Free Decryption Tools to Retrieve Files Encrypted by Ransomware

Ransomware is an evil kind of malware that encrypts the victim’s files and then demands payment in return for the key to decrypt them. Initially popular in Russia, the use of ransomware has grown internationally and has gone mainstream with several high-profile attacks. While many victims pay the ransom to try to get their data back, many security firms have been working hard on solutions to stop these cyber criminals.


AVG Virus Lab recently released six free decryption tools for recent ransomware strains. This is good news for the victims of these six kinds of ransomware, because they can take back what’s theirs without paying a cent to the criminals.

Before you run these tools to recover your data, it’s recommended that you run a full scan of the infected computer and back up the encrypted files to external storage, so you can do the decryption on an uninfected computer. You will also need to identify the strain that caused the problem and run the appropriate decryption tool.
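One way to do the strain identification step, as an added example that is not part of the original article or of any vendor's tool: a Python script that matches file names from the backed-up drive against the name indicators this article lists in the sections below. The function names, confidence labels and sample paths are assumptions made for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# File-name indicators copied from this article. A match only points to the
# section to read next; suffixes such as .locked are not unique to one strain.
SUFFIXES = {
    ".encrypted": "Apocalypse", ".locked": "Apocalypse",
    ".securecrypted": "Apocalypse", ".how_to_decrypt.txt": "Apocalypse",
    ".readme.txt": "Apocalypse",
    ".contact_here_to_recover_your_files.txt": "Apocalypse",
    ".szf": "SZFlocker", ".vvv": "TeslaCrypt", ".micro": "TeslaCrypt",
    ".xtbl": "ShadowDecryptor", ".ytbl": "ShadowDecryptor",
    ".breaking_bad": "ShadowDecryptor", ".heisenberg": "ShadowDecryptor",
}
# Legion: <original name>._DD-MM-YYYY-HH-MM-SS_$<contact>$.legion
LEGION = re.compile(r"\._\d{2}-\d{2}-\d{4}-\d{2}-\d{2}-\d{2}_\$.+\$\.legion$", re.I)

def classify(path):
    """Return (article section, confidence) for one path, or None if no match."""
    name = PureWindowsPath(path).name   # parses Windows paths on any OS
    lower = name.lower()
    if LEGION.search(name):
        return ("Legion", "high")
    if name.startswith("Lock."):        # Crypt888 prepends "Lock."
        return ("Crypt888", "medium")
    for suffix, section in SUFFIXES.items():
        if lower.endswith(suffix):
            return (section, "medium")
    if lower.endswith(".mp3"):          # also a normal audio extension
        return ("TeslaCrypt", "low")
    return None

def triage(paths):
    """Tally hits per section; ambiguous (low-confidence) hits are kept apart."""
    strong, weak = Counter(), Counter()
    for p in paths:
        hit = classify(p)
        if hit:
            (weak if hit[1] == "low" else strong)[hit[0]] += 1
    return strong, weak

SAMPLE = [  # constructed listing of a backup drive, one file per rule
    r"E:\backup\Docs\example.docx._23-06-2016-20-27-23_$f_tactics@aol.com$.legion",
    r"E:\backup\Docs\budget.xlsx.szf",
    r"E:\backup\Pics\Lock.holiday.jpg",
    r"E:\backup\Music\song.mp3",
    r"E:\backup\Docs\report.pdf.SecureCrypted",
]
```

Files that TeslaCrypt left “with the original name only” cannot be spotted by name, so an empty result does not rule that strain out.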

Apocalypse

The Apocalypse ransomware appends “.encrypted”, “.locked”, or “.SecureCrypted” to names of encrypted files and creates ransom messages in files with extensions “.How_To_Decrypt.txt”, “.README.Txt”, or “.Contact_Here_To_Recover_Your_Files.txt”.

There are two separate decryption tools for this strain, one for the early version of Apocalypse and the other one for the current version.

BadBlock

[Screenshot: BadBlock ransom message]

If you see this popping up on your computer, you are a victim of BadBlock. But there is hope: the decryption tool is available in 32-bit and 64-bit versions.

Crypt888

Crypt888, aka Mircop, creates encrypted files with “Lock.” prepended to their names and changes your desktop’s wallpaper to the following image:

[Image: Crypt888 desktop wallpaper]

The decryption tool can be downloaded here.

Note that Crypt888 is a badly-written piece of software that can’t even decrypt some of the encrypted files it created. So, AVG’s decryption may not be effective.

Legion

Legion encrypts and renames your files with names like “example.docx._23-06-2016-20-27-23_$f_tactics@aol.com$.legion”, and changes the desktop wallpaper to a warning about your encrypted files:

[Image: Legion desktop wallpaper warning]

The decryption tool is available here.

SZFlocker

The name of this ransomware originates from a string that is appended to the names of encrypted files (e.g. example.docx.szf). The original files are rewritten with the following Polish message:

[Image: SZFlocker message in Polish]

You can find the decryption tool here.

TeslaCrypt

The encrypted files come with different extensions, such as .vvv, .micro, .mp3, or with the original name only. It also displays a message like the following:

[Image: TeslaCrypt ransom message]

The decryption tool is available here and only supports decryption of files encrypted by TeslaCrypt v3 and v4.

RakhniDecryptor

This tool is designed to decrypt files encrypted by the following ransomware:

  • Chimera;
  • Rakhni;
  • Agent.iih;
  • Aura;
  • Autoit;
  • Pletor;
  • Rotor;
  • Lamer;
  • Lortok;
  • Cryptokluchen;
  • Democry;
  • Bitman (TeslaCrypt) version 3 and 4.

Read the How-To Guide before downloading the tool and using it. See more details here about this ransomware.

ShadowDecryptor

It decrypts the files encrypted with the following extensions:

  • .xtbl
  • .ytbl
  • .breaking_bad
  • .heisenberg

Read the How-To Guide before downloading the tool here by Kaspersky Lab or by Intel Security.

CoinVault

The CoinVault decryption tool decrypts the files encrypted by CoinVault and Bitcryptor.

Read the How-To Guide before downloading the tool.

RannohDecryptor

The RannohDecryptor tool is designed to decrypt files encrypted by:

  • Rannoh;
  • AutoIt;
  • Fury;
  • Crybola;
  • Cryakl;
  • CryptXXX versions 1 and 2 (files encrypted by Trojan-Ransom.Win32.CryptXXX version 3 are detected, but not decrypted).

Read the How-To Guide before downloading the tool.

TeleCrypt

A new ransomware, TeleCrypt, appeared recently carrying some new ideas. While most ransomware communicates with its C&C over simple HTTP-based protocols, TeleCrypt abuses the API of a popular messenger, Telegram, for this purpose.

Fortunately, the encryption used in this ransomware wasn’t strong, and an engineer at Malwarebytes was able to develop a decryption tool that allows victims to recover their files without paying the ransom.

[Screenshot: TeleCrypt decryption tool]

See more details about TeleCrypt here and download the tool here.

A few words

Obviously, the tools listed here won’t be able to cover all of the variations of the ransomware family. In fact, it’s still hopeless if you are hit by one of the top 3 ransomware strains in the wild today. But it’s a start. We intend to keep this post up-to-date as new decryption tools are made available to the public. And if you know of something that is not listed here, please share it in the comments.

For more details about ransomware, check out this new website called No More Ransom.

/update on Aug. 26, 2016/

It’s also not too late to install a free Anti-Ransomware on your Windows computer.

Kent Chen

Microsoft MVP, IT Professional, Developer, Geek, and the co-founder of Next of Windows.

Last updated: 11/24/2016

Posted in: Security