Current Location:Home>News>Recover data from Wannacry infected computer

Recover data from Wannacry infected computer

Post time:2017-05-16 09:55:30     Views:3594


May 12 evening, the global network was attacked by a ransomware called WannaCry. The virus locked user’s files and demanded payment of Bitcoin to allow access, more than 100 countries was attacked, the law-enforcement and government department was infected in this disaster in cyberspace. Now, Meiya Pico can provide prompt recovery software“Forensics Master”and "Recovery Master for WannaCry-Infected File Recovery" and solution to solve the issue.

Softwares are trial version,password “”,(please download software in PC)


RecoveryMaster for WannaCry-Infected File Recovery know more on Recovery Master software

Recovery Operation Guide:

First things, how to recover infected data:

WannaCry data recovery operation

In order to make user operate more conveniently, based on the results of research and test, Meiya Pico technical researchers added a special function to launch a special edition of company's forensics products "Forensics Master" and " Recovery Master" support one key analysis of infected WannaCry virus computer to complete the two kinds of data recovery method.

1. Recover from volume shadow 

2. Recover from file system

Before recovery, you should do preparation as following.

1. An uninfected computer with Win 7/ Win 10 OS (32/64 bit) as an analysis working computer

2. Install Forensics Master in this computer

3. One SATA-USB adapter (recommend a SATA write-blocker device). If you can not find such device, you also can connect this infected hard drive to analysis working computer

 (NOTICE: if the computer is infected with the virus, please break the network immediately and avoid further transmission of the infection. The suggestion is to restore it in a read-only environment. User must make sure the computer will not infect again)

Before recovery, suggest you create an image file of your infected hard drive, or simply dissemble the infected hard drive and connect it through SATA-to-USB adapter (write blocker will be better)to other not infected computer, and install Forensics Master on this computer.


Let's take a look at the operation steps for Forensics Master.

Step 1: Create a case

a) Click New in the navigation bar.


b) In the guide page, click Next.


Step 2: Add devices

In the Add Device page, select the device need to be recovered, such as image files or disks, and then click Next.


Click ”X”Close the Acquire Evidence page if there is no need for auto forensics.


Currently a case is created and loaded with devices.

Step 3: Recover files

In the Case view, right-click the partition need to be recovered (namely the partition where the files to be recovered locate) and choose “Analyze volume shadow copy” to start recovery.


The progress is shown. Click OK after the recovery is completed.


Step 4: After data recovery is completed. View the results, as shown below.



1) The new partitions that are recovered are shown as new nodes named with time in the Case view, as shown in the red rectangle in the figure above.

2) If no new partition is shown, it means no result for the volume shadow copy recovery in the specific partition. Then you can use “Recover” for a deeper recovery mode to get back more files manually.

Step 5: Click “Recover” button on navigation bar and select deep recover to try to recover more files manually.


then you can find the data on the "lost files"folder, you can also fliter the results in "Advanced Filter"



We will keep analyze and research the recovery mechanism of the Ransomware, and keep updating Forensics Master and Recovery Master.  

Meiya Pico will keep updating for latest solution and release new operation instruction soon. Please feel free to contact Meiya Pico for more information.

Website:   Mailbox:     Linkedin account: MEIYA PICO

Download Forensics Master to recover data