Home Articles How to decrypt ransomware

How to decrypt ransomware

8 min read

File-encrypting ransomware is undoubtedly the worst type of malicious code as of yet. In case of such an attack, simply removing the infection is not enough. Decrypting hostage data is the actual challenge victims are confronted with. The ransomware threat landscape is heterogeneous. Some samples have weak crypto, with the secret decryption key being embedded in the malicious executable itself. Others are made professionally enough to thwart recovery.

One way or another, reviving locked files is on every contaminated user’s agenda. Data backups are a godsend in this context, but this route of incident response is still a weak link of most end users’ and even organizations’ security posture. So what is the best practice, universal walkthrough to restore files mutilated by a ransom Trojan if there are no backups available?

Step 1: Remove the ransomware

This point is somewhat controversial, because most of the widespread strains of crypto ransomware only persevere on an infected computer until the victim’s data has been encrypted. The self-termination routine being in place, some of the newer sophisticated samples go equipped with additional DDoS, identity theft or screen locking mechanisms. With that said, it always makes sense to ascertain that the ransom Trojan and its accompanying components are no longer on the machine.

One of the methods is to leverage System Restore, a native Windows feature that allows reverting the operating system to its earlier state. Although this technique does not apply to personal files, it can make the PC ransomware-free. However, if System Restore was not enabled when the attack took place, it’s no good as a troubleshooting vector. In this case, consider using an automatic antimalware suite, which will detect the ransomware and completely remove it.

Download Ransomware Removal Tool

Step 2: Resort to forensics for file recovery

The effectivity of using forensic tools for restoring ransomware-crippled files revolves around the specificity of the average ransomware onslaught. The fact is, most of these offending programs tend to obliterate the original files. The inaccessible objects sprinkled throughout the plagued PC are nothing but encrypted copies of a victim’s important data. It means that the deleted files may physically still be somewhere on the hard drive, unless the infection utilizes multiple overwrites to shred them beyond recovery. By leveraging software like Data Recovery Pro, you may be able to reinstate some of the original data entries. Just install the tool and run a scan to determine what’s recoverable.

Download Data Recovery Pro

Data Recovery Pro

One more avenue of file restoration has to do with what’s called the Volume Shadow Copy Service (VSS). In a nutshell, it denotes a system module that takes snapshots and saves reserve copies of files at certain intervals. You can view the list of the backup versions for an arbitrary file by going to its Properties and selecting the Previous Versions tab. The application called Shadow Explorer completely automates this routine, enabling users to select folders or files of interest and restore their shadow copies to a desired path.
Shadow Explorer

In the event these do-it-yourself techniques end up futile, it’s high time you searched for specially crafted decryption tools. But first, it’s mandatory to find out what strain you are dealing with.

Step 3: Identify the ransomware

There are hundreds of different crypto ransomware families in the wild. To determine whether security researchers have released the right decryptor for your incident, the rule of thumb is to first figure out which strain has attacked your computer. Sometimes the ransom note straightforwardly mentions the name of the infection, as in the case of the notorious Cerber ransomware.

Ransom note mentioning ransomware name and version

This, however, is the exception rather than the rule. In case there is no direct indication of the name in the ransom demands, the format of encrypted files or the linked-to payment page, it’s recommended to use services like ID Ransomware by MalwareHunterTeam. This website provides two ways to identify a ransom Trojan. One way is to upload the .txt, .hta, .html, or .bmp ransom note, which is usually added to the desktop of a contaminated computer. The other method is to upload a sample encrypted file. Having processed this information, the service will return the name of your digital adversary. At this point, ID Ransomware detects 281 strains of ransomware.

ID Ransomware service

Crypto Sheriff is another resource enabling ransomware victims to identify the sample they are confronted with. It is part of the remarkable international No More Ransom initiative. Users have several options: to upload two encrypted files, which are less than 1 MB in size; to type an email address and/or URL indicated in the ransom notes; or to upload the .txt or .html ransom manual dropped by the infection.

Crypto Sheriff homepage

If a match is found in Crypto Sheriff’s database, the service will display a page defining the type of the ransomware. Furthermore, it provides a button to download the appropriate free decryption tool if available. Users can also report the crime to their local law enforcement agency.

Results generated by Crypto Sheriff

As opposed to ransomware identification, attack attribution isn’t really a component of the data decryption chain proper. However, it provides food for thought about who the adversary is. According to statistics provided by Kaspersky Lab, 47 out of 62 ransomware strains spotted in 2016 were created by Russian-speaking crooks. It means that 75% of all file-encrypting malware samples originate from Russia. These perpetrating programs infected at least 1.4 million people last year. The takeaway is that online extortion has a language. It’s Russian.

75% of all file-encrypting malware samples originate from Russia

Keep in mind that determining what ransomware specimen is on board your computer is half the battle. The next move is to find out whether antimalware labs or security enthusiasts have a free decryption tool in store for the infection.

Step 4: Decrypt your files

Now that you know the name of your cyber adversary, it’s time to figure out if there is a file recovery solution that doesn’t presuppose submitting the ransom. Unfortunately, few strains of ransomware can be decrypted for free, as compared to the whopping general quantity of these infections on the loose. The security companies that have had the most success in the ransomware cracking initiative include Emsisoft, Kaspersky, Avast, AVG, and Trend Micro. The list of available free decryptors below, along with brief descriptions of the corresponding ransomware samples, is the starting point for your troubleshooting:

.777 ransomware Appends file extensions in the following format: [filename]_[timestamp]_$[email_address]$.777, where the email address may be seven_legion@india.com, ninja.gaiver@aol.com, or kaligula.caesar@aol.com
7even-HONE$T Renames files to sequential numbers followed by the .R5A extension and creates FILES_BACK.txt ransom note
.8lock8 ransomware Appends the .8lock8 extension to encrypted files and leaves READ_IT.txt ransom note
Alma Locker Concatenates a random file extension consisting of 5 hexadecimal characters and drops Unlock_files_[victim_ID].html/txt ransom notes
Al-Namrood Uses the .access_denied, .unavailable, or [victim_ID][cryptservice@inbox.ru].rga2adi file extension; creates Read_Me.txt ransom note for every encoded file
Alpha Ransomware Appends the .bin extension to mutilated entries and leaves README HOW TO DECRYPT YOUR FILES.html/txt ransom manuals
(or alternative)
Files are suffixed with the .encrypted, .Encryptedfile, .FuckYourData, or .SecureCrypted string; ransom notes are Contact_Here_To_Recover_Your_Files.txt, How_To_Decrypt.txt, How_to_Recover_Data.txt, or Where_my_files.txt
ApocalypseVM Appends the .encrypted or .locked file extension and drops one of the following ransom notes: How_To_Decrypt.txt, How_to_Decrypt_Your_Files.txt, How_To_Get_Back.txt, or README.txt
Aura ransomware Uses the .[victim_ID]_blockchain@inbox.com file extension and sets a desktop wallpaper with a picture of Edward Snowden on it
AutoIt Appends the [email_address]_.[random_8_characters] extension to encrypted files
AutoLocky Concatenates the .locky extension to scrambled files and creates info.txt/html ransom notes
(or another one)
Encrypts files but does not rename them; the ransom note is “Help Decrypt.html
Bart ransomware Appends the .bart.zip extension to original filenames and drops recover.bmp/txt ransom notes on the desktop
BitCryptor Does not change filenames, displays a warning GUI with payment deadline countdown and decryption instructions
BitStak Renames victim’s files to strings of random hexadecimal characters followed by the .bitstak extension and locks the screen with an image providing decryption steps
Chimera ransomware Uses the .crypt extension to stain affected files and leaves YOUR_FILES_ARE_ENCRYPTED.html ransom note
CoinVault Does not affect filenames and replaces desktop wallpaper with an image reading, “Your files have been encrypted!”
Cryakl ransomware Adds the {CRYPTENDBLACKDC} tag at the end of every encrypted filename
Crybola Uses random extensions composed of hexadecimal characters
CrypBoss Concatenates the .crypt or .R16M01D05 extension to files and drops HELP_DECRYPT.jpg/txt ransom notes
Crypren Uses the .encrypted file extension and creates a ransom note called READ_THIS_TO_DECRYPT.html
Crypt888 (aka Mircop) Prepends filenames with the “Lock.” string and changes desktop wallpaper to one of 7 possible images containing recovery directions
CryptConsole Uses the following email addresses for communication: unCrypte@outlook.com, decipher_ne@outlook.com, or decipher_ne@india.com. Ransom note is called How decrypt files.hta
CryptInfinite Uses the .crinf file extension and leaves ReadDecryptFilesHere.txt ransom note
CryptoDefense While not changing original filenames, the ransomware creates HOW_DECRYPT.txt/html/url combo of decryption manuals
CryptoHost Moves certain file types to a password-protected RAR archive located in %AppData% directory and displays a warning screen providing the size of the ransom and payment steps
CryptoMix / CryptoShield Appends the .cryptoshield, .code, .lesli, .rmd, .rdmk, .scl, or .rscl extension to files; drops ransom notes called # RESTORING FILES #.txt/.html or # HELP_DECRYPT_YOUR_FILES #.txt/.html
CryptON ransomware Uses the following file extensions .id-_locked, .id-_locked_by_krec, .id-_locked_by_perfect, .id-_x3m, .id-_r9oj, .id-_garryweber@protonmail.ch, .id-_steaveiwalker@india.com_, .id-_julia.crown@india.com, .id-_tom.cruz@india.com_, .id-_CarlosBoltehero@india.com_, or .id-_maria.lopez1@india.com_
CryptXXX (versions 1, 2, 3) Adds the .crypt, .crypz or .cryp1 extension to encrypted files and creates !Recovery_[victim_ID].txt/html ransom notes
CrySiS ransomware Appends files with victim ID and attackers’ email address followed by the .CrySiS, .cry, .enc, .hb15, .locked or .xtbl extension; the ransom demands are provided in a desktop wallpaper that replaces the original one
CTB-Locker (website version) Substitutes a website’s index.php/html file with a rogue one called original_index.php/html and replaces the content with a ransom message
Democry ransomware Concatenates one of the following strings to encoded files: ._[timestamp_$email_address$].777 or ._[timestamp_$email_address$].legion; the ransom note is called read_this_file.txt
Dharma ransomware Uses the .dharma, .wallet, or .zzzzz extension to stain skewed files and creates Info.hta or README.txt/jpg ransom notes
DMA Locker Does not change encrypted filenames and displays a warning window titled “DMA Locker”
Fabiansomware Uses the .encrypted file extension and leaves How_To_Decrypt_Your_Files.txt ransom note
FenixLocker Appends the .centrumfr@india.com!! extension to locked files and creates CryptoLocker.txt or “Help to decrypt.txt” ransom manuals
Fury ransomware Does not affect the names of encrypted files, displays a desktop wallpaper with recovery steps
GhostCrypt Appends files with the .Z81928819 extension and drops READ_THIS_FILE.txt ransom note
Globe / Purge ransomware Uses the .globe, .purge or .xtbl file extension and “How to restore files.hta” ransom note
Globe3 ransomware Uses the .decrypt2017 or .hnumkhotep extension to label scrambled data
GlobeImposter ransomware Adds the .crypt extension to locked files and drops HOW_OPEN_FILES.hta ransom manual
Gomasom Appends the .crypt extension to every locked file and does not create ransom notes, providing the attackers’ email address in tweaked filenames instead
Harasom Changes the format of encrypted files to HTML and displays a ransom note whenever this object is double-clicked
HydraCrypt Concatenates the .hydracrypt_ID_[8-character_victim_ID] extension to files and creates README_DECRYPT_HYDRA_ID_[victim_ID].txt ransom note
Jigsaw ransomware
(or alternative)
Uses the .kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .gefickt, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush, or .uk-dealer@sigaint.org file extensions
KeRanger (Mac ransomware) Targets Mac OS X, appends the .encrypted extension to files, and leaves README_FOR_DECRYPT.txt ransom note
KeyBTC ransomware Does not append any extension to original filenames, drops DECRYPT_YOUR_FILES.txt ransom note
Lamer ransomware Encrypts files but does not change filenames; ransom demands are explicated in a warning window
LeChiffre ransomware
(or alternative)
Appends the .LeChiffre extension to files and leaves ransom notes called “_How to decrypt LeChiffre files.html” in all folders with locked data
Legion ransomware Concatenates the ._[timestamp]_$[email_address]$.legion extension to files and uses a new desktop wallpaper as the ransom note
Linux.Encoder Appends the .encrypted file extension and creates README_FOR_DECRYPT-[random_number].txt help file
Lock Screen ransomware Blocks access to operating system, displays a lock screen
Lortok ransomware Appends files with the .crime extension or string of random hexadecimal characters; ransom notes are in Russian
Marlboro ransomware Concatenates the .oops string to encrypted files and leaves _HELP_Recover_Files.html ransom how-to
Merry X-Mas ransomware Aka MRCR, appends files with the .merry, .mrcr1, .pegs1, .rare1, or .rmcm1 extension; uses MERRY_I_LOVE_YOU_BRUCE.hta or YOUR_FILES_ARE_DEAD.hta ransom note
Nanolocker Does not add any extension to encrypted filenames; creates the ATTENTION.rtf ransom note on the desktop
Nemucod Adds the .crypted extension and DECRYPT.txt ransom manual
NMoreira Appends files with the ._AiraCropEncrypted! or .maktub extension and drops “How to decrypt your files.txt” or “Recupere seus arquivos. Leia-me!.txt” ransom note
ODCODC ransomware Changes filenames according to the following pattern: C-email-[email_address]-[original_filename]-.odcodc; creates Readthis.txt help file
OzozaLocker Appends scrambled files with the .locked or .VOZMEZD IE_ZA_DNR extension. Also leaves “HOW TO DECRYPT YOUR FILES.txt” ransom note, which instructs victims to send email to santa_helper@protonmail.com or parkerm@protonmail.com
PClock Does not change filenames, stores the list of scrambled data inside enc_files.txt document
Petya ransomware Encrypts master file table and blocks an infected system, displaying an ASCII art warning screen
Philadelphia ransomware Replaces original filenames with random hexadecimal characters and appends the .locked extension to encrypted files; ransom demands are explained in a warning window
PizzaCrypts / JuicyLemon Appends the .id-[victim_ID]_maestro@pizzacrypts.info extension to files and creates “Pizzacrypts Info.txt” ransom note
Pletor ransomware Mostly affects Android devices, locking the screen and demanding a fine for alleged law violations
Radamant Appends files with the .rdm or .rrk extension and creates YOUR_FILES.url ransom manual on the desktop
Rakhni ransomware Concatenates the .id-[random_10_digits]_helpme@freespeechmail.org extension to encrypted files and lists ransom demands on a desktop wallpaper
Rannoh ransomware Uses the .locked-[original_filename].[random_4_chars] extension and sets a desktop wallpaper containing recovery steps
Rotor ransomware Appends filenames with one of the following extensions: “!____cocoslim98@gmail.com____.tar”, “!____glok9200@gmail.com____.tar”, or “!__recoverynow@india.com__.v8”, encouraging victims to negotiate the terms of decryption over email
Shade / Troldesh
(or alternative)
Appends the .7h9r, .better_call_saul, .breaking_bad, .da_vinci_code, .heisenberg, .no_more_ransom, .windows10, .xtbl, or .ytbl extension to encrypted files; sprinkles multiple copies of README.txt ransom note across the system
SNSLocker Concatenates the .RSNSlocked extension to files and displays a warning page with countdown timer and payment steps
Stampado Uses the .locked file extension and instructs victims to reach the threat actors at clesline@212@openmailbox.org, getfiles@tutanota.com, paytodecrypt@sigaint.org, ransom64@sigaint.org, or success!@qip.ru
SZFLocker Appends files with the .szf extension and triggers a .BAT file with the attackers’ address in it when a victim tries to open an arbitrary encrypted object
TeleCrypt Targets Russian users, appends .Xcri to files or no extension at all, and displays a ransom note called “Informer” spelled out in Russian
TeslaCrypt Does not change filenames and creates one of the following ransom notes: HELP_TO_DECRYPT_YOUR_FILES.bmp/html/txt, Howto_Restore_FILES.bmp/html/txt, or _how_recover_.bmp/html/txt
UmbreCrypt Appends the .umbrecrypt_ID_[8-character_victim_ID] extension to affected files and drops README_DECRYPT_UMBRE_ID_[victim_ID].txt ransom note
Wildfire Locker Adds the .wflx string at the end of encrypted files and creates HOW_TO_UNLOCK_FILES_README_[victim_ID].txt decryption manual
XORBAT Appends the .crypted extension to victim’s files and leaves Readme.txt ransom note
Xorist ransomware Concatenates the .6FKR8d, .73i87A, .@EnCrYpTeD2016@, .antihacker2017, .ava, .EnCiPhErEd, .encoderpass, .error, .errorfiles, .fileiscryptedhard, .p5tkjw, .pa2384259, .PoAr2w, or .xorist extension to filenames and creates HOW TO DECRYPT FILES.txt ransom manual

Most of these decryption tools are easy to use. The ones by Emsisoft, for instance, require that ransomware victims drag and drop an arbitrary encrypted file and its original version onto the decryptor’s window. With some utilities, however, more advanced tech skills are necessary, such as the use of command prompt and the like. Furthermore, ransomware authors tend to tweak their code once in a while in order to defeat previously released decryptors. In any case, the list above should come in handy.

An additional recommendation is to look up the name of the ransomware on search engines, browse dedicated forums such as Bleeping Computer, and use the above-mentioned ID Ransomware and No More Ransom services. The best prevention tips are as follows: maintain regular data backups, do not open fishy email attachments, and use reliable security software that goes equipped with an anti-ransomware module.

  • Locky ransomware evolution

    There are ransomware samples out there whose devs cannot boast professional data encryptio…
  • Cerber ransomware evolution

    The abnormally rapid progress of the crypto ransomware industry over the past several year…

Leave a Reply

Your email address will not be published. Required fields are marked *

Check Also

How to decrypt ransomware

File-encrypting ransomware is undoubtedly the worst type of malicious code as of yet. In c…