Hello!
Please guide me on the next steps.
It's not a software tool that I know, so limited guidance from me.
On the Linux computer you could install Wine from the software repository, then using Wine try to install qphotorec, as per the video, but I am unable to confirm its ability to work on Wine.
Normally Wine offers the possibility to run some Windows tools on a Linux box.
Thanks for the reply!
But I think qphotorec and the photorec on the Linux terminal by testdisk are the same.
I actually had the question of trying the tool on a couple of files first.
Nvm! Thanks though!
I'll look up more ways on the web or think of something on my own :))
Was able to recover all files. Need to leave for college now. Will tell in detail later!
Thanks
Should I type the long answer in this post only or create a new topic?
Put it in here please.
We can then all learn from your experience.
First of all, huge thanks to @callpaul.eu @kovacslt and @easyt50 for helping me out
[This solution does not guarantee that all of your files will be recovered, but it is the best method to try to recover your files]
Step 0: Identify the type of ransomware which has infected your windows computer.
You can put the extension name on the web and check its type.
If it’s a type of offline encryption, you are lucky, cuz many decrypters for offline ransomware are available on the internet. But download from trusted websites only. Ex - nomoreransom.org/
If it’s an online encryption, follow the steps given below:
.
.
.
Step 1: Removal of infected HDD and replacing it with another.
Remove the infected disk from the computer. Buy a new drive (preferably an SSD, as it will boost your performance if you currently use an HDD) and connect it to the SATA cable of your computer. Install any Linux distribution on it.
If you don’t have another computer to make a bootable drive, the computer will prompt you to install Windows as default when you turn it on for the first time. Go ahead and install Windows in that case. Then, install Rufus on it, plug in an 8 GB pendrive and make it a bootable Linux drive (preferably Mint, as it's easy to use).
Restart your computer, go to the boot menu and boot from your USB. Install Linux Mint with the Use Entire Disk option.
Now you have Linux Mint installed on your new drive.
.
.
.
Step 2: Installation of necessary tools:
Open up the terminal and run:
sudo apt install testdisk recoverjpeg
This will install Photorec by Testdisk and RecoverJpeg, which we will use for the recovery of our encrypted files.
.
.
.
Step 3: Connecting your infected drive to the computer:
Buy a SATA to USB port and connect the drive to your computer via USB.
You should now be able to see the files on your infected drive with the weird encrypted extension.
.
.
.
Step 4: RECOVERING YOUR FILES:
We will be using two tools to recover the files- Photorec and Recoverjpeg.
Although photorec can recover JPEG files, recoverjpeg is better at it, while photorec is better at recovering mpg, pdf, audio files, etc…
Run sudo fdisk -l
and note the device path / disk path / disk name.
First we will recover the photos from your infected drive.
Run sudo recoverjpeg /dev/sdXY -o /pathZ
Where:
X - letter of your drive. Ex- b/c/d etc
Y - number of partition - Ex - 1/2/3/4/5 etc
Thus, XY = sdc5 (example)
Z = path to the directory where you want to save the recovered photos.
After running the recoverjpeg tool: you will see an indicator showing how much space of the drive is analysed and how many photos are recovered.
Open the directory where they are saved. You will observe that each photo is being saved twice/thrice; this is mostly because the ransomware encrypts only some 150kb of the photo. Thus the tool recovers both the blurred and ultra low 420p resolution as well as HD 1080p resolution images. You can delete the low resolution images.
Now, time for other files.
Run sudo photorec
.
Select your drive.
Now, go to ‘File opt’ and press ‘s’ to clear all the selections.
Use the up-down arrow keys to navigate the file types and press right arrow key if you want to select that file type. In my case, I selected mov, mpg, mp3 and pdf.
Then, press ‘b’ to save the settings. Come back to the partition selection menu. Select your partition with encrypted files using arrow keys and then click ‘start search’.
Then, you will be prompted to select the filesystem type, select OTHER.
Then, you will be asked to select whole disk/empty space.
Select WHOLE DISK or photorec will recover deleted files only.
Lastly, you will be asked to select the directory for saving the recovered files; use arrow keys to do that and press ‘c’ when it's the correct directory.
That's it, your file recovery will start and you will be shown ETC.
Photorec will also show you how many files in total as well as files by type (mov, mpg, mp3, etc ) are recovered.
.
.
.
Step 5: Cleaning up:
After recovering your files, open Disks/GParted and format the infected drive. Now, you have two options, either to use it as an external drive or an internal drive.
If you wanna use it as an external drive (recommended):
If you want to use Windows again, format the drive to an NTFS partition and transfer all your files to it. Then create a Windows bootable USB and install Windows on your new SSD.
If you want to keep using Linux (again, recommended), format the old drive with ext4 and then you can transfer your files to it.
That’s it, your files are now recovered!
I hope this helped you!
Thanks and Regards,
Hrishikesh.
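The post above notes that recoverjpeg saves each photo two or three times at different resolutions. As an added example (not part of the original post), this Python script reads the dimensions from each recovered JPEG header and lists low-resolution and unreadable files for review without deleting anything. The 1080-pixel threshold and the `*.jpg` file pattern are assumptions.

```python
import struct
import sys
from pathlib import Path

# Start-of-frame markers carry the image size. 0xC4, 0xC8 and 0xCC fall in the
# same range but are table/extension markers, not frames.
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}


def jpeg_size(data):
    """Return (width, height) of the main image, or None if the header is unusable."""
    if data[:2] != b"\xff\xd8":                  # SOI must come first
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:                    # segment chain is broken
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                       # padding byte before a marker
            pos += 1
            continue
        if 0xD0 <= marker <= 0xDA:               # RSTn/SOI/EOI/SOS: no frame header seen
            return None
        if marker in SOF_MARKERS:
            frame = data[pos + 5:pos + 9]        # height then width, big-endian
            return struct.unpack(">HH", frame)[::-1] if len(frame) == 4 else None
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length                        # skip APPn, incl. embedded EXIF thumbnail
    return None


def triage(directory, min_short_side=1080):
    """Group recovered JPEGs by resolution; nothing is deleted or moved."""
    groups = {"full": [], "low_res": [], "unreadable": []}
    for path in sorted(Path(directory).rglob("*.jpg")):
        size = jpeg_size(path.read_bytes())
        if size is None:
            key = "unreadable"                   # truncated or still-encrypted header
        else:
            key = "low_res" if min(size) < min_short_side else "full"
        groups[key].append(path.name)
    return groups


if __name__ == "__main__" and len(sys.argv) > 1:
    for group, names in triage(sys.argv[1]).items():
        print(f"{group} ({len(names)}):", *names, sep="\n  ")
```

Run it with the recovery output directory as the only argument and check the `low_res` list by eye before removing anything.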
Thanks for the very detailed reply. Hopefully no one will need it but always useful to have such resources available for everyone.
Really hope so