How to Recover UmbreCrypt Ransomware Files

Remove UmbreCrypt Ransomware

UmbreCrypt Ransomware is another crypto virus. It targets PCs running Windows and requires victims to send an e-mail to receive instructions on how to decrypt their files. Every file that has been encrypted will have its extension changed to .umbrecrypt_ID_[victim_id].

When running, UmbreCrypt Ransomware will start creating executables in the Temp folder. Then, it will start encrypting files stored on local or mounted network drives using AES-256 bit public-key cryptography, with the private key stored only on the control servers.

UmbreCrypt Ransomware will create README_DECRYPT_UMBRE_ID_[victim_id].txt. The file contains instructions explaining how to pay the ransom. Your wallpaper will also be changed to README_DECRYPT_UMBRE_ID_[8 random characters].jpg. When UmbreCrypt Ransomware is initiated on the computer, it will inject itself deep into the system, infecting Explorer.exe and svchost.exe, modify the registry to start with Windows, and disable the Automatic Repair feature. Once active, it will start the process of encrypting files. These types of ransomware are very hard to detect. Nevertheless, the virus will show its presence after the encryption finishes.

The instructions will show the victims how to send their ID to umbredecrypt@engineer.com or umbrehelp@consultant.com in order to get their files back. Such software could lead to more malware coming into your computer and even cause a loss of data. Such threats are not to be underestimated!

If you are infected, we at SpywareTechs.com recommend that you download SpyHunter Malware Security Suite in order to remove the infection automatically:



Once you get rid of UmbreCrypt Ransomware (see how to remove UmbreCrypt Ransomware in our article), you can try to recover your files using the methods below:


How to Recover Files Encrypted by UmbreCrypt Ransomware:

You can try to recover your files from a system backup. If there is no backup available, you can try to restore the files using the Shadow Copy Service. Windows XP Service Pack 2 and later versions have an integrated feature called Shadow Copy Service which will automatically create backup copies of your files. This method is not bullet-proof, as HydraCrypt Ransomware may delete the shadow copies.

1. How to Restore Files Using the Shadow Copy Service:

Method 1. Using Windows Previous Version tab:

*The Windows System Protection service must have been enabled before the infection, otherwise it will not work.

  1. Right-click on the encrypted file, select Properties from the menu.
  2. Click on the “Previous Version” tab (if it is missing, this means that Windows System Protection has not been enabled).
  3. Choose a previous version copy and click on the Copy button. Select a directory you wish to recover the file to, or you can try to restore the selected file, directly, by hitting the Restore button.

The method can also be used to recover an entire folder. Just right-click on the highlighted folder and select Properties, and then the Previous Version tab.

Method 2. Using Shadow Explorer:

Shadow Explorer can be used to restore whole folders. You can download the program from the link below:


Download and run the program. A list of available drives will show up on the left side. Beside it, you will see available dates for created shadow copies. One could select the drive and the date to restore to.


2. How to recover files encrypted by UmbreCrypt Ransomware using Emsisoft Decrypter Tool:

Fabian Wosar, of Emsisoft, was analyzing the infection and found a way to recover the files. Thus, the UmbreCrypt Ransomware File Decrypt tool was created. The tool is able to decrypt files encrypted by HydraCrypt Ransomware as well.

1. Download DecryptHydraCrypt from the following link and save it on your desktop (Regardless of the name, the tool is able to decrypt both HydraCrypt and UmbreCrypt Ransomware files):


2. Once you've downloaded it, you need to locate an encrypted file on your system together with an original unencrypted version of the same file. If you are not able to find both files, you would need to locate an encrypted PNG file and then download any random PNG image from the internet. Highlight both files, and then drag and drop them onto DecryptHydraCrypt.exe.

3. The tool will attempt to determine the encryption key based on the two files. The process could take quite a bit of time, depending on your system's performance (may take up to a few days).

4. When the decryption key is found, you will receive a notification. Click “Ok” to proceed.

5. Accept the license agreement.

6. Click the “Decrypt” button to start the decryption. If you have other drives or folders that you wish to add for decryption, you can add them by clicking on the Add folder button. Emsisoft decrypter will recursively scan all folders that are added for encrypted files. Then, it will automatically start the decryption process. When the process finishes, the results will be displayed.
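
The following is an added example, not part of the original article and not code from the Emsisoft tool: a Python script that inventories files carrying the .umbrecrypt_ID_[victim_id] marker and the README_DECRYPT_UMBRE_ID_ notes described earlier, then lists encrypted/clean file pairs that could be supplied to the decrypter in step 2. The function names, the backup folder and the sample tree are assumptions; names are matched on both the full name and the stem because the article does not say whether the marker is appended to or replaces the original extension.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Name patterns from the article; the characters allowed in the ID are an assumption.
ENC_RE = re.compile(r"^(?P<orig>.+)\.umbrecrypt_ID_(?P<vid>[^.]+)$", re.IGNORECASE)
NOTE_RE = re.compile(r"^README_DECRYPT_UMBRE_ID_[^.]+\.(txt|jpg)$", re.IGNORECASE)

def inventory(root):
    """Return ({victim_id: [(encrypted_path, original_name)]}, [ransom_note_paths])."""
    encrypted, notes = defaultdict(list), []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        match = ENC_RE.match(path.name)
        if NOTE_RE.match(path.name):
            notes.append(path)
        elif match:
            encrypted[match["vid"]].append((path, match["orig"]))
    return dict(encrypted), notes

def find_pairs(encrypted, reference_root):
    """Pair encrypted files with clean copies (backup, e-mail export) of the same name."""
    clean = defaultdict(list)
    for path in sorted(p for p in Path(reference_root).rglob("*") if p.is_file()):
        if path.stat().st_size == 0 or ENC_RE.match(path.name):
            continue
        # Index by full name (marker appended) and by stem (extension replaced).
        for key in {path.name.lower(), path.stem.lower()}:
            clean[key].append(path)
    return [(enc, cand) for items in encrypted.values()
            for enc, orig in items
            for cand in clean.get(orig.lower(), [])]

def build_sample(root):
    """Constructed sample tree: an encrypted 'docs' folder and a clean 'backup' folder."""
    sample = {
        "docs/report.docx.umbrecrypt_ID_ab12cd34": b"\x00" * 64,
        "docs/logo.png.umbrecrypt_ID_ab12cd34": b"\x01" * 64,
        "docs/README_DECRYPT_UMBRE_ID_ab12cd34.txt": b"constructed note",
        "backup/report.docx": b"original bytes",
    }
    for rel, data in sample.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_bytes(data)
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        found, notes = inventory(build_sample(tmp) / "docs")
        print(find_pairs(found, Path(tmp) / "backup"))
```

Run the inventory against a copy or read-only mount of the affected drive, and keep the encrypted files untouched until a decryption attempt has been verified.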


Nevertheless, if you want to be protected from UmbreCrypt Ransomware, get SpyHunter!


John Moore

Owner of SpywareTechs.com. I specialize in malware and spyware removal. Researching new malware threats that emerge on the internet. Computers are my hobby since... well, more than 10 years. I possess strong knowledge of computer internals and operating systems. However, I use my skills to join the everyday fight against malware and spyware. Follow me on Google+ to stay updated on how to remove the newest infections.
