How to decrypt or get back encrypted files infected by known encrypting ransomware viruses.

In recent years, cybercriminals have been distributing a new type of virus that can encrypt files on your computer (or your network) in order to earn easy money from their victims. This type of virus is called “Ransomware”, and it can infect computer systems if the computer's user doesn’t pay attention when opening attachments or links from unknown senders or from sites that have been hacked by cybercriminals. In my experience, the only safe way to protect yourself from this type of virus is to keep clean backups of your files stored in a separate place from your computer, for example on an unplugged external USB hard drive or on DVD-ROMs.

This article contains important information about some known encrypting ransomware (crypt) viruses that were designed to encrypt critical files, plus the available options and utilities for decrypting your encrypted files after an infection. I wrote this article in order to keep all the information about the available decryption tools in one place, and I will try to keep it updated. Please share with us your experience and any other new information you may know, so that we can help each other.

How to decrypt files encrypted from Ransomware – Description & Known Decryption Tools – Methods:

 

Updates June 2016: 

1. Trend Micro has released a Ransomware File Decryptor tool to attempt to decrypt files encrypted by the following ransomware families:

Ransomware            File name and extension
CryptXXX V1, V2, V3*  <original filename>.crypt, crypz, or 5 hexadecimal characters
CryptXXX V4, V5       <MD5 Hash>.5 Hexadecimal Characters
TeslaCrypt V1         <original filename>.ECC
TeslaCrypt V2         <original filename>.VVV, CCC, ZZZ, AAA, ABC, XYZ
TeslaCrypt V3         <original filename>.XXX or TTT or MP3 or MICRO
TeslaCrypt V4         <original filename>.<original extension>
SNSLocker             <original filename>.RSNSLocked
AutoLocky             <original filename>.locky
BadBlock              <Original file name>
777                   <Original file name>.777
XORIST                <original filename>.xorist or random extension
XORBAT                <original filename>.crypted
CERBER V1             <10 Random Characters>.cerber
Stampado              <original filename>.locked
Nemucod               <original filename>.crypted
Chimera               <original filename>.crypt

 

* Note: Applies to CryptXXX V3 ransomware: Due to the advanced encryption of this particular Crypto-Ransomware, only partial data decryption is currently possible on files affected by CryptXXX V3, and you have to use a third-party repair tool to repair your files, such as: http://www.stellarinfo.com/file-repair/file-repair-toolkit.php

To download Trend Micro’s Ransomware File Decrypter tool (and read the instructions on how to use it), navigate to this page: Downloading and Using the Trend Micro Ransomware File Decryptor

2. Kaspersky has released the following decryptor tools:

A. Kaspersky's RakhniDecryptor tool  is designed to decrypt files affected by*:

* Note: RakhniDecryptor utility is always updated to decrypt files from several ransomware families. Visit the RakhniDecryptor's utility webpage, to view all the updated information.

Rakhni
Agent.iih
Aura
Autoit
Pletor
Rotor
Lamer
Lortok
Cryptokluchen
Democry
Bitman – TeslaCrypt version 3 and 4

B. Kaspersky's RannohDecryptor tool  (How to Guide) is designed to decrypt files affected by:

Rannoh
AutoIt
Fury
Crybola
Cryakl
CryptXXX versions 1 and 2

 

Cryptowall – Virus Information & Decryption Options.

The Cryptowall (or “Cryptowall Decrypter”) virus is the new variant of the Cryptodefense ransomware virus. When a computer is infected with Cryptowall ransomware, all the critical files on the computer (including the files on mapped network drives, if you're logged in to a network) become encrypted with strong encryption that makes it practically impossible to decrypt them. After the Cryptowall encryption, the virus creates and sends the private key (password) to a private server, to be used by the criminal to decrypt your files. After that, the criminals inform their victims that all their critical files are encrypted and that the only way to decrypt them is to pay a ransom of 500$ (or more) within a defined time period, otherwise the ransom will be doubled or their files will be lost permanently.

How to decrypt Cryptowall infected files and get your files back:

If you want to decrypt Cryptowall encrypted files and get your files back, then you have these options:

A. The first option is to pay the ransom. If you decide to do that, then proceed with the payment at your own risk because according to our research some users get their data back and some others don’t. Keep in mind that criminals are not the most trustworthy people on the planet.

B. The second option is to clean the infected computer and then to restore your infected files from a clean backup (if you have one).

C. If you don’t have a clean backup, then the only option that remains is to restore your files to previous versions from “Shadow Copies”. Note that this procedure works only on Windows 8, Windows 7 and Vista, and only if the “System Restore” feature was previously enabled on your computer and was not disabled after the Cryptowall infection.

A detailed analysis of Cryptowall ransomware infection and removal can be found in this post:

 

 

CryptoDefense & How_Decrypt – Virus Information & Decryption.

Cryptodefense is another ransomware virus that can encrypt all the files on your computer, regardless of their extension (file type), with strong encryption that makes it practically impossible to decrypt them. The virus may disable the “System Restore” feature on the infected computer and may delete all “Shadow Volume Copies” files, so you cannot restore your files to their previous versions. Upon infection, the Cryptodefense ransomware virus creates two files in every infected folder (“How_Decrypt.txt” and “How_Decrypt.html”) with detailed instructions on how to pay the ransom in order to decrypt your files, and sends the private key (password) to a private server, to be used by the criminal to decrypt your files.

A detailed analysis of Cryptodefense ransomware infection and removal can be found in this post:

 

How to decrypt Cryptodefense encrypted files and get your files back:

In order to decrypt Cryptodefense infected files you have these options:

A. The first option is to pay the ransom. If you decide to do that, then proceed with the payment at your own risk because according to our research, some users get their data back and some others don’t. Keep in mind that criminals are not the most trustworthy people on the planet.

B. The second option is to clean the infected computer and then to restore your infected files from a clean backup (if you have one).

C. If you don’t have a clean backup, then you can try to restore your files to previous versions from “Shadow Copies”. Note that this procedure works only on Windows 8, Windows 7 and Vista, and only if the “System Restore” feature was previously enabled on your computer and was not disabled after the Cryptodefense infection.

D. Finally, if you don’t have a clean backup and you aren’t able to restore your files from “Shadow Copies”, then you can try to decrypt Cryptodefense’s encrypted files by using the Emsisoft’s Decryptor utility. To do that:

Important Notice: This utility works only for computers infected before 1st April 2014.

1. Download the “Emsisoft Decrypter” utility to your computer (e.g. your Desktop).


 

2. When the download is completed, navigate to your Desktop and “Extract” the “decrypt_cryptodefense.zip” file.

3. Now double-click to run the “decrypt_cryptodefense” utility.


 

4. Finally press the “Decrypt” button to decrypt your files.


 

Source – Additional information: A detailed tutorial on how to decrypt CryptoDefense encrypted files using Emsisoft’s decrypter utility can be found here: http://www.bleepingcomputer.com/virus-removal/cryptodefense-ransomware-information#emsisoft

 

 

Cryptorbit or HowDecrypt – Virus Information & Decryption.

The Cryptorbit or HowDecrypt virus is a ransomware virus that can encrypt all the files on your computer. Once your computer is infected with the Cryptorbit virus, all your critical files are encrypted, regardless of their extension (file type), with strong encryption that makes it practically impossible to decrypt them. The virus also creates two files in every infected folder on your computer (“HowDecrypt.txt” and “HowDecrypt.gif”) with detailed instructions on how you can pay the ransom and decrypt your files.

A detailed analysis of Cryptorbit ransomware infection and removal can be found in this post:

 

How to decrypt Cryptorbit infected files and get your files back:

In order to decrypt Cryptorbit encrypted files you have these options:

A. The first option is to pay the ransom. If you decide to do that, then proceed with the payment at your own risk because according to our research some users get their data back and some others don’t.

B. The second option is to clean the infected computer and then to restore your infected files from a clean backup (if you have one).

C. If you don’t have a clean backup, then you can try to restore your files to previous versions from “Shadow Copies”. Note that this procedure works only on Windows 8, Windows 7 and Vista, and only if the “System Restore” feature was previously enabled on your computer and was not disabled after the Cryptorbit infection.

D. Finally, if you don’t have a clean backup and you aren’t able to restore your files from “Shadow Copies” then you can try to decrypt Cryptorbit’s encrypted files by using the Anti-CryptorBit utility. To do that:

1. Download the “Anti-CryptorBit” utility to your computer (e.g. your Desktop).

 

2. When the download is completed, navigate to your Desktop and “Extract” the “Anti-CryptorBitV2.zip” file.

 

3. Now double-click to run the Anti-CryptorBitv2 utility.


 

4. Choose what type of files you want to recover. (e.g. “JPG”)

5. Finally, choose the folder that contains the corrupted/encrypted (JPG) files and then press the “Start” button to fix them.

 

 

Cryptolocker – Virus Information & Decryption.

Cryptolocker (also known as “Troj/Ransom-ACP”, “Trojan.Ransomcrypt.F”) is a nasty ransomware virus (TROJAN): when it infects your computer, it encrypts all the files regardless of their extension (file type). The bad news with this virus is that, once it infects your computer, your critical files are encrypted with strong encryption and it is practically impossible to decrypt them. Once a computer is infected with the Cryptolocker virus, an information message appears on the victim’s computer demanding a payment (ransom) of 300$ (or more) in order to decrypt the files.

A detailed analysis of Cryptolocker ransomware infection and removal can be found in this post:

How to decrypt Cryptolocker infected files and get your files back:

In order to decrypt Cryptolocker infected files you have these options:

A. The first option is to pay the ransom. If you decide to do that, then proceed with the payment at your own risk because according to our research some users get their data back and some others don’t.

B. The second option is to clean the infected computer and then to restore your infected files from a clean backup (if you have one).

C. If you don’t have a clean backup, then you can try to restore your files to previous versions from “Shadow Copies”. Note that this procedure works only on Windows 8, Windows 7 and Vista, and only if the “System Restore” feature was previously enabled on your computer and was not disabled after the Cryptolocker infection.

D. In August 2014, FireEye & Fox-IT released a new service that retrieves the private decryption key for users that were infected by the CryptoLocker ransomware. The service is called 'DecryptCryptoLocker'; it is available globally and does not require users to register or provide contact information in order to use it.

In order to use this service you have to visit this site: https://www.decryptcryptolocker.com/ and upload one encrypted CryptoLocker file from the infected computer (Notice: upload a file that doesn’t contain sensitive and/or private information). After you do that, you have to specify an email address in order to receive your private key and a link to download the decryption tool. Finally run the downloaded CryptoLocker decryption tool (locally on your computer) and enter your private key to decrypt your CryptoLocker encrypted files.

More information about this service can be found here: FireEye and Fox-IT Announce New Service to Help CryptoLocker Victims.


CryptXXX V1, V2, V3 (Variants: .crypt , crypz, or 5 hexadecimal characters).

  • CryptXXX V1 & CryptXXX V2 ransomware encrypts your files and adds the ".crypt" extension at the end of each file name after infection.
  • CryptXXX v3 adds the ".cryptz" extension after encryption of your files.

The trojan CryptXXX encrypts the following types of files:

.3DM, .3DS, .3G2, .3GP, .7Z, .ACCDB, .AES, .AI, .AIF, .APK, .APP, .ARC, .ASC, .ASF, .ASM, .ASP, .ASPX, ASX, .AVI, .BMP, .BRD, .BZ2, .C, .CER, .CFG, .CFM, .CGI, .CGM, .CLASS, .CMD, .CPP, .CRT,  .CS, .CSR, .CSS, .CSV, .CUE, .DB, .DBF, .DCH, .DCU, .DDS, .DIF, .DIP, .DJV, .DJVU, .DOC, .DOCB, .DOCM, .DOCX, .DOT, .DOTM, .DOTX, .DTD, .DWG, .DXF, .EML, .EPS, .FDB, .FLA, .FLV, .FRM, .GADGET, .GBK, .GBR, .GED, .GIF, .GPG, .GPX, .GZ, .H, .H, .HTM, .HTML, .HWP, .IBD, .IBOOKS, .IFF, .INDD, .JAR, .JAVA, .JKS, .JPG, .JS,  .JSP, .KEY, .KML, .KMZ, .LAY, .LAY6, .LDF, .LUA, .M, .M3U, .M4A, .M4V, .MAX, .MDB, .MDF, .MFD, .MID, .MKV, .MML, .MOV, .MP3, .MP4, .MPA, .MPG, .MS11, .MSI, .MYD, .MYI, .NEF, .NOTE, .OBJ, .ODB, .ODG, .ODP, .ODS, .ODT, .OTG, .OTP, .OTS, .OTT, .P12, .PAGES, .PAQ, .PAS, .PCT, .PDB, .PDF, .PEM, .PHP, .PIF, .PL, .PLUGIN, .PNG, .POT, .POTM, .POTX, .PPAM, .PPS, .PPSM, .PPSX, .PPT, .PPTM, .PPTX, .PRF, .PRIV,  .PRIVAT, .PS, PSD, .PSPIMAGE, .PY, .QCOW2, .RA, .RAR, .RAW, .RM, .RSS, .RTF, .SCH, .SDF, .SH, .SITX,  .SLDX, .SLK, .SLN, .SQL, .SQLITE, .SQLITE, .SRT, .STC, .STD, .STI, .STW, .SVG, .SWF, .SXC, .SXD, .SXI,   .SXM, .SXW, .TAR, .TBK, .TEX, .TGA, .TGZ, .THM, .TIF, .TIFF, .TLB, .TMP, .TXT,  .UOP, .UOT, .VB, .VBS,  .VCF, .VCXPRO, .VDI, .VMDK, .VMX,  .VOB, .WAV, .WKS,  .WMA, .WMV, .WPD,  .WPS,  .WSF,  .XCODEPROJ, .XHTML, .XLC, .XLM, .XLR, .XLS, .XLSB, .XLSM, .XLSX, .XLT,  .XLTM, .XLTX, .XLW,  .XML,  .YUV,.ZIP,  .ZIPX

 

How to decrypt CryptXXX files.

If you are infected with CryptXXX Version 1 or Version 2, then use Kaspersky's RannohDecryptor tool  to decrypt your files. (How to Guide).

If you are infected with CryptXXX Version 3, then use Trend Micro's Ransomware File Decryptor. *

* Note: Due to the advanced encryption of the CryptXXX V3 virus, only partial data decryption is currently possible, and you have to use a third-party repair tool to repair your files, such as: http://www.stellarinfo.com/file-repair/file-repair-toolkit.php

 

Locky & AutoLocky (Variants: .locky)

Locky ransomware encrypts your files using RSA-2048 and AES-128 encryption, and after the infection all your files are renamed with a unique, 32-character file name with the extension ".locky" (e.g. "1E776633B7E6DFE7ACD1B1A5E9577BCE.locky"). The Locky virus can infect local or network drives, and during infection it creates a file named "_HELP_instructions.html" in every infected folder, with instructions on how you can pay the ransom and decrypt your files using the TOR browser.

AutoLocky is another variant of the Locky virus. The main difference between Locky and AutoLocky is that AutoLocky does not change the original name of the file during infection (e.g. if a file is named "Document1.doc" before infection, AutoLocky renames it to "Document1.doc.locky").

How to decrypt .LOCKY files:

  1. The first option is to clean the infected computer and then to restore your infected files from a clean backup (if you have one).
  2. The second option, if you don’t have a clean backup, is to restore your files to previous versions from “Shadow Copies”. How to restore your files from Shadow Copies.
  3. The third option is to use Emsisoft's Decrypter for AutoLocky to decrypt your files. (The decrypter tool works only for AutoLocky.)

 

Trojan-Ransom.Win32.Rector – Virus Information & Decryption.

The Trojan Rector encrypts files with the following extensions: .doc, .jpg, .pdf, .rar, and makes them unusable. Once your files are infected with Trojan Rector, the extensions of the infected files are changed to .VSCRYPT, .INFECTED, .KORREKTOR or .BLOC. When you try to open the infected files, a message in Cyrillic characters is displayed on your screen which contains the ransom demand and the details for the payment. The cybercriminal behind Trojan Rector calls himself “††KOPPEKTOP††” and asks victims to contact him via email or ICQ (EMAIL: v-martjanov@mail.ru / ICQ: 557973252 or 481095) to receive instructions on how to unlock their files.

How to decrypt files infected with Trojan Rector and get your files back:

Advice: Copy all the infected files to a separate directory and close all open programs before proceeding to scan and decrypt the affected files.

1. Download Rector Decryptor utility (from Kaspersky Labs) to your computer.

2. When the download is completed, run RectorDecryptor.exe.

3.  Press the “Start Scan” button to scan your drives for the encrypted files.

4. Let the RectorDecryptor utility scan and decrypt the encrypted files (with extensions .vscrypt, .infected, .bloc, .korrektor) and then select the option to “Delete crypted files after decryption” if the decryption was successful. *

* After the decryption you can find a report log of the scanning/decryption process to the root of your C:\ drive (e.g. “C:\RectorDecryptor.2.3.7.0_10.02.2011_15.31.43_log.txt”).

5. Finally continue to check and clean your system from malware programs that may exist on it.

Source – Additional information: http://support.kaspersky.com/viruses/disinfection/4264#block2

 

Trojan-Ransom.Win32.Xorist, Trojan-Ransom.MSIL.Vandev – Virus Information & Decryption.

The Trojan Ransom Xorist & Trojan Ransom Vandev encrypt files with the following extensions:

doc, xls, docx, xlsx, db, mp3, waw, jpg, jpeg, txt, rtf, pdf, rar, zip, psd, msi, tif, wma, lnk, gif, bmp, ppt, pptx, docm, xlsm, pps, ppsx, ppd, tiff, eps, png, ace, djvu, xml, cdr, max, wmv, avi, wav, mp4, pdd, html, css, php, aac, ac3, amf, amr, mid, midi, mmf, mod, mp1, mpa, mpga, mpu, nrt, oga, ogg, pbf, ra, ram, raw, saf, val, wave, wow, wpk, 3g2, 3gp, 3gp2, 3mm, amx, avs, bik, bin, dir, divx, dvx, evo, flv, qtq, tch, rts, rum, rv, scn, srt, stx, svi, swf, trp, vdo, wm, wmd, wmmp, wmx, wvx, xvid, 3d, 3d4, 3df8, pbs, adi, ais, amu, arr, bmc, bmf, cag, cam, dng, ink, jif, jiff, jpc, jpf, jpw, mag, mic, mip, msp, nav, ncd, odc, odi, opf, qif, qtiq, srf, xwd, abw, act, adt, aim, ans, asc, ase, bdp, bdr, bib, boc, crd, diz, dot, dotm, dotx, dvi, dxe, mlx, err, euc, faq, fdr, fds, gthr, idx, kwd, lp2, ltr, man, mbox, msg, nfo, now, odm, oft, pwi, rng, rtx, run, ssa, text, unx, wbk, wsh, 7z, arc, ari, arj, car, cbr, cbz, gz, gzig, jgz, pak, pcv, puz, r00, r01, r02, r03, rev, sdn, sen, sfs, sfx, sh, shar, shr, sqx, tbz2, tg, tlz, vsi, wad, war, xpi, z02, z04, zap, zipx, zoo, ipa, isu, jar, js, udf, adr, ap, aro, asa, ascx, ashx, asmx, asp, aspx, asr, atom, bml, cer, cms, crt, dap, htm, moz, svr, url, wdgt, abk, bic, big, blp, bsp, cgf, chk, col, cty, dem, elf, ff, gam, grf, h3m, h4r, iwd, ldb, lgp, lvl, map, md3, mdl, mm6, mm7, mm8, nds, pbp, ppf, pwf, pxp, sad, sav, scm, scx, sdt, spr, sud, uax, umx, unr, uop, usa, usx, ut2, ut3, utc, utx, uvx, uxx, vmf, vtf, w3g, w3x, wtd, wtf, ccd, cd, cso, disk, dmg, dvd, fcd, flp, img, iso, isz, md0, md1, md2, mdf, mds, nrg, nri, vcd, vhd, snp, bkf, ade, adpb, dic, cch, ctt, dal, ddc, ddcx, dex, dif, dii, itdb, itl, kmz, lcd, lcf, mbx, mdn, odf, odp, ods, pab, pkb, pkh, pot, potx, pptm, psa, qdf, qel, rgn, rrt, rsw, rte, sdb, sdc, sds, sql, stt, t01, t03, t05, tcx, thmx, txd, txf, upoi, vmt, wks, wmdb, xl, xlc, xlr, xlsb, xltx, ltm, xlwx, mcd, cap, cc, cod, cp, cpp, cs, csi, dcp, dcu, dev, dob, dox, dpk, dpl, dpr, dsk, dsp, eql, 
ex, f90, fla, for, fpp, jav, java, lbi, owl, pl, plc, pli, pm, res, rnc, rsrc, so, swd, tpu, tpx, tu, tur, vc, yab, 8ba, 8bc, 8be, 8bf, 8bi8, bi8, 8bl, 8bs, 8bx, 8by, 8li, aip, amxx, ape, api, mxp, oxt, qpx, qtr, xla, xlam, xll, xlv, xpt, cfg, cwf, dbb, slt, bp2, bp3, bpl, clr, dbx, jc, potm, ppsm, prc, prt, shw, std, ver, wpl, xlm, yps, md3.

After the infection, Trojan Ransom Xorist compromises your computer's security, makes your computer unstable and displays messages on your screen demanding a ransom in order to decrypt the infected files. The messages contain also information on how to pay the ransom in order to get the decryption utility from the cybercriminals.

How to decrypt files infected with Trojan Win32.Xorist or Trojan MSIL.Vandev:

Advice: Copy all the infected files to a separate directory and close all open programs before proceeding to scan and decrypt the affected files.

1. Download Xorist Decryptor utility (from Kaspersky Labs) to your computer.

2. When the download is completed, run XoristDecryptor.exe.

Note: If you want to delete the encrypted files when the decryption is completed, then click the “Change parameters” option and check the “Delete crypted files after decryption” check box under “Additional Options”.

3.  Press the “Start Scan” button.


4. Enter the path of at least one encrypted file and then wait until the utility decrypts the encrypted files.

5. If the decryption was successful, reboot your computer and then scan and clean your system from malware programs that may exist on it.

Source – Additional information: http://support.kaspersky.com/viruses/disinfection/2911#block2

 

Trojan-Ransom.Win32.Rakhni – Virus Information & Decryption.

The Trojan Ransom Rakhni encrypts files by changing files extensions as follows:

<filename>.<original_extension>.<locked>
<filename>.<original_extension>.<kraken>
<filename>.<original_extension>.<darkness>
<filename>.<original_extension>.<nochance>
<filename>.<original_extension>.<oshit>
<filename>.<original_extension>.<oplata@qq_com>
<filename>.<original_extension>.<relock@qq_com>
<filename>.<original_extension>.<crypto>
<filename>.<original_extension>.<helpdecrypt@ukr.net>
<filename>.<original_extension>.pizda@qq_com

After the encryption, your files are unusable and your system security is compromised. The Trojan-Ransom.Win32.Rakhni also creates a file in your %APPDATA% folder named “exit.hhr.oshit” that contains the encrypted password for the infected files.

Warning: The Trojan-Ransom.Win32.Rakhni creates the “exit.hhr.oshit” file that contains an encrypted password to the user's files. If this file remains on the computer, it will make decryption with the RakhniDecryptor utility faster. If the file has been removed, it can be recovered with file recovery utilities. After the file is recovered, put it into %APPDATA% and run the scan with the utility once again.

%APPDATA% folder location:

  • Windows XP: C:\Documents and Settings\<username>\Application Data
  • Windows 7/8: C:\Users\<username>\AppData\Roaming

 

How to decrypt files infected with Trojan Rakhni and get your files back:

1. Download Rakhni Decryptor utility (from Kaspersky Labs) to your computer.

2. When the download is completed, run RakhniDecryptor.exe.

Note: If you want to delete the encrypted files when the decryption is completed, then click the “Change parameters” option and check the “Delete crypted files after decryption” check box under “Additional Options”.

3.  Press the “Start Scan” button to scan your drives for encrypted files.


4. Enter the path of at least one encrypted file (e.g. “file.doc.locked”) and then wait until the utility recovers the password from the “exit.hhr.oshit” file (mind the Warning) and decrypts your files.

Source – Additional information: http://support.kaspersky.com/viruses/disinfection/10556#block2

 

 

 

Trojan-Ransom.Win32.Rannoh (Trojan-Ransom.Win32.Cryakl) – Virus Information & Decryption.

The Trojan Rannoh or Trojan Cryakl encrypts all files on your computer in the following way:

  • In case of a Trojan-Ransom.Win32.Rannoh infection, file names and extensions will be changed according to the template locked-<original name>.<four random letters>.
  • In case of a Trojan-Ransom.Win32.Cryakl infection, the tag {CRYPTENDBLACKDC} is added to the end of file names.

How to decrypt files infected with Trojan Rannoh or Trojan Cryakl and get your files back:

Important: The Rannoh Decryptor utility decrypts files by comparing one encrypted and one decrypted file. So if you want to use the Rannoh Decryptor utility to decrypt files you must own an original copy of at least one encrypted file before the infection (e.g. from a clean backup).

1. Download Rannoh Decryptor utility to your computer.

2. When the download is completed, run RannohDecryptor.exe

Note: If you want to delete the encrypted files once the decryption is completed, then click the “Change parameters” option and check the “Delete crypted files after decryption” check box under “Additional Options”.

3.  Press the “Start Scan” button.


4. Read the “Information required” message and then click “Continue” and specify the path to an original copy of at least one encrypted file before the infection (clean – original – file) and the path to the encrypted file (infected – encrypted -file).


5. After the decryption, you can find a report log of the scanning/decryption process to the root of your C:\ drive. (e.g. “C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt”).

Source – Additional information: http://support.kaspersky.com/viruses/disinfection/8547#block1

TeslaCrypt (Variants: .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, & .vvv)

The TeslaCrypt ransomware virus adds the following extensions to your files: .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, & .vvv.

How to decrypt TeslaCrypt files:

If you are infected with TeslaCrypt virus then use one of these tools to decrypt your files:

  1.  TeslaDecoder: More information and instructions about using TeslaDecoder can be found in this article:  http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/
  2. Trend Micro Ransomware File Decryptor.

TeslaCrypt V3.0 (Variants:  .xxx, .ttt, .micro, .mp3)

The TeslaCrypt 3.0 ransomware virus adds the following extensions to your files: .xxx, .ttt, .micro & .mp3

How to decrypt TeslaCrypt V3.0 files:

If you're infected with TeslaCrypt 3.0 then attempt to recover your files with:

  1. Trend Micro's Ransomware File Decryptor tool.
  2. RakhniDecryptor (How to Guide)
  3. Tesla Decoder (How to Guide)
  4. Tesladecrypt – McAfee

TeslaCrypt V4.0 (File name and extension are unchanged)

To decrypt TeslaCrypt V4 files, try one of the following utilities:

  1. Trend Micro's Ransomware File Decryptor tool.
  2. RakhniDecryptor (How to Guide)
  3. Tesla Decoder (How to Guide)
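
The families in this article are told apart mainly by how they rename files, so the first triage step is to read the names of the encrypted files. The following Python code is an added example (not part of the original article and not any vendor's tool) that maps a file name to the candidate families and to the decryptor this article names for each; the function names, the tool label strings and the rule that a plain "song.mp3" is not flagged are assumptions made for the example.

```python
import re
from collections import defaultdict

TREND = "Trend Micro Ransomware File Decryptor"
RAKHNI = "Kaspersky RakhniDecryptor"
RANNOH = "Kaspersky RannohDecryptor"

# Appended extension -> candidate (family, tool) pairs, as listed in the article.
# Some extensions are shared by several families, so every candidate is kept.
BY_EXT = defaultdict(list)


def _add(family, tool, *exts):
    for ext in exts:
        BY_EXT[ext].append((family, tool))


_add("CryptXXX V1/V2", RANNOH, "crypt")
_add("Chimera", TREND, "crypt")
# The article spells the V3 extension both "crypz" and "cryptz"; accept both.
_add("CryptXXX V3 (partial recovery only)", TREND, "crypz", "cryptz")
_add("TeslaCrypt V1/V2", "TeslaDecoder or " + TREND,
     "ecc", "ezz", "exx", "xyz", "zzz", "aaa", "abc", "ccc", "vvv")
_add("TeslaCrypt V3", TREND + ", RakhniDecryptor or TeslaDecoder",
     "xxx", "ttt", "micro", "mp3")
_add("Rector", "Kaspersky RectorDecryptor",
     "vscrypt", "infected", "korrektor", "bloc")
_add("Rakhni", RAKHNI, "locked", "kraken", "darkness", "nochance", "oshit",
     "crypto", "oplata@qq_com", "relock@qq_com", "helpdecrypt@ukr.net",
     "pizda@qq_com")
_add("Stampado", TREND, "locked")
_add("XORBAT or Nemucod", TREND, "crypted")
_add("XORIST", "Kaspersky XoristDecryptor or " + TREND, "xorist")
_add("CERBER V1", TREND, "cerber")
_add("777", TREND, "777")
_add("SNSLocker", TREND, "rsnslocked")

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
RANNOH_NAME = re.compile(r"locked-.+\.[A-Za-z]{4}")


def identify(filename):
    """Return candidate (family, tool) pairs for one file name; [] if none.

    TeslaCrypt V4 and BadBlock leave names unchanged, so they cannot be
    recognised this way.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if name.endswith("{CRYPTENDBLACKDC}"):
        return [("Cryakl", RANNOH)]
    if RANNOH_NAME.fullmatch(name):
        return [("Rannoh", RANNOH)]
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return []
    ext = ext.lower()
    if ext == "locky":
        if HEX32.fullmatch(stem):  # Locky replaces the whole name with 32 hex chars
            return [("Locky", "no decryptor listed: backup or Shadow Copies")]
        return [("AutoLocky", "Emsisoft Decrypter for AutoLocky or " + TREND)]
    if ext == "mp3" and "." not in stem:
        return []  # assumption: a plain "song.mp3" is ordinary audio
    return list(BY_EXT.get(ext, []))


def triage(filenames):
    """Group file names under each (family, tool) candidate they match."""
    groups = defaultdict(list)
    for fn in filenames:
        for candidate in identify(fn):
            groups[candidate].append(fn)
    return dict(groups)


if __name__ == "__main__":
    # Constructed sample listing (not from a real incident).
    sample = [
        "1E776633B7E6DFE7ACD1B1A5E9577BCE.locky", "Document1.doc.locky",
        "file.doc.locked", "report.xls.mp3", "song.mp3",
        "locked-invoice.pdf.qwer", "photo.jpg{CRYPTENDBLACKDC}", "notes.txt",
    ]
    for (family, tool), files in triage(sample).items():
        print(f"{family}: {files} -> {tool}")
```

A name that matches more than one family (for example ".locked" or ".crypt") is reported under each candidate, so the result is a shortlist to confirm against the ransom note, not a verdict.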

 
