Wanna Cry Removal guide

How to Decrypt Ransomware

Below we have compiled, in several steps, the best chance you have of recovering your files (short of actually paying the criminals). We firmly advise you not to pay the ransom: if you pay it, you simply fund the criminals to create even more advanced ransomware versions.

Step 1

Removal

Before you begin restoring your files you need to make sure that the Ransomware program itself has been neutralized. Use the guide you came from to remove it, or it may encrypt your files again.

Step 2

Shadow Copy Restoration

The first thing you can try is to restore your files through their shadow copies. We advise you to do this before resorting to decryptors, as it is risk-free, meaning if it fails, your files won’t be deleted by the ransomware. Some especially nasty ransomware variants threaten to delete your files if they detect any sort of tampering. 

There are several different programs that use shadow volume copies to restore your files. We tested some of them and Data Recovery Pro seems to have the highest chance to help. Unfortunately, that comes at a cost: you need to purchase the full version to receive its benefits. If you want to try:

Start the program and choose the hard disk you want to scan for recoverable files. Then click “Start Scan”.

If you prefer, you can specify a file name in the “Full Scan” section.

After the scan finishes, simply click “Recover” on the bottom right and see if you get your files back.

Step 3

Identification

Below you will find a list of free decryption tools that can possibly help you recover your files. However, you need the right tool for the type of encryption used on your files. To learn that, use ID Ransomware – a free online service that will tell you which ransomware is currently messing with your files. You’ll be asked to upload the ransom note file (usually found on your desktop), as well as a sample encrypted file.

Once it’s done analyzing, ID Ransomware will tell you exactly which ransomware version you are dealing with.

Below you will find a list of all known ransomware file decryptors. Browse through the list and look for a decryptor for your particular type of ransomware. They are listed both by virus name and by extension used on your files.
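An added example, not part of the original guide: a read-only inventory of encrypted-looking file extensions under a folder, matched against a subset of the list below. It shows why the ID Ransomware step matters, since an extension such as .crypt appears under several families on this page. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Extension -> families, transcribed from a subset of this page's list.
CANDIDATES = {
    ".locky": ["Autolocky"],
    ".crypted": ["Nemucod"],
    ".lechiffre": ["LeChiffre"],
    ".rdm": ["Radamant"],
    ".rrk": ["Radamant"],
    ".dharma": ["Dharma"],
    ".crypt": ["Gomasom", "Rakhni", "Scatter", "Rannoh", "CryptXXX"],
    ".locked": ["ApocalypseVM", "Rakhni"],
    ".cerber": ["Xorist", "Cerber"],
}


def inventory(root):
    """Count files under root whose final extension is in CANDIDATES (read-only)."""
    counts = Counter()
    for _dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()  # ".CRYPT" -> ".crypt"
            if ext in CANDIDATES:
                counts[ext] += 1
    return counts


def triage(root):
    """Map each extension found to (file count, candidate families, ambiguous?)."""
    return {ext: (n, CANDIDATES[ext], len(CANDIDATES[ext]) > 1)
            for ext, n in inventory(root).items()}


def make_sample_tree():
    """Constructed sample data: empty files with encrypted-looking names."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    os.mkdir(os.path.join(root, "docs"))
    for rel in ("report.docx.crypt", "docs/photo.JPG.CRYPT",
                "docs/notes.txt.locky", "budget.xlsx", "README"):
        open(os.path.join(root, rel), "w").close()
    return root


if __name__ == "__main__":
    for ext, (n, families, ambiguous) in sorted(triage(make_sample_tree()).items()):
        verdict = "ambiguous, confirm with ID Ransomware" if ambiguous else "single candidate"
        print(f"{ext}: {n} file(s); {', '.join(families)} ({verdict})")
```

An empty result does not mean the folder is clean: several families on the list (DMALocker, PClock, CryptoDefense) leave the file extension unchanged.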

Step 4

Decryption

We do not 100% guarantee any of these will work and they are provided by their creators as is, but most of the time they will get the job done!

Naturally, before you try any of them, it is recommended that you make backups of all files.

  • Autolocky – file extension: .locky
  • Nemucod – file extension: .crypted
  • DMALocker2 – file extension: unchanged
  • DMALocker – file extension: unchanged
  • Gomasom – file extension: .crypt
  • LeChiffre – file extension: .lechiffre
  • KeyBTC – file extension: .keybtc@inbox_com
  • Radamant – file extension: .rdm or .rrk
  • PClock – file extension: unchanged
  • CryptoDefense – file extension: unchanged
  • Harasom – file extension: .HTML
  • Decrypt Protect – file extension: .HTML
  • Apocalypse – file extension: .encrypted
  • ApocalypseVM variant – file extensions: .ecrypted .locked
  • Xorist – file extension: .cerber (for the Cerber ransomware including .cerber and .cerber2 look below)
  • Globe ransomware – file extension: .globe
  • MRCR or Merry Christmas/Merry Xmas – file extensions: .pegs1, .mrcr1, .rare1, .merry, .rmcm1

A company called Emsisoft has created decryptors for all above mentioned ransomware programs. Kudos to those guys.

HydraCrypt and UmbreCrypt – file extensions: .hydracrypt and .umbrecrypt

Petya password generator – no extension, whole HDD is locked

Operation Global III – file extension: .exe

TeslaCrypt – file extensions: .ECC, .EXX, and .EZZ

TeslaCrypt – file extensions: .micro, .xxx, .ttt, .mp3 or “unchanged”

BitCryptor and CoinVault – file extension: 7z.encrypted

Kaspersky has also developed decryptors for the following ransomware viruses:

CrySiS – .crysis and .crysis2 file extensions. Use the Rakhni decryptor for this one.

Rector – file extension: unknown

Rakhni – file extensions: .locked; .kraken; .nochance; .oshit; .oplata@qq_com; .relock@qq_com; .crypto; [e-mail address obscured on the page]; .pizda@qq_com; .dyatel@qq_com; .crypt; .nalog@qq_com; .hifrator@qq_com; .gruzin@qq_com; .troyancoder@qq_com; .encrypted; .cry .AES256; .enc; .coderksu@gmail_com_id371; .coderksu@gmail_com_id372; .coderksu@gmail_com_id374; .coderksu@gmail_com_id375; .coderksu@gmail_com_id376; .coderksu@gmail_com_id392; .coderksu@gmail_com_id357; .coderksu@gmail_com_id356; .coderksu@gmail_com_id358; .coderksu@gmail_com_id359; .coderksu@gmail_com_id360; .coderksu@gmail_com_id20; [e-mail address obscured on the page]_characters; .hb15; ._date-time_$address@domain$.777; .xxx; .ttt; .micro; .mp3

Scatter – file extensions: .pzdc .crypt .good

Xorist – file extension: unknown

Rannoh – possible file extensions: locked-<original_name>.<four_random_letters>; <original_name>@<mail server>_<random_set_of_characters>; <original_name>.crypt

Dharma Ransomware – file extension: .dharma. Use the Rakhni decryptor for this one.

The Rector, Rakhni, Scatter, Xorist, Rannoh decryptors can be found here

Trend Micro’s Decrypter will allow you to decrypt files affected by:

TeslaCrypt (v3, v4) – extensions: .micro, .xxx, .ttt, .mp3 or “unchanged”

AutoLocky – extension: .locky

SNSLocker – extension: .RSNSlocked

CryptXXX (v1, v2, v3) – extension: .crypt


Jigsaw – file extensions: .fun; .kkk; .gws; .btc; .PAYSM 

CryptXXX – file extensions: .crypz and .crypt1 ONLY

The ODCODC ransomware

Breaking Bad themed ransomware with the following file extensions:

.xtbl, .ytbl, .breaking_bad, .heisenberg. 

Cerber ransomware with the following file extensions:

.cerber and .cerber2 

DMA Locker 3.0 

Decryptor tools for 7ev3n Ransomware 

MBRFilter (Ransomware blocker tool for Petya, Satana and Petya+Mischa)

Step 5

Waiting for a solution

Neither ransomware viruses nor their creators are perfect or infallible and the above list of decryptors is proof of that. Unfortunately, it usually takes time for security researchers to break into the ransomware code and find the solution we so desperately need. Even if there is no decryptor tool available now this doesn’t mean one won’t be created in the future. Feel free to bookmark this page and check here for newly available ransomware solutions. We’ll add them to the list as we spot them on the Net.