Hi Ditch,
Is he right?
Far as I know, there is no way to decrypt files encrypted by Locky, yet. Can I assume that he did not keep backups?
We are advising people who are affected by ransomware and do not plan on paying the ransom, that their best bet is to immediately image the drive before doing anything else since there is a possibility that in the future there might be a way to decrypt the files.
He may be in luck if System Restore was enabled on the computer since Windows creates shadow copies of your files from that point in time when the system restore snapshot was/is created and even though Locky will attempt to delete these shadow copies the infection is not always successful and there may be a small chance that he may be able to restore copies of those files using one of two methods.
The first would be with using Windows previous versions as follows:
- Right-click on the file then click on Properties.
- Select the Previous Versions tab.
This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up.
The second method is by using
Shadow Explorer.
Hope this small bit of information helps in some way. You can read more about
Locky Ransomeware here.
Donna