![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with, the type and strength of encryption used by the malware writers and a variety of other factors as explained here. All crypto malware ransomware use some form of encryption algorithms, most of which are secure and unbreakable. Thus, the possibility of decryption depends on the thoroughness of the malware creator, what algorithm the creator utilized for encryption, discovery of any flaws and sometimes just plain luck. Reverse engineering the malware itself does not guarantee experts will be able to crack it especially if there isn't a known flaw as noted here by Emsisoft's CTO, Fabian Worwar. Without the criminal's master private key that can be used to decrypt your files, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way that cannot be brute-forced...the public key alone that encrypted files is useless for decryption. Some ransomware (Conti) will use a unique AES-256 encryption key per file which is then encrypted with a bundled RSA-4096 public encryption key unique to each victim. In most cases, unless the keys are leaked or the criminals are found/arrested by the authorities and the keys are recovered, then provided to the public, there is no possibility that anyone can provide a decryption solution.
The best way to identify the different ransomwares is the ransom note (including it's actual name and contents), samples of the encrypted files, any obvious extensions appended to the encrypted files, possible filemarkers, the malware file itself responsible for the infection and information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment.
Is XerXes the full extension or is there an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214], .[ID]Rrw9Vfi+GM-0oRM1[ID]) or an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>]) preceding the extension?
What is the actual name of the ransom note?
Can you provide (copy & paste) the ransom note contents in your next reply?
You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. ID Ransomware can identify ransomware which adds a prefix instead of an extension and more accurately identifies ransomware by filemarkers if applicable so try that first. Uploading both encrypted files and ransom notes together along with any contact email addresses or hyperlinks provided by the criminals gives a more positive match with identification and helps to avoid false detections.
Please provide a link to the ID Ransomware results.