018), Globe 2 (2016), and other older infections used the “.encrypted” extension to mark the files they attacked, but they don’t spread anymore, so they’re unlikely to be causing any trouble today.
Here are a few of the ransomware infections that use the “.encrypted” extension and have infected computers recently:
- “Your company network was riddled with…” (Twitter)
- CoronaCrypt and SpartCrypt
Other ways to recognize ransomware
Ultimately, “.encrypted” is way too generic to know which ransomware is responsible for it. Luckily, there are other ways to recognize what attacked your files. Check your files and see if you can find a ransom note. There are more details there:
- Email addresses and other contact details.
- The address of the wallet that victims are asked to send money to.
- The exact ransom text.
Use these details to search the web for matches. There are also specific websites for identifying ransomware, like ID Ransomware.
You can also have an antivirus program scan your computer and see if the ransomware is recognized. Or find the ransomware executable and scan it online (for example, on Virustotal.com). Those scan results can also help you find relevant information.
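The ransom-note details listed above can be pulled out of the note's text automatically before searching for them. The following is an added example, not part of the original article: it assumes the note is plain text and that the wallet is a legacy Base58 Bitcoin address, and the sample note is constructed.

```python
import hashlib
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumption: the wallet is a legacy Base58 Bitcoin address (starts with 1 or 3).
WALLET_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_ok(addr):
    """Reject typos and look-alike strings: the last 4 bytes must equal
    the start of the double SHA-256 of the first 21 bytes."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return check == raw[21:]


def extract_indicators(note):
    """Pull the searchable details out of a ransom note's text."""
    emails = sorted({m.lower() for m in EMAIL_RE.findall(note)})
    wallets = sorted({w for w in WALLET_RE.findall(note) if base58check_ok(w)})
    phrases = [ln.strip() for ln in note.splitlines()
               if ln.strip() and not EMAIL_RE.search(ln) and not WALLET_RE.search(ln)]
    return {"emails": emails, "wallets": wallets, "phrases": phrases}


# Constructed sample note. The wallet is the publicly known Bitcoin genesis-block
# address, used only because its checksum is valid; it is not tied to any ransomware.
SAMPLE_NOTE = """All your files have been encrypted!
To get the decryption tool write to restore-files@example.com
or backup.contact@example.org and include your ID.
Send payment to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
Do not rename files ending in .encrypted
"""

if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_NOTE).items():
        for value in values:
            print(f"{kind}: {value}")
```

The `phrases` entries are the lines without contact details, which can be pasted in quotes into a search engine; a wallet string that fails the checksum was probably mistyped or copied incompletely.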
How to deal with “.encrypted” ransomware
How to get back your files
If you don’t have backups of your data, can you still get your files back?
Don’t rush to delete the “.encrypted” part from the names of your files. This does nothing to help fix the files. Decryption is much more complicated.
Once you know which ransomware attacked your data, you will know better what your options are. Here are a few suggestions:
- Use data recovery software. If you still have the infected drives and haven’t used them much since the “.encrypted” ransomware attack, then a forensic program might recover something useful.
- Some of the infections could be poorly made. In these cases, volunteers or antivirus vendors may come up with decryptors. A good place to find them all is Nomoreransom.org.
- Repair the files. In some cases, ransomware infections leave portions of files unencrypted, which allows some limited data to be recovered (with a lot of time and effort).
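To check whether a ransomware left portions of a file unencrypted, as the last item describes, the byte entropy of each block can be measured on a copy of the file. This is an added example, not part of the original article; the block size, the 7.5 bits-per-byte threshold and the sample data are assumptions chosen for illustration.

```python
import hashlib
import math
import pathlib
import sys
from collections import Counter

BLOCK = 4096       # bytes per measured block
MIN_CHUNK = 1024   # shorter chunks cannot reach high entropy, so they are skipped
THRESHOLD = 7.5    # bits per byte; assumption: encrypted data measures close to 8.0


def shannon_entropy(data):
    """Entropy of a byte string in bits per byte (0.0 to 8.0)."""
    total = len(data)
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def readable_ranges(blob, block=BLOCK, threshold=THRESHOLD):
    """Return merged (start, end) byte ranges whose entropy is below the
    threshold, i.e. regions that do not look encrypted."""
    ranges = []
    for off in range(0, len(blob), block):
        chunk = blob[off:off + block]
        if len(chunk) < MIN_CHUNK or shannon_entropy(chunk) >= threshold:
            continue
        end = off + len(chunk)
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], end)  # extend the previous range
        else:
            ranges.append((off, end))
    return ranges


def build_sample():
    """Constructed sample: 8 KiB of pseudo-random bytes standing in for an
    encrypted header, followed by 12 KiB of untouched CSV-like text."""
    head = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
    tail = (b"2021-03-04,invoice,customer,amount\n" * 400)[:12288]
    return head + tail


if __name__ == "__main__":
    # Pass copies of .encrypted files as arguments; with none, the sample is used.
    paths = sys.argv[1:]
    blobs = {p: pathlib.Path(p).read_bytes() for p in paths} or {"sample": build_sample()}
    for name, blob in blobs.items():
        print(name, readable_ranges(blob))
```

A low-entropy range is a strong hint that the data there is intact, but the reverse does not hold: compressed formats such as JPEG, ZIP or DOCX measure high even when they were never encrypted.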
Most importantly, do not fall for scammers. Scammers lurk online, preying on vulnerable ransomware victims, promising to fix their files when really, they just want to take people’s money.
Encryption is no joke and, when it’s properly implemented, there’s almost no chance of a decryption tool ever being developed. In those cases, only the people behind the “.encrypted” ransomware have the decryption keys and there’s nothing to be done about it, besides hoping that law enforcement catches them.
How to remove “.encrypted” ransomware
If you want to keep the files, make a backup.
Then, remove all malware. Not just the ransomware, but all the other malicious files. Often, a ransomware infection also installs spyware and adware on the same computer.
In addition, victims report that they got infected after they installed a program or opened a file from the internet (that is, after they pirated something), which means that the files in the Download folder should be purged.
Use an antivirus program that you trust (Spyhunter, others) and consider resetting your computer.
Reset your passwords and make sure that 2-factor verification is turned on for all of your important online accounts. If your computer is accessible remotely, make sure that very strong login credentials are used to connect.
How to recover Extension "Encrypted" Ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the window that appeared.
- Select one of the Restore Points from before Extension "Encrypted" Ransomware infiltrated your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of Extension "Encrypted" Ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Extension "Encrypted" Ransomware. You can check other tools here.
Step 3. Restore Extension "Encrypted" Ransomware affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Extension "Encrypted" Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.
Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover Extension "Encrypted" Ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
- We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
- Download a data recovery program.
- Install and scan for recently deleted files.