Windows 10 is suddenly encrypting files

Yesterday I spent some time consolidating files from three external hard drives down to two. Somewhere along the line Windows started prompting me to backup my encryption key. I have no idea why, since I didn't ask for any encryption. Bitlocker is off for all drives.

Then I performed a full backup of my D (data) drive using the "copy hard drive" function in Paragon Hard Disk Manager. And, as I have done before, I replaced my existing D drive with the backup.

I've used that software many times to make the backup and I've never specified encryption in the process. I don't even know if it's possible in Paragon. Yet, somehow, I have encrypted files on the (new) D drive, so every time I boot up I get a prompt to backup the key. I actually did the key backup once, figuring "what the heck," but the prompt still appears.

I ran cipher /u to see what might be encrypted and got a list of encrypted files on the (new) D drive, and Windows reports that every one of them "could not be decrypted." About half are PDFs in my Documents folder, and others are various file types in other folders.

Also, when I run a search in File Explorer on that drive, when the requested files come up they have blank icons, no folder path, and don't do anything when I double-click them.

What's going on here? The logical assumption would be that I encrypted some files, but I can't begin to imagine how, or why only some of the files on that drive are encrypted. I hope putting the first D drive back in the computer will take care of this in the short term, but that won't tell me how any files were encrypted. I don't want to encrypt any files right now, and I want this nonsense to stop.

EDIT: It seems that entire folders were encrypted. I tried decrypting a few of them, and the results are hit-or-miss. Some work, but others don't, and there's no explanation.

With all these stories of cryptoware in the news lately, I'd be worried. You might want to run something like this, just to be sure: Malwarebytes Anti-Ransomware. Here's a good write-up on the topic, if you're not familiar.

I've been reading forums on this problem and it looks like there are some programs that can cause automatic encryption of files, and that you have to go and manually decrypt the files, or uninstall the program causing it.

You may want to install a clean copy of Windows on a clean hard disk if you have a separate hard disk for testing.

Looks like a lot of unknowns here

Michael said:

With all these stories of cryptoware in the news lately, I'd be worried. You might want to run something like this, just to be sure: Malwarebytes Anti-Ransomware. Here's a good write-up on the topic, if you're not familiar.

I downloaded and installed that program, and it says I'm protected, but if there's already cryptoware on my PC I'll be darned if I know where it is. I installed a few new programs recently; I'll uninstall them to be safe.

EDIT: By the time I got through uninstalling a few programs, Anti-Ransomware reported a piece of ransomware that was added to my User folder, or a sub-folder of it. I don't know if there are any more, but it looks like this software is on the job. I'd rather not go through the trouble of a fresh 10 install, but it's on the back burner, if needed.

BTW, reverting to the previous D drive didn't help. The same files are encrypted there, and I can't seem to decrypt them. Some folders will decrypt, but the files won't, and some folders don't decrypt at all. I can't even copy them to another drive to get them off my main drive.

I'm very worried now......

Another update: I can decrypt folders, but not files. And I can't move the files off that drive to another that won't stay in the computer. This is very frustrating.

BTW, I found the original encryption key, but my password didn't work. I sent that key to the recycle bin and copied the key I created with the backup to the same location, but although my password is recognized, I still can't decrypt any files.

You may need to do a fresh install if all else fails, which is what it looks like.

Plus the fresh install is easy. Since your system was already activated, just boot from the disk, skip the product key page and the system will automatically activate itself after install.

A fresh install may be easy, but it's time-consuming and tedious. I'd rather not go to that trouble, but if that's what I have to do, then that's what I'll do.

Just one thing: how would a clean install let me decrypt those files?

Glad you caught it before all was lost. I make sure to do occasional backups to external drives that I otherwise keep disconnected from the computer, especially for this reason. These crypto viruses will eventually encrypt every file they can get access to.

Stay vigilant!

Thanks! As it turns out, the file that the anti-ransomware program found was au_.exe, which is part of some uninstall routines. I learned this first by Googling the file, but it really hit home when I was deleting a program after the anti-ransomware quarantined the file, and the uninstall crashed as a result.

However, I'm sure that PFX file was the troublemaker since it didn't exist on my 7 installation and 7 decrypted the files with ease. I also copied the personal files to a separate hard drive, and then encrypted and hid those files on my main data drive.

(I also prefer 7's way of signaling encryption with green font instead of 10's signal of a teeny-tiny sub-icon, but that's another matter.)

It may be coincidence, but it seems that this trouble started after I uninstalled Avast and let Windows Defender take over. I've gone back to Avast, and I ran a detailed scan of my entire system. I also ran Malwarebytes standard program. Avast found problems with a handful of files I recognized, and it fixed them. Malwarebytes found nothing new. Since the anti-ransomware program had a false positive I couldn't undo, I'm leaving it alone for now.