How to Decrypt Ransomware
Below we have compiled, in several steps, the best options you have for recovering your files (short of actually paying the criminals). We firmly advise you not to pay the ransom: if you pay it, you simply fund the criminals to create even more advanced ransomware versions.
Before you begin restoring your files you need to make sure that the Ransomware program itself has been neutralized. Use the guide you came from to remove it, or it may encrypt your files again.
Shadow Copy Restoration
The first thing you can try is to restore your files through their shadow copies. We advise you to do this before resorting to decryptors, as it is risk-free, meaning if it fails, your files won’t be deleted by the ransomware. Some especially nasty ransomware variants threaten to delete your files if they detect any sort of tampering.
There are several different programs that use shadow volume copies to restore your files. We tested some of them, and Data Recovery Pro seems to have the highest chance of helping. Unfortunately, that comes at a cost: you need to purchase the full version to receive its benefits. If you want to try it:
Start the program and choose the hard disk you want to scan for recoverable files. Then click “Start Scan”.
If you prefer, you can specify a file name in the “Full Scan” section.
After the scan finishes, simply click “Recover” on the bottom right and see if you get your files back.
Below you will find a list of free decryption tools that can possibly help you recover your files. However, you need the right tool for the type of encryption used on your files. To learn that, use ID Ransomware – a free online service that will tell you which ransomware is currently messing with your files. You’ll be asked to upload the ransom note file (usually found on your desktop), as well as a sample encrypted file.
Once it’s done analyzing, ID Ransomware will tell you exactly which ransomware version you are dealing with.
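A file name on its own often fits several families, which is why the service asks for the ransom note and a sample file as well. The sketch below is an added example, not part of the original guide or of ID Ransomware; it matches file names against a subset of the extensions from the lists further down this page, and the `candidates` and `triage` helpers and the sample names are assumptions made for illustration.

```python
import re
from collections import Counter

# Family -> filename suffixes, copied from the decryptor lists on this page
# (lower-cased, because names are compared case-insensitively).
SUFFIXES = {
    "AutoLocky": [".locky"],
    "Nemucod": [".crypted"],
    "Gomasom": [".crypt"],
    "Scatter": [".pzdc", ".crypt", ".good"],
    "CryptXXX": [".crypt", ".crypz", ".crypt1"],
    "Rannoh": [".crypt"],
    "Rakhni": [".locked"],
    "ApocalypseVM": [".ecrypted", ".locked"],
    "KeyBTC": [".keybtc@inbox_com"],
    "Jigsaw": [".fun", ".kkk", ".gws", ".btc", ".paysm"],
    "TeslaCrypt": [".ecc", ".exx", ".ezz", ".micro", ".xxx", ".ttt", ".mp3"],
}
# Rannoh also renames by pattern: locked-<original_name>.<four_random_letters>
PATTERNS = {"Rannoh": re.compile(r"^locked-.+\.[a-z]{4}$")}


def candidates(filename):
    """Return every listed family whose naming scheme fits this file name."""
    name = filename.lower()
    hits = {fam for fam, sufs in SUFFIXES.items()
            if any(name.endswith(s) for s in sufs)}
    hits |= {fam for fam, rx in PATTERNS.items() if rx.match(name)}
    return sorted(hits)


def triage(filenames):
    """Count files per candidate family; collect ambiguous and unmatched names."""
    counts, ambiguous, unmatched = Counter(), [], []
    for fn in filenames:
        fams = candidates(fn)
        counts.update(fams)
        if len(fams) > 1:
            ambiguous.append(fn)
        elif not fams:
            unmatched.append(fn)
    return counts, ambiguous, unmatched


# Constructed file names, not taken from a real incident.
SAMPLE = ["budget.xlsx.crypt", "photo.jpg.locked", "notes.txt.locky",
          "locked-report.docx.abcd", "song.mp3", "readme.txt"]
```

On the sample, `.crypt` fits four families and `.locked` fits two, and an ordinary `song.mp3` is reported as a TeslaCrypt candidate because `.mp3` is on that list. Families listed with an “unchanged” extension cannot be recognised from file names at all.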
Below you will find a list of all known ransomware file decryptors. Browse through the list and look for a decryptor for your particular type of ransomware. They are listed both by virus name and by extension used on your files.
We do not 100% guarantee any of these will work and they are provided by their creators as is, but most of the time they will get the job done!
Naturally, before you try any of them, it is recommended that you make backups of all files.
- Autolocky – file extension: .locky
- Nemucod – file extension: .crypted
- DMALocker2 – file extension: unchanged
- DMALocker – file extension: unchanged
- Gomasom – file extension: .crypt
- LeChiffre – file extension: .lechiffre
- KeyBTC – file extension: .keybtc@inbox_com
- Radamant – file extension: .rdm or .rrk
- PClock – file extension: unchanged
- CryptoDefense – file extension: unchanged
- Harasom – file extension: .HTML
- Decrypt Protect – file extension: .HTML
- Apocalypse – file extension: .encrypted
- ApocalypseVM variant – file extensions: .ecrypted, .locked
- Xorist – file extension: .cerber (for the Cerber ransomware including .cerber and .cerber2 look below)
- Globe ransomware – file extension: .globe
- MRCR or Merry Christmas/Merry Xmas – file extensions: .pegs1, .mrcr1, .rare1, .merry, .rmcm1
A company called Emsisoft has created decryptors for all above mentioned ransomware programs. Kudos to those guys.
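Before running any decryptor from the lists on this page, the backup recommended above can be made and checked as follows. This is an added example, not part of the original guide or of any vendor's tool; the folder names, the sample files and the `backup_tree` and `changed_since_backup` helpers are assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def backup_tree(source, dest):
    """Copy files under source to dest, verify each copy, return {relpath: sha256}."""
    source, dest = Path(source), Path(dest)
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy2 also preserves timestamps
        digest = sha256_of(src)
        if sha256_of(target) != digest:
            # A damaged backup must never be mistaken for a good one.
            raise OSError(f"copy of {rel} does not match the original")
        manifest[rel.as_posix()] = digest
    return manifest


def changed_since_backup(source, manifest):
    """Name the files that a decryptor run modified or removed."""
    source = Path(source)
    return [rel for rel, digest in manifest.items()
            if not (source / rel).is_file() or sha256_of(source / rel) != digest]


def demo():
    """Constructed data: back up two files, then simulate a failed decryptor."""
    with tempfile.TemporaryDirectory() as tmp:
        docs, safe = Path(tmp, "Documents"), Path(tmp, "backup")
        docs.mkdir()
        (docs / "report.docx.locky").write_bytes(b"\x8f\x02 constructed ciphertext")
        (docs / "ransom_note.txt").write_text("constructed ransom note")
        manifest = backup_tree(docs, safe)
        (docs / "report.docx.locky").write_bytes(b"truncated")  # bad decrypt
        return sorted(manifest), changed_since_backup(docs, manifest)
```

Keeping the ransom note and the still-encrypted originals in the backup means a different or later decryptor can be tried on untouched copies if the first one damages a file.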
MRCR or Merry Christmas/Merry Xmas – file extensions: .pegs1, .mrcr1, .rare1, .merry, .rmcm1
HydraCrypt and UmbreCrypt – file extension: .hydracrypt and .umbrecrypt
Petya password generator – no extension, whole HDD is locked
Operation Global III – file extension: .exe
TeslaCrypt – file extensions: .ECC, .EXX, and .EZZ
TeslaCrypt – file extensions: .micro, .xxx, .ttt, .mp3 or “unchanged”
BitCryptor and CoinVault – file extension: 7z.encrypted
Kaspersky has also developed decryptors for the following ransomware viruses:
CrySiS – .crysis and .crysis2 file extensions. Use the Rakhni decryptor for this one.
Rector – file extension: unknown
Rakhni – file extension: .locked
._date-time_$address@domain$.777; .xxx; .ttt; .micro; .mp3
Scatter – file extensions: .pzdc .crypt .good
Xorist – file extension: unknown
Rannoh – possible file extensions locked-<original_name>.<four_random_letters> ; <original_name>@<mail server>_<random_set_of_characters> ; <original_name>.crypt
Dharma Ransomware – file extension: .dharma. Use the Rakhni decryptor for this one.
Trend Micro’s Decrypter will allow you to decrypt files affected by:
TeslaCrypt(v3, v4) – extensions .micro, .xxx, .ttt, .mp3 or “unchanged”
AutoLocky – extension: .locky
SNSLocker – extension: .RSNSlocked
CryptXXX(v1, v2, v3) – extension: .crypt
Jigsaw – file extensions: .fun; .kkk; .gws; .btc; .PAYSM
CryptXXX – file extensions: .crypz and .crypt1 ONLY
The ODCODC ransomware
Breaking Bad themed ransomware with the following file extensions: .xtbl, .ytbl, .breaking_bad, .heisenberg
Cerber ransomware with the following file extensions: .cerber and .cerber2
DMA Locker 3.0
Decryptor tools for 7ev3n Ransomware
MBRFilter (Ransomware blocker tool for Petya, Satana and Petya+Mischa)
Waiting for a solution
Neither ransomware viruses nor their creators are perfect or infallible, and the above list of decryptors is proof of that. Unfortunately, it usually takes time for security researchers to break into the ransomware code and find the solution we so desperately need. Even if there is no decryptor tool available now, this doesn’t mean one won’t be created in the future. Feel free to bookmark this page and check here for newly available ransomware solutions. We’ll add them to the list as we spot them on the Net.