The Lumber Cartel, local 42 (Canadian branch)

Resources - Ransomware

"Ransomware" is a sub-category of malicious software that encrypts its victims' data and then demands that a ransom be paid to decrypt it.  The tools listed here are free solutions that may be helpful to you if you are a victim.  If you know of a free ransomware decryptor that is not listed here, please contact us.

 

Guides and other useful information

Canadian Centre for Cyber Security's Ransomware Playbook (CCCS)
https://www.cyber.gc.ca/en/guidance/ransomware-playbook-itsm00099
To learn more about Ransomware, the Canadian Government's Centre for Cyber Security publishes an excellent document entitled the "Ransomware playbook (ITSM.00.099)."  This playbook is also available in PDF format, which is ideally suited for printing or offline reading.

History of Ransomware
https://www.comparitech.com/blog/information-security/the-history-of-ransomware/
Comparitech explains that Ransomware is one of the largest threats you can face today, both on your own PC at home, and at work too.  This blog article details Ransomware from its humble beginnings to how it has become a massive global business that nets millions, if not billions, of dollars for its creators.

 

Ransomware decryptors

777 Decryptor (EMSISOFT)
https://www.emsisoft.com/en/ransomware-decryption/777
Use this decrypter if your files have been encrypted and renamed to *.777.  It may be necessary to select the correct version of the malware in the options tab for the decrypter to work properly.

7even-HONE$T (Hasherezade)
https://www.github.com/hasherezade/malware_analysis/tree/master/7ev3n
Decoder for the 7even-HONE$T ransomware that recovers the original file name, recovers the content of R4A files and, if possible, recovers the content of R5A files (needs additional parameters that are described further).

Bitdefender Free Decryption Tools
https://www.bitdefender.com/en-us/blog/labs/tag/free-tools
Bitdefender offers a variety of free tools to decrypt files that were encrypted by the following ransomware:

MortalKombat; MegaCortex; RanHassan; Universal LockerGoga; REvil/Sodinokibi; Avaddon; Fonix; Darkside; MamoCrypt; WannaRen; GoGoogle; Shade/Troldesh; Paradise; Ouroboros; GandCrab; LockCrypt; and Annabelle.


Black Byte Decryptor - Decryption Tool
https://www.github.com/SpiderLabs/BlackByteDecryptor
This is a decryptor for the ransomware called BlackByte.  The encryption key is stored in a file called forest.png, which was downloaded from a web page that's no longer available.

Crysis Ransomware Decryptor (ESET)
https://support.eset.com/en/kb6274-clean-a-crysis-or-wallet-infection-using-the-eset-crysis-decryptor
ESET has prepared a free decryptor for ransomware victims, offering a helping hand to anyone whose data or devices have been hit by the Crysis family (detected by ESET as Win32/Filecoder.Crysis).  You can read the full announcement for this decryptor by following this link.

Free Ransomware Decryption Tool (QuickHeal)
https://www.quickheal.com/free-ransomware-decryption-tool
Quick Heal has developed a tool that can help decrypt files encrypted by the following types of ransomware.  This tool is free and can be used without any hassle:

Troldesh Ransomware [.xtbl]; Crysis Ransomware [.CrySiS]; Cryptxxx Ransomware [.crypt]; Ninja Ransomware [@aol.com$.777]; Apocalypse Ransomware [.encrypted]; Nemucod Ransomware [.crypted]; ODC Ransomware [.odcodc]; LeChiffre Ransomware [.LeChiffre]; Globe1 Ransomware [.hnyear]; Globe2 Ransomware [.blt]; Globe3 Ransomware [.decrypt2017]; DeriaLock Ransomware [.deria]; Opentoyou Ransomware [.-opentoyou@india.com]; Globe3 Ransomware [.globe & .happydayzz]; Troldesh Ransomware [.dharma]; Troldesh Ransomware [.wallet]; Troldesh Ransomware [.onion]; Satan DBGer Ransomware [.dbger]; STOP Djvu Ransomware [.shadow/.promok/.fordan/.codnat/.forasom/.dotmap/.ferosas/.rectot/.skymap/.rezuc/.mogera/.djvu/.djvuq/.djvur/.djvus/.djvut/.djvuu/.pdff/.tfude/.tfudeq/.tro/.udjvu/.uudjvu/.tro/.udjvu/.uudjvu/.tfudet/.adobe/.adobee/.blower/.promos/.promok/.promoz/.promock/.promorad/.promorad2/.kroput/.kroput1/.charck/.kropun/.doples/.luces/.luceq/.chech/.pulsar1/.proden/.drume/.tronas/.trosak/.grovas/.grovat/.raldug/.roland/.etols/.guvara/.norvas/.moresa/.verasto/.hrosas/.kiratos/.todarius/.roldat/.dutan/.sarut/.pidon/.poret/.davda/.lanset/.stone/.berost/.heroset/.gerosan/.boston/.muslat/.vesad/.neras/.horon/.dalle/.redmat/.radman/.lotep/.truke/.nusar/.besub/.litar/.lokas/.cezor/.hofos/.godes/.budak/.heran/.berosuce/.gusau/.madek/.Dodoc/.lapoi/.tocue/.todar/.bopador/.novasof/.ndarod/.access/.format/.nelasod/.mogranos/.lotej/.prandel/.zatrov/.masok/.brusaf/.londec]; GandCrab Ransomware [Random Extension : Need ransom note for decryption]; and Hermetic Ransomware [.[vote2024forjb@protonmail.com].encryptedJB] (Supports files up to 1 MB).


Free Ransomware Decryption Tools (AVG)
https://www.avg.com/en-ca/ransomware-decryption-tools
AVG's free ransomware decryption tools can help decrypt files encrypted by the following forms of ransomware:

Apocalypse; BadBlock; Bart; Crypt888; Legion; SZFLocker; and TeslaCrypt.


Free Ransomware Decryptors (Kaspersky Labs)
https://noransom.kaspersky.com/
Kaspersky Labs, who are probably most famous for their anti-virus and internet security solutions, have teamed up with the National High Tech Crime Unit (NHTCU) of the Netherlands.

Free Ransomware Tools (Avast)
https://www.avast.com/en-ca/ransomware-decryption-tools
Avast's free ransomware decryption tools can help decrypt files encrypted by the following forms of ransomware:

AES_NI; Alcatraz Locker; Apocalypse; AtomSilo & LockFile; Babuk; BadBlock; Bart; BigBobRoss; BTCWare; Crypt888; CryptoMix (Offline); CrySiS; EncrypTile; FindZip; Fonix; GandCrab; Globe; HermeticRansom; HiddenTear; Jigsaw; LambdaLocker; Legion; NoobCrypt; Prometheus; Stampado; SZFLocker; TargetCompany; TeslaCrypt; Troldesh/Shade; and XData.


Nemucod Decrypter (Emsisoft)
https://decrypter.emsisoft.com/nemucod/
Nemucod is a JavaScript downloader malware that was previously used to distribute TeslaCrypt, but the more recent Nemucod versions dropped the TeslaCrypt payload in favour of their own ransomware implementation.  Since the Nemucod ransomware encrypts the first 2,048 bytes of a file using a 255-byte XOR key, the decrypter only requires an encrypted file of at least 510 bytes in size as well as its unencrypted version, both of which are specified with Emsisoft's simple drag-and-drop interface.  (Nemucod was recommended by Bleeping Computer.)

No More Ransom! - Decryption Tools
https://www.nomoreransom.org/en/decryption-tools.html
Law enforcement and IT Security companies have joined forces to disrupt cybercriminal businesses with ransomware connections.  The "No More Ransom" website is an initiative by the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre, Kaspersky Lab, and McAfee with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

PyLocky Decryptor (Cisco Talos)
https://www.talosintelligence.com/pylocky
This PyLocky decryptor tool is intended to restore the computer files of victims affected by the PyLocky ransomware.

The PyLocky ransomware uses a Python script to encrypt all the files on a victim's computer with a DES3 cipher and runtime-generated encryption keys that are sent to the command-and-control server, which gives the bad actors a way to restore the files of victims who have paid the ransom.  This ransomware encrypts a wide range of file types such as photos, videos, documents, music and executable files.


TeslaCrypt Decryption Tool (Cisco Talos)
https://www.talosintelligence.com/teslacrypt_tool
The Cisco Talos TeslaCrypt Decryption Tool is an open-source command-line utility for decrypting TeslaCrypt-ransomware-encrypted files so that users' files can be returned to their original state.

TeslaCrypt malware encrypts the victim's files, such as photos, videos, documents and saved game files, and demands a ransom from the victim within a time limit.  When the victim pays the ransom they can download a decryption key that will restore their files; otherwise the files are permanently lost.


Thanatos Decryptor (Cisco Talos)
https://www.talosintelligence.com/thanatos_decryptor
The Cisco Talos Thanatos Decryptor is an open-source utility that attempts to decrypt files that were encrypted by the Thanatos ransomware.  The Thanatos malware encrypts a user's files and discards the key, despite displaying a ransom note indicating that the files will be restored once the ransom is paid.

Due to a flaw in the way the encryption keys are generated, though, they can be guessed in several minutes under the right conditions.  The Thanatos Decryptor attempts to guess the key and use it to automatically restore files that the malware encrypted.


 
 

Copyright © 2004-2026 Inter-Corporate Computer & Network Services, Inc.  All rights reserved.
All trademarks are the property of their respective owners.