Ransomware tends to change the filename as part of the encryption process. Locky adds a .lock file extension to all documents, while CryptXXX uses the .crypt file extension. Look through the files and see which files have been modified. See if you can still open them or if you can change the file extensions back and open the files. Sometimes, the file extensions have been changed without actually encrypting the files.
Get back into the system using a Linux Live CD and search the system to see if the actual files have been moved or renamed. Most modern operating systems can search the contents of the file along with filenames.
Don’t get your hopes too high
While it’s good to be skeptical, if you see a ransom demand, it's probably legitimate. Thanks to crimeware kits preloaded with ransomware and ransomware as a service, the barrier to entry is much lower. Script kiddies and other less technically inclined criminals are trying to piggyback on the success of real ransomware gangs without putting in the work.
“The simplicity of buying your crypto-malware from a crime-as-a-service provider now means cyber criminals can easily deploy a ransomware attack that uses complex and effective encryption against their targets,” says Mimecast’s cyber security strategist, Orlando Scott-Cowley.
Ransomware infections are a serious threat and fake attacks are relatively rare. But before you start the process of rebuilding your machine to recover from a ransomware infection, make sure you aren’t being scammed. It takes only a few minutes.
If it turns out you've been victimized by the real thing, you may have another slim chance: publicly available decryption tools.
Sign up for Computerworld eNewsletters.