Ransomware is an evil malware that encrypts the victim’s files and then requests payment in return for the key to decrypt the encrypted data. Initially popular in Russia, the use of ransomware has grown internationally and has gone mainstream with several high-profile attacks. While many victims are paying the ransom trying to get their data back, many security firms have been working hard on the solutions to stop this cyber criminal.
AVG Virus Lab recently released six free decryption tools for recent ransomware strains. Good news for the victims of these six kinds of ransomware because they can take back what’s theirs without paying a cent to the criminals.
Before you run these tools to recover your data, it’s recommended you run a full scan of the infected computer and back up the encrypted files to an external storage so you can do the decryption on an uninfected computer. You will also need to identify the strain that causes the problem, and run the appropriate decryption tool.
The Apocalypse ransomware appends “.encrypted”, “.locked”, or “.SecureCrypted” to names of encrypted files and creates ransom messages in files with extensions “.How_To_Decrypt.txt”, “.README.Txt”, or “.Contact_Here_To_Recover_Your_Files.txt”.
Crypt888, aka Mircop, creates encrypted files with the prepended name “Lock.” and changes your desktop’s wallpaper to the following image:
The decryption tool can be downloaded here.
Note that Crypt888 is a badly-written piece of software that can’t even decrypt some of the encrypted files it created. So, AVG’s decryption may not be effective.
Legion encrypts and renames your files with names like “example.docx[email protected]$.legion“, and changes the desktop wallpaper with a warning block about your encrypted files:
The decryption tool is available here.
The name of this ransomware originates from a string that is appended to the names of encrypted files (e.g. example.docx.szf). The original files are rewritten with the following Polish message:
You can find the decryption tool here.
The encrypted files come with different extensions, such as .vvv, .micro, .mp3, or with the original name only. It also displays a message like the following:
The decryption tool is available here and only supports decryptions of files encrypted by TeslaCrypt v3 and v4.
This tool is designed to decrypt files encrypted by the following methods:
- Bitman (TeslaCrypt) version 3 and 4.
It decrypts the files encrypted with the following extensions:
The CoinVault decryption tool decrypts the files encrypted by Coinvault and Bitcryptor.
RannohDecryptor tool is designed to decrypt files encrypted by:
- CryptXXX versions 1 and 2 (files encrypted by Trojan-Ransom.Win32.CryptXXX version 3 are detected, but not decrypted).
A new ransomware, TeleCrypt appeared recently carrying some new ideas. While most ransomware communicates with their C&C over simple HTTP-based protocols, Telecrypt abuses for this purpose the API of a popular messenger, Telegram.
Fortunately, the encryption used in this ransomware wasn’t strong and the engineer at Malwarebytes was able to develop a decryption tool allowing the victims to recover their files without paying the ransom.
A few words
Obviously, the tools listed here won’t be able to cover all of the variations of the ransomware family. In fact, it’s still hopeless if you are hit by one of the top 3 ransomware in the wild today. But it’s a start. We intend to keep this post up-to-date as new decryption tools made available to the public. And if you know something that is not listed here, please share them in the comment.
The more details about the ransomware, check out this new website called No More Ransom.
/update on Aug. 26, 2016/
It’s also not too late to install a free Anti-Ransomware on your Windows computer.