1. Customize your computer settings.
Starting with Windows Vista, the OS includes a system protection service for all drives, which saves copies of files and folders whenever a backup runs or a system restore point is created. After the OS is installed, this service is enabled only for the system partition, usually drive C. For additional protection, it is recommended to enable this service for all drives.
2. What to do if the files are encrypted.
If an antivirus program is installed on the computer, change the following in its settings:
– disable automatic removal of detected malware.
– configure it to place suspicious files in quarantine.
– If you find a suspicious file whose launch led to the infection and file encryption, you can send it for analysis, for example to Kaspersky Lab by e-mail at [email protected]. Pack the files for analysis into an archive protected with the password "infected" (using the WinRAR archiver). When setting the password, select the Encrypt file names check box.
– Create a copy of all encrypted files.
– You can try to recover files using File History for Windows Vista, Windows 7, Windows 8, Windows 10.
– You can also try using Kaspersky Lab utilities for decryption: RectorDecryptor utility; XoristDecryptor utility; RakhniDecryptor utility.
Before running the utility, be sure to make copies of all files.
– List of places where files of the ransomware can be located:
APPDATA
OS Windows NT/2000/XP:
Drive:\Documents and Settings\%UserName%\Application Data
%USERPROFILE%\Local Settings\Application Data
OS Windows Vista/7/8:
Drive:\Users\%UserName%\AppData\Roaming
%USERPROFILE%\AppData\Local
TEMP (temporary directory)
%TEMP%\???????.tmp (example: temp\vum35a5.tmp)
%TEMP%\???????.tmp\?? (example: temp\7ze5418.tmp\mp)
%TEMP%\??????? (example: temp\pcrdd27)
%WINDIR%\Temp
Internet Explorer temporary directory
OS Windows NT/2000/XP: %USERPROFILE%\Local Settings\Temporary Internet Files
OS Windows Vista/7/8:
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files
..\temporary internet files\content.ie5
..\temporary internet files\content.ie5\???????? (? — a-z, 0-9)
Desktop
%UserProfile%\Desktop
Recycle Bin
Drive:\Recycler
Drive:\$Recycle.Bin
Drive:\$Recycle.Bin\s-1-5-21-??????????-??????????-??????????-1000 (? — 0-9)
System directory
%WinDir%
%SystemRoot%\system32
User document directory
%USERPROFILE%\My Documents
%USERPROFILE%\My Documents\Downloads
Directory for downloading files in a web browser
%USERPROFILE%\Downloads
Startup directory
%USERPROFILE%\Start Menu\Programs\Startup
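
To narrow down which file in these locations to quarantine and submit, the following read-only triage helper lists recently modified files and marks those whose names have the TEMP shapes from the list. It is an added example, not part of the original page; the function name `triage`, the 24-hour window and the depth limit are assumptions chosen for illustration.

```python
import os
import re
import time
from pathlib import Path

# Vista/7/8 locations from the list above, expanded from the environment on Windows.
LOCATIONS = [r"%APPDATA%", r"%LOCALAPPDATA%", r"%TEMP%", r"%WINDIR%\Temp",
             r"%USERPROFILE%\Desktop", r"%USERPROFILE%\Downloads"]

# Name shapes the list gives for %TEMP%: ???????.tmp, ???????.tmp\??, ???????
# Assumption: '?' means a-z or 0-9, as the list states for content.ie5.
TEMP_SHAPE = re.compile(r"^[a-z0-9]{7}(\.tmp(/[a-z0-9]{2})?)?$", re.IGNORECASE)


def triage(roots, since_epoch, max_depth=2):
    """List files under roots modified at or after since_epoch (read-only).

    Returns (path, mtime, shape_match) tuples, oldest first. shape_match only
    says the relative path looks like the TEMP patterns; it is a hint for
    review, not a verdict.
    """
    hits = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue  # location absent on this OS version
        for dirpath, dirnames, filenames in os.walk(root):
            rel_dir = Path(dirpath).relative_to(root)
            if len(rel_dir.parts) + 1 >= max_depth:
                dirnames[:] = []  # do not descend further
            for name in filenames:
                path = Path(dirpath) / name
                try:
                    mtime = path.stat().st_mtime
                except OSError:
                    continue  # locked or vanished file
                if mtime >= since_epoch:
                    rel = (rel_dir / name).as_posix()
                    hits.append((str(path), mtime, bool(TEMP_SHAPE.match(rel))))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    day_ago = time.time() - 24 * 3600  # assumption: encryption began within the last day
    for path, mtime, shape in triage(map(os.path.expandvars, LOCATIONS), day_ago):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)),
              "TEMP-shape" if shape else "-", path)
```

The script only reads file metadata, so it can be run before the copies of the encrypted files are made without altering anything on disk.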