Data Recovery Digest


How to Remove the RansomAES Virus and Recover Your Files

The threat of ransomware is on the rise. It's a tactic that's often used by international computer hackers to freeze a computer and prevent access to the files within. Such attacks include a ransom, hence the name, and the promise of restoring access once the ransom has been paid. Unfortunately, many victims who pay the ransoms still end up without their critical data in the end.

What is RansomAES?

RansomAES is one of the most disturbing and disruptive apps of its kind. Instead of deleting or hiding files outright, it renames them with the extra extension of "RansomAES," thus rendering the data unusable. Once the attack is complete, a pop-up window displays a text file (READ ME.txt) that informs the user of the attack and demands the initial ransom.

Instead of giving in and paying the ransom, professionals recommend various solutions, including:

Recovering Files via a Windows Shadow Volume Copy

Microsoft Windows has a built-in feature known as "Previous Versions" that lets users restore older files from Shadow Volume Copy snapshots. Although RansomAES is known to attack and, in some cases, delete Windows Shadow Volume Copy files, the snapshots might still be available in some isolated incidents.

If this is the case, users can recover individual files or folders by right-clicking and choosing the "Restore previous versions" option. When there are multiple instances available, users can pick a specific version by clicking on "Properties" instead of "Restore previous versions" and navigating to the "Previous Versions" tab. This will automatically list all past iterations available.

Alternatively, you can choose the "Copy" option instead of "Restore." "Copy" places the files in a location that you specify at that time. "Restore" returns files to their original location and overwrites any files of the same name that might exist there.

Removing Files

If a specific file or folder can't be recovered, or if it just needs to be removed from a system entirely, the process is rather painless. To do this, locate any affected files and delete them as normal. This works in Safe Mode, too, which is sometimes required to access an infected system.

RansomAES generally targets files with the following extensions: .asp, .aspx, .bmp, .cdr, .cmd, .config, .cpp, .csv, .dbf, .dll, .doc, .docx, .dwg, .exe, .flv, .gif, .html, .hwp, .ini, .jpg, .js, .mdb, .mp3, .odt, .pdf, .php, .png, .ppt, .pptx, .psd, .rar, .rtf, .sql, .sqlite, .txt, .vbs, .xls, .xlsx, .xml and .zip.
To find affected files more easily, search your file system for the file types listed above.
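One way to run that search before deleting anything, as an added example that is not part of the original article: a read-only Python inventory that finds files carrying the appended "RansomAES" extension, recovers each original name and type, and locates copies of READ ME.txt. It assumes the marker is appended as a final `.RansomAES` suffix; the `inventory` and `build_sample` names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = ".ransomaes"      # appended extension named in the article; exact form is an assumption
NOTE_NAME = "read me.txt"  # ransom note name from the article, compared case-insensitively
# Extensions the article lists as targeted.
TARGETED = set(
    ".asp .aspx .bmp .cdr .cmd .config .cpp .csv .dbf .dll .doc .docx .dwg .exe "
    ".flv .gif .html .hwp .ini .jpg .js .mdb .mp3 .odt .pdf .php .png .ppt .pptx "
    ".psd .rar .rtf .sql .sqlite .txt .vbs .xls .xlsx .xml .zip".split()
)


def inventory(root):
    """Read-only walk: returns (affected, notes, by_type) for everything under root."""
    affected, notes, by_type = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == NOTE_NAME:
                notes.append(path)
            elif lower.endswith(MARKER) and len(lower) > len(MARKER):
                original = name[: -len(MARKER)]  # name before the marker was appended
                ext = Path(original).suffix.lower() or "(none)"
                by_type[ext] += 1
                affected.append((path, original, ext in TARGETED))
    return sorted(affected), sorted(notes), by_type


def build_sample(root):
    """Create a small constructed tree (empty files) to exercise inventory()."""
    names = ["report.docx.RansomAES", "photos/cat.jpg.RANSOMAES",
             "archive.7z.RansomAES", "READ ME.txt", "clean.pdf"]
    for rel in names:
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        affected, notes, by_type = inventory(tmp)
        for path, original, listed in affected:
            print(f"{path}  original={original}  in_article_list={listed}")
        print("ransom notes:", [str(n) for n in notes])
        print("by original type:", dict(by_type))
```

Pointing `inventory()` at a real folder gives a list to compare against backups or Previous Versions before any file is removed.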

Using Advanced Software Recovery

In the case of a widespread or more serious infection, third-party software tools might be the only option. There is a plethora of options available on the market today, but some of the most popular include Malwarebytes and Spybot Search & Destroy, both of which offer free and trial versions that have limited, try-before-you-buy functionality.

The last option is to seek the assistance of an IT technician or data forensics specialist, and even they might not be able to restore all of the lost data.
