Threat Intelligence

    Can Ransomware Encrypt Already Encrypted Files? 

    Ransomware can even encrypt your organization’s encrypted files and hold them hostage, but there are ways to recover access without paying.

    by Stephanie Overby

    Key Points

    • Ransomware is a serious threat for organizations of all sizes, as cyber thieves render their files inaccessible and demand payment for recovery.
    • Encrypting files is one of the most common ransomware attacks.
    • This type of ransomware can be successfully deployed to encrypt already encrypted files (secondary encryption).
    • Ransomware attackers will demand money for the encryption key required to unlock the files.


    Cyber incidents involving ransomware — a type of malware used to hold an organization’s files hostage — have surged over the last year. In fact, nearly two thirds of organizations (61%) were hit by a ransomware attack in 2020, according to Mimecast’s State of Email Security report. One of the most common ransomware approaches involves encrypting the target organization’s files, thereby locking its users out of them. It’s a threat even to already encrypted files or data, but one that savvy organizations can work to minimize and respond to without paying off the bad guys.

    How Can Ransomware Encrypt Already-Encrypted Files?

    Customer information, financial or patient records, business plans and strategies, intellectual property — no organization wants its most sensitive and valuable data assets to fall into the wrong hands. That’s why data encryption is a cyber security best practice for organizations around the world, whether it’s to protect the loss or exposure of valuable information shared via email or to secure data traveling to, returning from or residing in the cloud.

    Still, encryption does not prevent ransomware exploits (though it can have the benefit of keeping data from being read and further exploited by ransomware attackers). Files that your organization has already encrypted can just as easily be encrypted (again) by ransomware. This so-called secondary encryption can prove very costly to undo for those who do not understand how to prevent and respond to such scenarios. 

    It’s important to understand how ransomware works. Cybercriminals gain access to a network — by getting users to click on a malicious email attachment or link, and by using stolen credentials. They may also exploit software or attack network vulnerabilities to make their way in to install the ransomware. In many cases, a crypto-algorithm will then get to work encrypting files that the attacked organization likely uses often. The perpetrators of the ransomware attack will then demand that the organization pay them for the code required to decrypt the files. It doesn’t matter if the data in the files had already been encrypted. The bad guys can easily install their own lock on top of the organization’s encryption layer — and this malicious code would be encryption for which the targeted organization has no decryption key.

    Types of Encryption

    There are two primary types of encryption that these ransomware attacks can exploit for profit: file encryption and device encryption.

    • File encryption. This ransomware approach encrypts files on a computer or machine, making them unusable until they are unencrypted.
    • Device encryption. This approach encrypts a device’s entire computer storage system, making all files inaccessible without having to encrypt each individually.

    No matter the method used, when ransomware is used to encrypt already-encrypted files, the impact can be swift and severe. Once ransomware locks devices or files, an organization’s operations are disrupted, sensitive or proprietary data is at risk, and the damage to customer experiences and brand reputation begins to mount.[1]

    How to Recover Encrypted Files

    There are a number of basic, but necessary steps organizations should take to guard themselves against ransomware attacks. They include installing anti-virus software and firewalls, conducting security awareness training for employees, and maintaining software updates and patches. When it comes to the threat of ransomware encrypting already encrypted files, backup solutions provide a very important alternate access to the corrupted data. Steps include creating an image backup (a single file of the operating system and all associated data) before data encryption and doing frequent backups (either on-premises or in the cloud).

    Just as important as investing in ransomware avoidance is understanding how best to respond to ransomware that encrypts already-encrypted files. An organization is only as secure as its weakest link — one missed software update or successful phishing attempt can open the door to ransomware infection.

    Cybercriminals will take advantage of an organization’s ignorance about how to recover files from a ransomware attack. The element of surprise, when accompanied by the attacked organization’s need to access its files, leads many to panic and pay off bad actors in order to recover encrypted files from ransomware. 

    Cybersecurity experts point out, however, that paying the ransom is no guarantee that the cybercriminals will provide the encryption key or code required to unlock the kidnapped files. What’s worse, simply making the payment demanded to recover files from a ransomware attack does not ensure that the malware has been removed from the network.

    When faced with a ransomware virus that has encrypted previously encrypted files, the first steps include: 

    • Disconnecting the affected computers or devices from the network to prevent further spread of the ransomware to other machines.
    • Contacting the proper authorities (including the U.S. Cybersecurity and Infrastructure Security Agency and the FBI). Sharing details about the nature of the attack with the authorities or recovery teams may help them better understand the nature of the attack and potentially locate a decryption key.[2]

    Then it’s important to locate available backups to recover files rather than paying for a decryption key. (It is possible that backups, too, can be encrypted by ransomware, so organizations can best set themselves up for ransomware recovery by keeping backup copies in a different location with no connection to the corporate network.) When there are no available backups, organizations must instead begin the process of decrypting the files encrypted by ransomware.

    There are a variety of tools and services available to help block ransomware, unlock encrypted files, recover data and prevent the further spread of the ransomware.

    The Bottom Line

    While it’s true that ransomware remains a significant and evolving threat for organizations and that even encrypted files are vulnerable, there are best practices for preventing, responding to and ultimately recovering files from ransomware attacks. By investing in robust cybersecurity tools and threat intelligence capabilities, and understanding the right ways to respond after files have been encrypted by ransomware, organizations can limit the negative impact to their operations, employees, customers and reputations. 


    [1] Frequently Asked Questions — Ransomware, Berkeley Information Security Office

    [2] “You’ve Been Hit With Ransomware — Next Steps To Recovery,” Forbes



    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top