How to decrypt ransomware [Jul 2021]
By Will Wisser. Posted on October 8, 2019.

Get best practice tips for identifying ransomware strains, successfully recovering the encrypted hostage data, and preventing the attack in the first place.

File-encrypting ransomware is undoubtedly the worst type of malicious code to date. In the case of such an attack, simply removing the infection is not enough. Decrypting the hostage data is the actual challenge victims are confronted with. The ransomware threat landscape is heterogeneous. Some samples have weak crypto, with the secret decryption key embedded in the malicious executable itself. Others are made professionally enough to thwart recovery. One way or another, reviving locked files is on every contaminated user’s agenda. Data backups are a godsend in this context, but this route of incident response is still a weak link in most end users’ and even organizations’ security posture. So what is the best-practice, universal walkthrough for restoring files mutilated by a ransom Trojan if there are no backups available?

Step 1: Remove the ransomware

This point is somewhat controversial, because most widespread strains of crypto ransomware only persist on an infected computer until the victim’s data has been encrypted. Even with such a self-termination routine in place, some of the newer, more sophisticated samples come equipped with additional DDoS, identity theft or screen locking mechanisms. With that said, it always makes sense to ascertain that the ransom Trojan and its accompanying components are no longer on the machine. One method is to leverage System Restore, a native Windows feature that allows reverting the operating system to an earlier state. Although this technique does not apply to personal files, it can make the PC ransomware-free. However, if System Restore was not enabled when the attack took place, it is no good as a troubleshooting vector.
In this case, consider using an automatic antimalware suite, which will detect the ransomware and completely remove it.

Step 2: Resort to forensics for file recovery

The effectiveness of using forensic tools for restoring ransomware-crippled files revolves around a specific trait of the average ransomware onslaught. The fact is, most of these offending programs tend to delete the original files. The inaccessible objects sprinkled throughout the plagued PC are nothing but encrypted copies of the victim’s important data. It means that the deleted files may physically still be somewhere on the hard drive, unless the infection uses multiple overwrites to shred them beyond recovery. By leveraging software like Data Recovery Pro, you may be able to reinstate some of the original data entries. Just install the tool and run a scan to determine what is recoverable.

One more avenue of file restoration has to do with what is called the Volume Shadow Copy Service (VSS). In a nutshell, it denotes a system module that takes snapshots and saves reserve copies of files at certain intervals. You can view the list of backup versions of an arbitrary file by going to its Properties and selecting the Previous Versions tab. The application called Shadow Explorer completely automates this routine, enabling users to select folders or files of interest and restore their shadow copies to a desired path.

In the event these do-it-yourself techniques end up futile, it is high time you searched for specially crafted decryption tools. But first, it is mandatory to find out what strain you are dealing with.
Step 3: Identify the ransomware

There are hundreds of different crypto ransomware families in the wild. To determine whether security researchers have released the right decryptor for your incident, the rule of thumb is to first figure out which strain has attacked your computer. Sometimes the ransom note straightforwardly mentions the name and iteration (including subversion) of the infection, as is the case with the notorious GandCrab or Cerber ransomware lineages. This, however, is the exception rather than the rule.

In case there is no direct indication of the name in the ransom demands, the format of encrypted files or the linked-to payment page, it is recommended to use services like ID Ransomware by MalwareHunterTeam. This website provides two ways to identify a ransom Trojan. One way is to upload the .txt, .hta, .html, or .bmp ransom note, which is usually added to the desktop of a contaminated computer. The other method is to upload a sample encrypted file. Having processed this information, the service will return the name of your digital adversary. At this point, ID Ransomware detects 701 strains of ransomware.

Crypto Sheriff is another resource enabling ransomware victims to identify the sample they are confronted with. It is part of the remarkable international No More Ransom initiative. Users have several options: to upload two encrypted files, each less than 1 MB in size; to type an email address and/or URL indicated in the ransom notes; or to upload the .txt or .html ransom manual dropped by the infection. If a match is found in Crypto Sheriff’s database, the service will display a page defining the type of the ransomware. Furthermore, it provides a button to download the appropriate free decryption tool if available. Users can also report the crime to their local law enforcement agency.

As opposed to ransomware identification, attack attribution isn’t really a component of the data decryption chain proper.
However, it provides food for thought about who the adversary is. According to statistics provided by Kaspersky Lab, 47 out of 62 ransomware strains spotted in 2016 were created by Russian-speaking crooks. It means that 75% of all file-encrypting malware samples originate from Russia. These perpetrating programs infected at least 1.4 million people last year. The takeaway is that online extortion has a language. It’s Russian.

Keep in mind that determining what ransomware specimen is on board your computer is half the battle. The next move is to find out whether antimalware labs or security enthusiasts have a free decryption tool in store for the infection.

Step 4: Decrypt your files

Now that you know the name of your cyber adversary, it is time to figure out if there is a file recovery solution that doesn’t presuppose submitting the ransom. Unfortunately, few strains of ransomware can be decrypted for free, as compared to the whopping general quantity of these infections on the loose. The security companies that have had the most success in the ransomware cracking initiative include Emsisoft, Kaspersky, Avast, AVG, Trend Micro, and Bitdefender. The most game-changing breakthroughs that hit the headlines in 2018 through 2019 are attributed to the latter vendor. In particular, Bitdefender has created a free decryptor that cracks the most widespread variants of the GandCrab ransomware, including v1, v4, and v5 up to GandCrab 5.1. This has reportedly become a real rescue for roughly 20,000 victims who thereby saved a total of $18 million.
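The identification step above is something a responder can script for the first-pass triage. The following is an added example (my own code, not the author's and not any vendor's tool): it matches the filenames collected from a host against a small indicator table transcribed from the decryptor list that follows in this article and ranks candidate families. The regular expressions, the scoring weights and the sample directory listing are my own constructions, and the table covers only a handful of the families listed. Two design points worth noticing: a random extension (GandCrab v5, Rapid v3) cannot be matched by name, so only the ransom note is usable as an indicator for those, and several families share an extension such as .crypt, so the note filename is what breaks the tie.

```python
import re
from collections import Counter

# Indicator table transcribed from the decryptor list in this article
# (a handful of families only). "ext" regexes are matched against whole
# filenames, "note" regexes against ransom-note filenames. The regexes are
# my own encoding of the listed patterns; the list itself is the source.
INDICATORS = {
    "GandCrab v1":   {"ext": [r"\.GDCB$"], "note": []},
    "GandCrab v4":   {"ext": [r"\.KRAB$"], "note": []},
    # v5.2 uses a random extension, so only the note is usable as an indicator.
    "GandCrab v5.2": {"ext": [], "note": [r"^[A-Za-z0-9]+-DECRYPT\.txt$"]},
    "Ryuk":          {"ext": [r"\.ryk$"], "note": [r"^RyukReadMe\.txt$"]},
    "DJVU":          {"ext": [r"\.djvuu?$"], "note": [r"^_openme\.txt$"]},
    "8lock8":        {"ext": [r"\.8lock8$"], "note": [r"^READ_IT\.txt$"]},
    "AutoLocky":     {"ext": [r"\.locky$"], "note": [r"^info\.(txt|html)$"]},
    "Dharma":        {"ext": [r"\.(dharma|wallet|zzzzz)$"],
                      "note": [r"^Info\.hta$", r"^README\.(txt|jpg)$"]},
    "Adobe":         {"ext": [r"\.id-[0-9A-Za-z]{8}\.\[[^\]]+@[^\]]+\]\.adobe$"],
                      "note": [r"^Info\.hta$", r"^FILES ENCRYPTED\.txt$"]},
    "Phobos":        {"ext": [r"id-[^.\[\]]+\.\[[^\]]+@[^\]]+\]\.btc$"],
                      "note": [r"^Info\.hta$", r"^FILES ENCRYPTED\.txt$"]},
    # Two families share .crypt; only the ransom note tells them apart.
    "Chimera":       {"ext": [r"\.crypt$"], "note": [r"^YOUR_FILES_ARE_ENCRYPTED\.html$"]},
    "GlobeImposter": {"ext": [r"\.crypt$"], "note": [r"^HOW_OPEN_FILES\.hta$"]},
}

EXT_WEIGHT = 2   # an extension hit is usually specific to a family
NOTE_WEIGHT = 1  # note names such as README.txt are reused across families


def identify(filenames):
    """Rank the INDICATORS families against filenames collected from a host.

    Returns a list of (family, score, evidence) tuples, best match first.
    An empty list means nothing in the table matched and the sample should
    go to ID Ransomware or Crypto Sheriff instead.
    """
    scores = Counter()
    evidence = {}
    for family, ind in INDICATORS.items():
        for name in filenames:
            # Strip any directory part; indicators are about the file name only.
            base = name.replace("\\", "/").rsplit("/", 1)[-1]
            for pattern in ind["ext"]:
                if re.search(pattern, base, re.IGNORECASE):
                    scores[family] += EXT_WEIGHT
                    evidence.setdefault(family, set()).add(base)
            for pattern in ind["note"]:
                if re.search(pattern, base, re.IGNORECASE):
                    scores[family] += NOTE_WEIGHT
                    evidence.setdefault(family, set()).add(base)
    return [(family, score, sorted(evidence[family]))
            for family, score in scores.most_common()]


# Constructed directory listing, not taken from a real incident.
SAMPLE_LISTING = [
    "Finance/Q3_budget.xlsx.crypt",
    "Photos/IMG_0042.jpg.crypt",
    "Desktop/HOW_OPEN_FILES.hta",
    "Desktop/desktop.ini",
    "Documents/report.docx",
]

if __name__ == "__main__":
    for family, score, files in identify(SAMPLE_LISTING):
        print(f"{family}: score {score}, evidence {files}")
```

On the constructed listing both .crypt families score on the two encrypted files, and GlobeImposter comes out on top only because HOW_OPEN_FILES.hta is present; without a note the two would tie, which is the signal to fall back to the online identification services.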
The list of available free decryptors below, along with brief descriptions of the corresponding ransomware samples, is the starting point for your troubleshooting:

.777 ransomware: Appends file extensions in the following format: [filename]_[timestamp]_$[email_address]$.777, where the email address may be seven_legion@india.com, ninja.gaiver@aol.com, or kaligula.caesar@aol.com
7even-HONE$T: Renames files to sequential numbers followed by the .R5A extension and creates FILES_BACK.txt ransom note
.8lock8 ransomware: Appends the .8lock8 extension to encrypted files and leaves READ_IT.txt ransom note
Adobe ransomware: Appends the .id-{8-character victim ID}.[extortionists’ email address].adobe extension to files, leaves Info.hta and FILES ENCRYPTED.txt ransom note
Alma Locker: Concatenates a random file extension consisting of 5 hexadecimal characters and drops Unlock_files_[victim_ID].html/txt ransom notes
Al-Namrood: Uses the .access_denied, .unavailable, or [victim_ID][cryptservice@inbox.ru].rga2adi file extension; creates Read_Me.txt ransom note for every encoded file
Alpha Ransomware: Appends the .bin extension to mutilated entries and leaves README HOW TO DECRYPT YOUR FILES.html/txt ransom manuals
Apocalypse (or alternative): Files are suffixed with the .encrypted, .Encryptedfile, .FuckYourData, or .SecureCrypted string; ransom notes are Contact_Here_To_Recover_Your_Files.txt, How_To_Decrypt.txt, How_to_Recover_Data.txt, or Where_my_files.txt
ApocalypseVM: Appends the .encrypted or .locked file extension and drops one of the following ransom notes: How_To_Decrypt.txt, How_to_Decrypt_Your_Files.txt, How_To_Get_Back.txt, or README.txt
Aura ransomware: Uses the .[victim_ID]_blockchain@inbox.com file extension and sets a desktop wallpaper with a picture of Edward Snowden on it
AutoIt: Appends the [email_address]_.[random_8_characters] extension to encrypted files
AutoLocky: Concatenates the .locky extension to scrambled files and creates info.txt/html ransom notes
BadBlock (or another one): Encrypts files but does not rename them; the ransom note is “Help Decrypt.html”
Bart ransomware: Appends the .bart.zip extension to original filenames and drops recover.bmp/txt ransom notes on the desktop
BitCryptor: Does not change filenames, displays a warning GUI with payment deadline countdown and decryption instructions
BitStak: Renames victim’s files to strings of random hexadecimal characters followed by the .bitstak extension and locks the screen with an image providing decryption steps
Chimera ransomware: Uses the .crypt extension to stain affected files and leaves YOUR_FILES_ARE_ENCRYPTED.html ransom note
CoinVault: Does not affect filenames and replaces desktop wallpaper with an image reading, “Your files have been encrypted!”
Cryakl ransomware: Adds the {CRYPTENDBLACKDC} tag at the end of every encrypted filename
Crybola: Uses random extensions composed of hexadecimal characters
CrypBoss: Concatenates the .crypt or .R16M01D05 extension to files and drops HELP_DECRYPT.jpg/txt ransom notes
Crypren: Uses the .encrypted file extension and creates a ransom note called READ_THIS_TO_DECRYPT.html
Crypt888 (aka Mircop): Prepends filenames with the “Lock.” string and changes desktop wallpaper to one of 7 possible images containing recovery directions
CryptConsole: Uses the following email addresses for communication: unCrypte@outlook.com, decipher_ne@outlook.com, or decipher_ne@india.com. Ransom note is called How decrypt files.hta
CryptInfinite: Uses the .crinf file extension and leaves ReadDecryptFilesHere.txt ransom note
CryptoDefense: While not changing original filenames, the ransomware creates HOW_DECRYPT.txt/html/url combo of decryption manuals
CryptoHost: Moves certain file types to a password-protected RAR archive located in %AppData% directory and displays a warning screen providing the size of the ransom and payment steps
CryptoMix / CryptoShield: Appends the .cryptoshield, .code, .lesli, .rmd, .rdmk, .scl, or .rscl extension to files; drops ransom notes called # RESTORING FILES #.txt/.html or # HELP_DECRYPT_YOUR_FILES #.txt/.html
CryptON ransomware: Uses the following file extensions: .id-_locked, .id-_locked_by_krec, .id-_locked_by_perfect, .id-_x3m, .id-_r9oj, .id-_garryweber@protonmail.ch, .id-_steaveiwalker@india.com_, .id-_julia.crown@india.com, .id-_tom.cruz@india.com_, .id-_CarlosBoltehero@india.com_, or .id-_maria.lopez1@india.com_
CryptXXX (versions 1, 2, 3): Adds the .crypt, .crypz or .cryp1 extension to encrypted files and creates !Recovery_[victim_ID].txt/html ransom notes
CrySiS ransomware: Appends files with victim ID and attackers’ email address followed by the .CrySiS, .cry, .enc, .hb15, .locked or .xtbl extension; the ransom demands are provided in a desktop wallpaper that replaces the original one
CTB-Locker (website version): Substitutes a website’s index.php/html file with a rogue one called original_index.php/html and replaces the content with a ransom message
Democry ransomware: Concatenates one of the following strings to encoded files: ._[timestamp_$email_address$].777 or ._[timestamp_$email_address$].legion; the ransom note is called read_this_file.txt
DJVU ransomware: Affixes the .djvu or .djvuu suffix to locked files and leaves a ransom note named _openme.txt
Dharma ransomware: Uses the .dharma, .wallet, or .zzzzz extension to stain skewed files and creates Info.hta or README.txt/jpg ransom notes
DMA Locker: Does not change encrypted filenames and displays a warning window titled “DMA Locker”
ETH file ransomware: Blemishes data with the .id-{victim ID}.[attacker’s email address].ETH extension and drops Info.hta / FILES ENCRYPTED.txt note
Fabiansomware: Uses the .encrypted file extension and leaves How_To_Decrypt_Your_Files.txt ransom note
FenixLocker: Appends the .centrumfr@india.com!! extension to locked files and creates CryptoLocker.txt or “Help to decrypt.txt” ransom manuals
Fury ransomware: Does not affect the names of encrypted files, displays a desktop wallpaper with recovery steps
GandCrab (up to v5.1): Supports GandCrab v1 (.GDCB extension), v4 (.KRAB extension), v5 up to 5.1 inclusive (random extension, e.g. .sfpravsekl)
GandCrab v5.2: Adds extension consisting of up to 10 random characters (e.g. .nrspavfekv), drops a ransom note named [RANDOM]-DECRYPT.txt
GhostCrypt: Appends files with the .Z81928819 extension and drops READ_THIS_FILE.txt ransom note
Globe / Purge ransomware: Uses the .globe, .purge or .xtbl file extension and “How to restore files.hta” ransom note
Globe3 ransomware: Uses the .decrypt2017 or .hnumkhotep extension to label scrambled data
GlobeImposter ransomware: Adds the .crypt extension to locked files and drops HOW_OPEN_FILES.hta ransom manual
Gomasom: Appends the .crypt extension to every locked file and does not create ransom notes, providing the attackers’ email address in tweaked filenames instead
Harasom: Changes the format of encrypted files to HTML and displays a ransom note whenever this object is double-clicked
HydraCrypt: Concatenates the .hydracrypt_ID_[8-character_victim_ID] extension to files and creates README_DECRYPT_HYDRA_ID_[victim_ID].txt ransom note
Jigsaw ransomware (or alternative): Uses the .kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .gefickt, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush, or .uk-dealer@sigaint.org file extensions
KeRanger (Mac ransomware): Targets Mac OS X, appends the .encrypted extension to files, and leaves README_FOR_DECRYPT.txt ransom note
KeyBTC ransomware: Does not append any extension to original filenames, drops DECRYPT_YOUR_FILES.txt ransom note
Lamer ransomware: Encrypts files but does not change filenames; ransom demands are explicated in a warning window
LeChiffre ransomware (or alternative): Appends the .LeChiffre extension to files and leaves ransom notes called “_How to decrypt LeChiffre files.html” in all folders with locked data
Legion ransomware: Concatenates the ._[timestamp]_$[email_address]$.legion extension to files and uses a new desktop wallpaper as the ransom note
Linux.Encoder: Appends the .encrypted file extension and creates README_FOR_DECRYPT-[random_number].txt help file
Lock Screen ransomware: Blocks access to the operating system, displays a lock screen
Lortok ransomware: Appends files with the .crime extension or a string of random hexadecimal characters; ransom notes are in Russian
Marlboro ransomware: Concatenates the .oops string to encrypted files and leaves _HELP_Recover_Files.html ransom how-to
Merry X-Mas ransomware: Aka MRCR, appends files with the .merry, .mrcr1, .pegs1, .rare1, or .rmcm1 extension; uses MERRY_I_LOVE_YOU_BRUCE.hta or YOUR_FILES_ARE_DEAD.hta ransom note
Nanolocker: Does not add any extension to encrypted filenames; creates the ATTENTION.rtf ransom note on the desktop
Nemucod: Adds the .crypted extension and DECRYPT.txt ransom manual
NMoreira: Appends files with the ._AiraCropEncrypted! or .maktub extension and drops “How to decrypt your files.txt” or “Recupere seus arquivos. Leia-me!.txt” ransom note
No_more_ransom: Speckles files with the .no_more_ransom extension and drops README.txt rescue note
ODCODC ransomware: Changes filenames according to the following pattern: C-email-[email_address]-[original_filename]-.odcodc; creates Readthis.txt help file
OzozaLocker: Appends scrambled files with the .locked or .VOZMEZDIE_ZA_DNR extension. Also leaves “HOW TO DECRYPT YOUR FILES.txt” ransom note, which instructs victims to send email to santa_helper@protonmail.com or parkerm@protonmail.com
PClock: Does not change filenames, stores the list of scrambled data inside enc_files.txt document
Petya ransomware: Encrypts the master file table and blocks an infected system, displaying an ASCII art warning screen
Philadelphia ransomware: Replaces original filenames with random hexadecimal characters and appends the .locked extension to encrypted files; ransom demands are explained in a warning window
Phobos ransomware: Uses the id-{victim ID}.[raphaeldupon@aol.com].btc file extension and a combo of Info.hta / FILES ENCRYPTED.txt ransom notes
PizzaCrypts / JuicyLemon: Appends the .id-[victim_ID]_maestro@pizzacrypts.info extension to files and creates “Pizzacrypts Info.txt” ransom note
Pletor ransomware: Mostly affects Android devices, locking the screen and demanding a fine for alleged law violations
Radamant: Appends files with the .rdm or .rrk extension and creates YOUR_FILES.url ransom manual on the desktop
Rakhni ransomware: Concatenates the .id-[random_10_digits]_helpme@freespeechmail.org extension to encrypted files and lists ransom demands on a desktop wallpaper
Rannoh ransomware: Uses the .locked-[original_filename].[random_4_chars] extension and sets a desktop wallpaper containing recovery steps
Rapid ransomware: Adds the .rapid or .paymeme extension to hostage files and creates ! How Recovery Files.txt, !!! README !!!.txt, or How to Recover Encrypted Files.txt ransom notes
Rapid Ransomware v3: Subjoins a random 5-character extension to filenames and drops a ransom note named DECRYPT.[5-character ID].txt
Rotor ransomware: Appends filenames with one of the following extensions: “!____cocoslim98@gmail.com____.tar”, “!____glok9200@gmail.com____.tar”, or “!__recoverynow@india.com__.v8”, encouraging victims to negotiate the terms of decryption over email
Ryuk ransomware: Uses the .ryk extension to stain encrypted files and drops RyukReadMe.txt ransom note
Shade / Troldesh (or alternative): Appends the .7h9r, .better_call_saul, .breaking_bad, .da_vinci_code, .heisenberg, .no_more_ransom, .windows10, .xtbl, or .ytbl extension to encrypted files; sprinkles multiple copies of README.txt ransom note across the system
SNSLocker: Concatenates the .RSNSlocked extension to files and displays a warning page with countdown timer and payment steps
Sodinokibi: Each hostage file additionally gets a victim-specific random 6-8 alphanumeric character extension added to the filename
Stampado: Uses the .locked file extension and instructs victims to reach the threat actors at clesline@212@openmailbox.org, getfiles@tutanota.com, paytodecrypt@sigaint.org, ransom64@sigaint.org, or success!@qip.ru
SZFLocker: Appends files with the .szf extension and triggers a .BAT file with the attackers’ address in it when a victim tries to open an arbitrary encrypted object
TeleCrypt: Targets Russian users, appends .Xcri to files or no extension at all, and displays a ransom note called “Informer” spelled out in Russian
TeslaCrypt: Does not change filenames and creates one of the following ransom notes: HELP_TO_DECRYPT_YOUR_FILES.bmp/html/txt, Howto_Restore_FILES.bmp/html/txt, or _how_recover_.bmp/html/txt
UmbreCrypt: Appends the .umbrecrypt_ID_[8-character_victim_ID] extension to affected files and drops README_DECRYPT_UMBRE_ID_[victim_ID].txt ransom note
Wildfire Locker: Adds the .wflx string at the end of encrypted files and creates HOW_TO_UNLOCK_FILES_README_[victim_ID].txt decryption manual
XORBAT: Appends the .crypted extension to victim’s files and leaves Readme.txt ransom note
Xorist ransomware: Concatenates the .6FKR8d, .73i87A, .@EnCrYpTeD2016@, .antihacker2017, .ava, .EnCiPhErEd, .encoderpass, .error, .errorfiles, .fileiscryptedhard, .p5tkjw, .pa2384259, .PoAr2w, or .xorist extension to filenames and creates HOW TO DECRYPT FILES.txt ransom manual

Most of these decryption tools are easy to use. The ones by Emsisoft, for instance, require that ransomware victims drag and drop an arbitrary encrypted file and its original version onto the decryptor’s window. The GandCrab decryptor by Bitdefender is even more intuitively built – it scans the whole system or a specified path, spots all the hostage files and automatically decrypts them without user involvement if the ransomware version is supported. With some utilities, however, more advanced tech skills are necessary, such as the use of the command prompt and the like.
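The Emsisoft workflow just described (one encrypted file plus its original copy) is a known-plaintext recovery, and it only works because the underlying cipher is weak, which is the "weak crypto" case mentioned at the start of this article. The script below is an added illustration, my own code rather than any vendor's decryptor and not the real algorithm of any family in the list: it simulates a deliberately weak scheme (repeating-key XOR as a stand-in), derives the key from a single original/encrypted pair, and uses that key to decrypt a second file for which no clean copy exists. The key and document bytes are constructed. The one practical point it makes is the length check: if the known file is shorter than the key, the recovered key is only a prefix, and the function reports that instead of silently producing garbage for the rest of the file.

```python
from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the stand-in weak scheme for this demo.

    Encryption and decryption are the same operation, which is exactly why
    one known (original, encrypted) pair gives the key away.
    """
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def shortest_period(stream: bytes) -> int:
    """Smallest p such that stream[i] == stream[i - p] for every i >= p.

    Returns len(stream) when no repetition is visible in the sample.
    """
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(original: bytes, encrypted: bytes):
    """Derive the repeating key from one (original, encrypted) file pair.

    Returns (key, confident). confident is False when the pair is too short
    to show the key repeating at least once in full; the returned key is then
    only a prefix and decrypts other files correctly only up to its length.
    """
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted copies must have the same length")
    if not original:
        raise ValueError("empty sample")
    keystream = bytes(o ^ e for o, e in zip(original, encrypted))
    period = shortest_period(keystream)
    return keystream[:period], len(keystream) >= 2 * period


# --- Constructed demo data, not taken from any real sample ---
DEMO_KEY = bytes.fromhex("5f3a9c4e7d1b2a6c8e0f4d2b1c3a5e7d")  # 16-byte key
ORIGINAL_A = b"Quarterly report, constructed sample text serving as the known original."
ORIGINAL_B = (b"Second constructed document. The victim has no clean copy of this one, "
              b"so it can only be recovered with the key derived from the first pair.")
ENCRYPTED_A = xor_with_key(ORIGINAL_A, DEMO_KEY)
ENCRYPTED_B = xor_with_key(ORIGINAL_B, DEMO_KEY)


def recover_second_file():
    """Use the pair (ORIGINAL_A, ENCRYPTED_A) to recover ENCRYPTED_B."""
    key, confident = recover_key(ORIGINAL_A, ENCRYPTED_A)
    return xor_with_key(ENCRYPTED_B, key), confident


if __name__ == "__main__":
    recovered, confident = recover_second_file()
    print("confident:", confident)
    print(recovered.decode())
```

Real decryptors do more than this (they identify the variant, locate the key material the sample actually used and handle the file format), but the reason they can ask for a single file pair is the same: a cipher whose key can be read straight off one plaintext/ciphertext pair is not a cipher that protects the attacker.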
Furthermore, ransomware authors tend to tweak their code once in a while in order to defeat previously released decryptors. In any case, the list above should come in handy. An additional recommendation is to look up the name of the ransomware on search engines, browse dedicated forums such as Bleeping Computer, and use the above-mentioned ID Ransomware and No More Ransom services.

The best prevention tips are as follows: maintain regular data backups, do not open fishy email attachments, and use reliable security software that comes equipped with an anti-ransomware module.

Can you remove ransomware?

Yes, you can – moreover, you shouldn’t run into any difficulties with it. Most security tools made by reputable publishers can easily identify the threat and eradicate all of its components. The funny thing is, many ransom trojans follow a self-termination tactic after encrypting a victim’s data and therefore you may not even have to remove the malicious code whatsoever. Even if this is the case, though, it’s cold comfort because your files remain encrypted regardless. Ultimately, it’s data decryption rather than ransomware removal that you need to focus on.

How does ransomware spread?

There are quite a few ‘mainstream’ techniques of ransomware distribution. Malicious spam is by far the dominant vector, where thousands of phishing emails are sent in one shot using massive botnets. These messages contain booby-trapped attachments that mostly come in .zip, .js, or .docm format. When opened, the sketchy files trigger scripts that download ransomware components from a C2 (Command & Control) server and execute the infection on the host without raising a red flag.

Attacks via RDP (Remote Desktop Protocol) hacks are gaining momentum as well. They are often leveraged to orchestrate targeted raids against organizations or local governments. By the way, such extortion campaigns have seen a huge spike in 2019.
The criminals zero in on systems using default or weak RDP credentials and thereby take root in the enterprise network, being able to deposit and run their ransomware manually over the compromised connection.

Although exploit kits appear to be gradually fading away in present-day ransomware propagation schemes, they continue to be a concern. This approach harnesses known software vulnerabilities as the entry point. It is particularly dangerous because the whole infection chain takes place silently and doesn’t give the would-be victims a heads-up until their files are scrambled with a cipher. Incidentally, exploits are to blame for some of the biggest ransomware outbreaks in history, including the WannaCry and NotPetya cyber-epidemics.

There are also more ‘exotic’ spreading mechanisms that involve instant messages on social media, drive-by downloads on adult sites, or virus-tainted keygen applications. However, they are marginal as compared to the above three methods.

Can ransomware spread through network?

Does antivirus stop ransomware?

Ideally, antivirus software should be able to detect such an attack and stop it in its tracks. However, reports about successful ransomware incursions against ostensibly well-protected systems keep hitting the headlines. There are a few aspects that play a role in this regard.
First of all, some AVs are more effective than others. What matters is whether or not the tool comes with real-time protection, Internet security features, and a heuristic analysis module. The frequency and quality of malware signature updates influence the app’s ransomware prevention efficiency as well. Lots of people opt for free security suites that lack some of these modules and capabilities.

Furthermore, cybercrooks are constantly coming up with new techniques that might slip under the radar of traditional antiviruses, even reputable ones with up-to-date definitions. Security is a process, and it requires permanent improvements of the defenses to keep up with the evolving threats. In summary, antivirus is an important layer of protection against ransomware, but it’s not a cure-all. You need to additionally follow safe online practices to take it up a notch.

How much did ransomware make in 2019?

First things first, it’s impossible to provide accurate numbers, because numerous victims choose not to report ransomware attacks. For businesses, this is a particularly touchy subject as it may entail reputational risks. Although such attacks saw a significant decline in terms of their quantity over the past few years, the criminals’ overall earnings are unlikely to have decreased. The malefactors aren’t really trying to catch small fish in a big pond anymore – instead, they switched to zeroing in on enterprises through highly targeted onslaughts, and the average amount of ransom per victim has grown multiple times.

There are some rough estimates and statistics that will allow you to get the big picture, though. Having reached its peak in 2016-2017, the ransomware plague was earning its operators about $1 billion annually. The damages incurred by victims who lost their data were much higher. This period was followed by a dramatic nosedive that lasted throughout 2018. Where are we now?
According to the latest McAfee Labs Threats Report released in August 2019, ransomware attacks grew by 118% in the year’s first quarter alone. Furthermore, the epidemic now follows big money by mostly going after businesses and other high-profile victims. Just think about it: having fallen prey to the Ryuk ransomware, Jackson County, Georgia, paid the attackers a whopping $400,000 to regain access to their data. That’s just one incident that demonstrates the trend. Given the dynamics and the bigger ransoms being extorted from organizations, it makes sense to forecast a gross global revenue in 2019 similar to that of the above-mentioned boom a few years ago.
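The "How does ransomware spread?" answer above names the malspam vector: a .zip attachment carrying a .js or .docm payload. As an added example (my own code, not the author's and not any product's filter), here is the kind of attachment policy check a mail gateway or a script-based triage tool can apply before such a message reaches a mailbox. It flags executable and macro-enabled extensions, spots double extensions such as invoice.pdf.js, opens zip archives in memory to inspect their members recursively, and refuses to scan archives that are nested too deep, hold too many members, declare an excessive uncompressed size, or contain password-protected members (which cannot be inspected at all). The extension set beyond .js and .docm and every sample attachment are my own constructions; the member contents are placeholder bytes, not real scripts or documents.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that run code or macros when opened. The article names .js and
# .docm (inside .zip) as the usual malspam payloads; the remaining entries are
# my own, conventional choices for a gateway policy.
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                    ".docm", ".xlsm", ".exe", ".scr"}

MAX_DEPTH = 2                         # nested archives opened at most this deep
MAX_MEMBERS = 200                     # refuse archives with more entries
MAX_UNCOMPRESSED = 50 * 1024 * 1024   # refuse archives claiming to expand beyond this


def inspect_attachment(name, data, depth=0):
    """Return (path, reason) findings for one attachment; [] means clean.

    Zip archives are opened in memory and every member is inspected
    recursively, with bounds on nesting depth, member count and declared
    uncompressed size so that a crafted archive cannot exhaust the scanner.
    """
    findings = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
        findings.append((name, f"executable or macro-enabled file ({suffixes[-1]})"))
        if len(suffixes) >= 2:
            findings.append((name, "double extension disguises the real type"))

    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        findings.append((name, f"archive nested more than {MAX_DEPTH} levels deep"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        if len(members) > MAX_MEMBERS:
            findings.append((name, f"{len(members)} members exceeds limit of {MAX_MEMBERS}"))
            return findings
        if sum(m.file_size for m in members) > MAX_UNCOMPRESSED:
            findings.append((name, "declared uncompressed size exceeds limit (zip bomb?)"))
            return findings
        for m in members:
            member_path = f"{name}/{m.filename}"
            if m.flag_bits & 0x1:  # encrypted member: content cannot be inspected
                findings.append((member_path, "password-protected member cannot be scanned"))
                continue
            findings.extend(inspect_attachment(member_path, zf.read(m), depth + 1))
    return findings


def should_block(name, data):
    """Policy decision: any finding at all blocks the attachment."""
    return bool(inspect_attachment(name, data))


def _zip_of(entries):
    """Build an in-memory zip from {filename: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for filename, payload in entries.items():
            zf.writestr(filename, payload)
    return buf.getvalue()


# Constructed attachment: a zip holding a script with a double extension, a
# harmless text file and a nested zip with a macro-enabled document.
# Member contents are placeholder bytes, not real scripts or documents.
SAMPLE_ZIP = _zip_of({
    "invoice.pdf.js": b"placeholder bytes standing in for a script",
    "readme.txt": b"plain text, nothing to flag",
    "archive.zip": _zip_of({"macro.docm": b"placeholder bytes standing in for a document"}),
})

# Three archives deep: exceeds MAX_DEPTH and is reported rather than opened.
DEEP_ZIP = _zip_of({"l1.zip": _zip_of({"l2.zip": _zip_of({"l3.txt": b"x"})})})

if __name__ == "__main__":
    for path, reason in inspect_attachment("invoice.zip", SAMPLE_ZIP):
        print(f"{path}: {reason}")
```

The bounds matter as much as the extension list: an archive the scanner refuses to open is reported as a finding and therefore blocked, so a sender cannot bypass the policy by wrapping the payload in a password-protected or deeply nested archive, which is a common way to slip past filters that only look at the outer file name.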