Post by GuiltySpark on Jan 26, 2016 14:29:57 GMT
Not sure what Ransomware you have?
You can now check with this Website.
ID-Ransomware >>>
LeChiffre
LeChiffre is a ransomware family that is used by hackers in targeted attacks via the remote desktop service.
After encryption, files will be renamed to *.LeChiffre and various ransom notes named "_How to decrypt LeChiffre files.html" will be placed
in all directories it encrypted files in.
The ransom note will ask to contact decrypt.my.files@gmail.com for advice on how to decrypt the files.
Download LeChiffre Decryptor >>>
Gomasom
Gomasom is a ransomware family that targets Windows.
There have been reports of targeted attacks via remote desktop as well as social engineering attacks through email.
The malware authors seem to specifically target companies and company servers.
Files are encrypted and renamed to *.crypt.
There are no ransom notes but all encrypted files will also include an email address
(usually a Google Mail address) to contact for decryption in their file name.
Download Gomasom Decryptor >>>
HydraCrypt & UmbreCrypt
HydraCrypt and UmbreCrypt belong to the CrypBoss ransomware family.
Encrypted files will be renamed to either *.hydracrypt* or *.umbrecrypt*.
Download Hydra & Umbre Decryptor >>>
DMALocker2
DMALocker is a ransomware targeting Windows.
Files are encrypted but are not renamed.
The malware will identify itself as DMA Locker and display an ID.
This decrypter is specifically designed to decrypt files of infections with ID "DMALOCK 43:41:90:35:25:13:61:92".
Download DMALocker2 Decryptor >>>
DMALocker
DMALocker is a ransomware targeting Windows.
Files are encrypted but are not renamed.
The malware will identify itself as DMA Locker and display an ID.
This decrypter is specifically designed to decrypt files of infections with ID "DMALOCK 41:55:16:13:51:76:67:99".
Download DMALocker Decryptor >>>
CrypBoss
CrypBoss is a ransomware family targeting Windows.
Encrypted files are renamed to either *.crypt or *.R16M01D05.
The malware drops ransom notes named HELP_DECRYPT.jpg or HELP_DECRYPT.txt into various locations on the system.
The ransom notes instruct victims to contact a @dr.com email address.
Download CrypBoss Decryptor >>>
KeyBTC
KeyBTC is a ransomware family that arrives as a JavaScript on the system.
It encrypts the first 2048 bytes of files it targets.
File extensions are not changed upon encryption and a ransom note is stored inside DECRYPT_YOUR_FILES.txt on your Desktop.
Download KeyBTC Decryptor >>>
Radamant
Radamant is a ransomware-as-a-service toolkit offered within hacker forums that targets Windows.
Encrypted files will be renamed to either *.rdm or *.rrk.
The ransom note will be stored inside "YOUR_FILES.url" on your Desktop.
Download Radamant Decryptor >>>
PClock
PClock is a ransomware that tries to pass as "CryptoLocker" when infecting the system.
It does not rename any files and stores a list of all encrypted files inside "%UserProfile%\enc_files.txt".
Download PClock Decryptor >>>
CryptoDefense
CryptoDefense is a ransomware family targeting Windows.
Files encrypted by CryptoDefense will have no change in extension.
The malware will identify itself as CryptoDefense and create ransom notes named HOW_DECRYPT.txt,
HOW_DECRYPT.html and HOW_DECRYPT.url on your Desktop and other directories.
Download CryptoDefense Decryptor >>>
PClock2
PClock2 usually enters the user’s system via infected torrent downloads.
Once on a victim’s computer, PClock2 establishes persistence on the system using the following Registry entry:
PClock2 targets 2583 file extensions.
Download PClock2 Decryptor >>>
CoinVault
A tool for reversing the encryption process of CoinVault crypto-malware is currently available for download,
with new decryption keys being added as the investigation advances.
How To Use Guide PDF >>>
Download CoinVault Decryptor ZIP file >>>
Nemucod
Nemucod is a JavaScript downloader malware that used to be used by TeslaCrypt
for distributing TeslaCrypt binaries.
Recent Nemucod versions dropped the TeslaCrypt payload in favour of its own ransomware implementation.
The Nemucod ransomware encrypts the first 2048 bytes of a file using a 255-byte XOR key.
To use the decrypter you will require an encrypted file of at least 510 bytes in size as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
Download Nemucod Decryptor >>>
JigSaw
When the Jigsaw ransomware is launched it will scan your drives for certain file extensions,
encrypt them using AES encryption, and append a .FUN, .KKK, or .BTC extension to the filename depending on the version.
The files targeted by the Jigsaw ransomware are:
Download JigSaw Decryptor >>>
How To Use >>>
Petya
Petya Ransomware is a little different to other forms of ransomware
in that it will not just settle for encrypting files, but it will actually run at start up and infect
a system's MBR.
Luckily, an individual by the name of Leo Stone, as well as Fabian Wosar (Emsisoft),
have created a way to decrypt such an infection, albeit a little fiddly.
Petya Decryptor >>>
Alternative Decryptor >>>
How to Use >>>
AutoLocky
AutoLocky is a new ransomware written in the popular scripting language AutoIt.
It tries to imitate the complex and sophisticated Locky ransomware,
but is nowhere near as complex and sophisticated,
which makes decryption feasible.
Victims of AutoLocky will find their files encrypted and renamed to *.locky.
Unlike the real Locky ransomware however,
AutoLocky will not change the base name of the file.
So if a file named picture.jpg is encrypted,
AutoLocky will rename it to picture.jpg.locky while the actual Locky ransomware will change it to a random name.
In addition victims will find a ransom note on their Desktop with the file name info.txt or info.html.
AutoLocky Decryptor >>>
Xorist
From the family of Malware known as Trojan-Ransom.Win32.Xorist, Trojan-Ransom.MSIL.Vandev.
It's designed for unauthorized modification of data on a victim's computer.
It makes computers uncontrollable or blocks their normal performance.
The user is shown messages demanding to send an SMS to decrypt the files.
Another sign is the presence of a file named “Read Me: how to decrypt files” on disk C.
There is a file in the folder Windows named CryptLogFile.txt.
The trojan program encrypts all files with the following extensions:
XoristDecryptor.exe >>>
Alternative Decryptor >>>
Rector
Cybercriminals use Trojan-Ransom.Win32.Rector for disrupting normal performance of computers
and for unauthorized modification of data making it unusable.
Once the data has been “taken hostage” (blocked), its owner (user) receives a ransom demand.
The malicious program Trojan-Ransom.Win32.Rector encrypts files with extensions .jpg, .doc, .pdf, .rar.
An offer to unblock files comes from a cybercriminal named “††KOPPEKTOP††”.
He is offering to communicate with him using the following contacts:
Sometimes he asks to leave a message in the guest book of one of his websites:
RectorDecryptor.exe >>>
Scraper
The malicious program Trojan-Ransom.Win32.Scraper encrypts user files to block access to them.
After the data has been blocked, the user is required to pay a ransom.
ScraperDecryptor.zip >>>
Alpha
When this ransomware infects your computer it will place the main executable at %APPDATA%\Windows\svchost.exe
and create an autorun called Microsoft.
This autorun allows the ransomware to continue the encryption process if the computer is rebooted.
This ransomware executable will automatically be removed after the ransomware finishes encrypting the victim's data.
This ransomware has somewhat of a bizarre encryption routine.
On the computer's SystemDrive, which is usually the C: drive,
it will only encrypt certain file types in the Desktop, My Pictures, and Cookies folders.
All other folders on the SystemDrive will not be encrypted.
The targeted file types for the SystemDrive are:
Alpha Decryptor >>>
777 Ransomware
Use this decrypter if your files have been encrypted and renamed to *.777.
777 Decryptor >>>
TeslaCrypt
TeslaCrypt now has a decryptor available thanks to the creators seemingly having a change of heart.
Both Eset and BloodDolly of BC have come up with their versions of a decryptor.
TeslaCrypt Decryptor >>>
How to use >>>
Alternative Decryptor >>>
How to use >>>
BadBlock
Use this decrypter if your files have been encrypted but not renamed.
The malware identifies itself as BadBlock both in the red ransomware screen as well as in the ransom note "Help Decrypt.html" that can be found on the Desktop.
You will need an encrypted file as well as its unencrypted version.
Just select both the encrypted and original version at the same time and drag and drop them onto the decrypter executable.
The key finding process may take a while, so please be patient.
BadBlock Decryptor >>>
Apocalypse
Use this decrypter if your files have been encrypted and renamed to *.encrypted,
*.FuckYourData or *.SecureCrypted with ransom notes named *.How_To_Decrypt.txt,
*.Where_my_files.txt or *.Contact_Here_To_Recover_Your_Files.txt created for each encrypted file.
The ransom note asks you to contact "decryptionservice@mail.ru" or "recoveryhelp@bk.ru".
Apocalypse Decryptor >>>
ApocalypseVM
Use this decrypter if your files have been encrypted and renamed to *.encrypted or *.locked with ransom notes named *.How_To_Decrypt.txt,
*.README.txt or *.How_To_Get_Back.txt created for each encrypted file.
The ransom note asks you to contact "decryptionservice@inbox.ru" or "decryptdata@inbox.ru" and contains a personal ID.
To use the decrypter you will require an encrypted file of at least 4096 bytes in size as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
ApocalypseVM Decryptor >>>
Stampado
Stampado is a ransomware kit offered within various hacking communities.
Written in AutoIt, it encrypts files using AES-256 encryption and renames them to *.locked.
Known variants of this ransomware ask victims to contact paytodecrypt@sigaint.org or ransom64@sigaint.org to facilitate payment.
In order for the decrypter to work you will require both the email you are asked to contact as well as your ID.
Please keep in mind that both are case sensitive, so proper capitalization does matter.
Please enter both pieces of information into the appropriate fields in the options tab.
Stampado Decryptor >>>
Combat Shade
ShadeDecryptor tool is designed to decrypt files affected by Shade version 1 and version 2.
Shade Decryptor >>> (zipped)
How To Use >>> (pdf)
Fight Rakhni & Friends
RakhniDecryptor tool is designed to decrypt files affected by:
Rakhni Decryptor >>>
How To Use >>> (pdf)
Smash Rannoh & Co
RannohDecryptor tool is designed to decrypt files affected by:
Rannoh Decryptor >>>
How To Use >>> (pdf)
Crypt38
When using this decryptor you will also be given the choice to delete the encrypted files after they are decrypted and to remove the associated ransom notes.
Crypt38 Decryptor >>>
Philadelphia
Philadelphia is a ransomware kit offered within various hacking communities.
Written in AutoIt, it encrypts files using AES-256 encryption, file names using RC4 encryption and uses the *.locked file extension.
It is based on a similar ransomware kit called "Stampado" that is written by the same author.
To use the decrypter you will require a file pair containing both an encrypted file and its non-encrypted original version.
Due to the file name encryption this can be a bit tricky.
The best way is to simply compare file sizes.
Encrypted files will have the size of the original file rounded up to the next 16 byte boundary.
So if the original file was 1020 bytes large, the encrypted file will be 1024.
Select both the encrypted and non-encrypted file and drag and drop both of them onto the decrypter file in your download directory.
Philadelphia decryptor >>>
Fabiansomware
Use this decrypter if your files have been encrypted and renamed to
with ransom notes named
The ransom note asks you to contact
"decryptioncompany@inbox.ru" or "fabianwosar@mail.ru".
To use the decrypter you will require a file pair containing both an encrypted file and its non-encrypted original version.
Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory.
Fabiansomware Decryptor >>>
Fenix Locker
Use this decrypter if your files have been encrypted by the FenixLocker ransomware.
FenixLocker encrypts files and renames them by appending the ".centrumfr@india.com!!" extension.
It leaves behind a ransom note named "CryptoLocker.txt" or "Help to decrypt.txt" on your Desktop,
instructing you to contact "centrumfr@india.com". For example:
To start the decrypter simply drag and drop one of your encrypted files onto the decrypter executable.
Fenix Locker Decryptor >>>
Al-Namrood
The Al-Namrood ransomware is a fork of the Apocalypse ransomware.
The group behind it primarily attacks servers that have remote desktop services enabled.
Encrypted files are renamed to *.unavailable and for each file a ransom note is created with the name *.Read_Me.Txt.
The ransomware asks the victim to contact "decryptioncompany@inbox.ru".
An example can be found below:
To decrypt your files the decrypter requires your ID.
The ID can be set within the "Options" tab.
By default the decrypter will set the ID to the ID that corresponds to the system the decrypter runs on.
However, if that is not the same system the malware infection and encryption took place on, make sure to put in the ID as specified in the ransom note.
Al-Namrood Decryptor >>>
Globe
Globe is a ransomware kit that was first discovered at the end of August.
Files are encrypted using Blowfish.
Since the extension of encrypted files is configurable, several different file extensions are possible.
The most commonly used extensions are .purge, .globe and .okean-1955@india.com.!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg.xtbl.
Ransom notes are stored in .hta files.
An example ransom note looks like this:
To use the decrypter you will require a file pair containing both an encrypted file and its non-encrypted original version.
It is important to use a file pair that is as large as possible, as it determines the maximum file size up to which the decrypter will be able to decrypt your files.
Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory.
Globe Decryptor >>>
Globe2
Globe2 is a ransomware kit that was first discovered at the beginning of October.
Globe2 encrypts files and optionally file names using RC4.
Since the extension of encrypted files is configurable, several different file extensions are possible.
The most commonly used extensions are .raid10, .blt, .globe, .encrypted and .[mia.kokers@aol.com].
To use the decrypter you will require a file pair containing both an encrypted file and its non-encrypted original version.
Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory.
If file names are encrypted, please use the file size to determine the correct file.
Encrypted and original file will have exactly the same size.
Globe2 Decryptor >>>
OzozaLocker
Use this decrypter if your files have been renamed to *.locked and you find a ransom note named "HOW TO DECRYPT YOU FILES.txt" on your desktop.
Double clicking an encrypted file will also display a message box instructing you to contact "santa_helper@protonmail.com".
To use the decrypter you will require an encrypted file of at least 510 bytes in size as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
OzozaLocker Decryptor >>>
NMoreira
NMoreira, also known as XRatTeam or XPan, is a file encrypting ransomware.
It uses a mix of RSA and AES-256 to encrypt your files.
Encrypted files have either the extension *.maktub or *.__AiraCropEncrypted!.
In addition, the ransomware will create one of the following ransom notes.
Portuguese version used by the *.maktub variant using the file name "Recupere seus arquivos. Leia-me!.txt":
English version used by the *.__AiraCropEncrypted! variant using the file name "How to decrypt your files.txt":
Keep in mind that due to the complexity of the used encryption scheme, decrypting files can be very time-consuming.
In addition, due to the fact that the ransomware doesn't leave anything behind that would allow verification that the file was decrypted properly,
the decrypter tries to guess whether or not the file has been decrypted properly.
This guessing process can be prone to error and may not work correctly.
It also means that if the decrypter does not know the file format, it will also be unable to decrypt it reliably.
At the moment the decrypter supports over 3000 different binary file formats, but especially text-based formats
that lack a unique identifier in the first 16 bytes of the file will not be recognised.
NMoreira Decryptor >>>
OpenToYou
OpenToDecrypt is a ransomware written in the Delphi programming language that encrypts your files using the RC4 encryption algorithm.
Encrypted files get renamed to *.-opentoyou@india.com and a ransom note named "!!!.txt" can be found on your Desktop.
The ransom note contains the following text:
OpenToYou Decryptor >>>
Globe 3
Globe3 is a ransomware kit that we first discovered at the beginning of 2017.
Globe3 encrypts files and optionally filenames using AES-256.
Since the extension of encrypted files is configurable, several different file extensions are possible.
The most commonly used extensions are .decrypt2017 and .hnumkhotep.
To use the decrypter, you will require a file pair containing both an encrypted file and its non-encrypted original version.
Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory.
If file names are encrypted, please use the file size to determine the correct file.
The encrypted and the original file will have the same size for files greater than 64 kb.
Due to a bug in the ransomware, decrypted files smaller than 64 kb will be up to 15 bytes larger than the originals.
This file size increase is due to the fact that the ransomware rounds file sizes up to the next 16-byte boundary without saving the original file size.
For most file formats this is unlikely to cause problems.
However, if your applications complain about corrupted file formats,
you may have to manually remove trailing zero bytes at the end of the file using a hex editor.
Globe 3 Decryptor >>>
GlobeImposter
GlobeImposter is a Globe copycat that imitates the ransom notes and file extension found in the Globe ransomware kit.
Encrypted files have the extension *.crypt and the base name of the file is unchanged.
The ransom note is named "HOW_OPEN_FILES.hta" and can be found in all folders that contain encrypted files.
To start the decryption process you will need a file pair consisting of an encrypted file and the non-encrypted version of the same file.
Select both and drag and drop them onto the decrypter binary to start the process.
GlobeImposter Decryptor >>>
Chimera
Chimera is a doxing type of ransomware.
It will come in the form of an email and, when deployed, will begin to enumerate files across all disks and begin the encryption process.
Kaspersky have created a decryptor for the job.
Chimera Decryptor >>>
How To Guide pdf >>>
DeriaLock
When executed, DeriaLock will use the computer's MachineName ID and generate an MD5 hash in order to not infect the malware authors.
It will create an .exe called SystemLock.exe, which will display a lock screen with the message:
DeriaLock will also kill the following processes:
DeriaLock Decryptor >>>
How To Guide pdf >>>
PHP / Heimdall
PHP Ransomware, aka Heimdall, is known to target and infect compromised servers. It is said to be of low risk in the wild, but a decryptor is available.
PHP/Heimdall Decryptor >>>
How To Guide pdf >>>
WildFire
WildFire Ransomware is said to be associated with the Kelihos botnet in its rise.
Previously there were no decryptors available, but both Kaspersky and Intel have created tools to do just that.
WildFire Decryptor >>>
Alternative decryptor >>>
How To Guide pdf >>>
Rakhni V2
This tool is designed to decrypt files encrypted by:
Rakhni V2 Decryptor >>>
How To Guide pdf >>>
Trend Micro Ransomware Tool
The Trend Micro Ransomware File Decryptor can decrypt files encrypted by 20+ different ransomware families.
Trend Micro Ransomware Decryption Tool >>>
How To Guide pdf >>>
Linux.Encoder.1
BitDefender have created a decryptor for the Linux.Encoder.1 and Linux.Encoder.3 ransomware.
Linux.Encoder.1 Decryptor >>>
How To Guide pdf >>>
Linux.Encoder.3
BitDefender have created a decryptor for the Linux.Encoder.1 and Linux.Encoder.3 ransomware.
Linux.Encoder.3 Decryptor >>>
How To Guide pdf >>>
Marlboro
The Marlboro ransomware was first seen on January 11th, 2017.
It is written in C++ and uses a simple XOR-based encryption algorithm.
Encrypted files are renamed to ".oops".
The ransom note is stored inside a file named "_HELP_Recover_Files_.html" and includes no further point of contact.
Due to a bug in the malware's code, the malware will truncate up to the last 7 bytes from files it encrypts.
It is, unfortunately, impossible for the decrypter to reconstruct these bytes.
To use the decrypter, you will require an encrypted file of at least 640 bytes in size as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
Marlboro Decryptor >>>
MRCR
MRCR or Merry X-Mas is a ransomware family that first appeared in December last year.
It is written in Delphi and uses a custom encryption algorithm.
Encrypted files will have either ".PEGS1", ".MRCR1", ".RARE1" or ".RMCM1" as an extension.
The ransom note is named "YOUR_FILES_ARE_DEAD.HTA" and asks victims to contact either "comodosec@yandex.ru" or "comodosecurity" via the secure mobile messenger Telegram.
To start the decryption process you will need a file pair consisting of an encrypted file and the non-encrypted version of the same file.
The files need to be between 64 KB and 100 MB in size.
Select both and drag and drop them onto the decrypter executable to start the process.
MRCR Decryptor >>>
Damage
Damage is a ransomware written in Delphi.
It uses a combination of SHA-1 and Blowfish to encrypt the first and last 8 kb of a file.
Encrypted files have the extension ".damage" and the ransom note, which is named "damage@india.com[].txt", asks to contact "damage@india.com".
The ransom note contains the following message:
To use the decrypter, you will require an encrypted file as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
Damage Decryptor >>>
CryptON
CryptON aka Nemesis aka X3M is a ransomware family that is mostly used for targeted attacks via RDP.
Files are encrypted using a mix of RSA, AES-256 and SHA-256.
We have seen the following extensions being used by CryptON:
To use the decrypter, you will require an encrypted file of at least 128 KB in size as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
CryptON Decryptor >>>
Cry9
Cry9 is the successor of the CryptON ransomware family that is mostly used for targeted attacks via RDP.
Files are encrypted using a customized version of AES, RSA and SHA-512.
We have seen the following extensions being used by Cry9:
DecryptorMax
CryptInfinite or DecryptorMax is a ransomware family targeting Windows.
It creates ransom notes called ReadDecryptFilesHere.txt on your system and encrypts the following file types:
*.ACCDB, *.BAY, *.DBF, *.DER, *.DNG, *.DOCX, *.DXF, *.ERF, *.INDD, *.MEF, *.MRW, *.ODB, *.ODP, *.PDD, *.PEF, *.PPTM, *.PSD, *.PTX, *.RAW, *.SRF, *.XLK, *.XLS, *.ach, *.aiff, *.arw, *.asf, *.asx, *.avi, *.back, *.backup, *.bak, *.bin, *.blend, *.cdr, *.cer, *.cpp, *.crt, *.crw, *.dat, *.dcr, *.dds, *.des, *.dit, *.doc, *.docm, *.dtd, *.dwg, *.dxg, *.edb, *.eml, *.eps, *.fla, *.flac, *.flvv, *.gif, *.groups, *.hdd, *.hpp, *.iif, *.java, *.kdc, *.key, *.kwm, *.log, *.lua, *.m2ts, *.max, *.mdb, *.mdf, *.mkv, *.mov, *.mpeg, *.mpg, *.msg, *.ndf, *.nef, *.nrw, *.nvram, *.oab, *.obj, *.odc, *.odm, *.ods, *.odt, *.ogg, *.orf, *.ost, *.pab, *.pas, *.pct, *.pdb, *.pdf, *.pem, *.pfx, *.pif, *.png, *.pps, *.ppt, *.pptx, *.prf, *.pst, *.pwm, *.qba, *.qbb, *.qbm, *.qbr, *.qbw, *.qbx, *.qby, *.qcow, *.qcow2, *.qed, *.raf, *.rtf, *.rvt, *.rwl, *.safe, *.sav, *.sql, *.srt, *.srw, *.stm, *.svg, *.swf, *.tex, *.tga, *.thm, *.tlg, *.vbox, *.vdi, *.vhd, *.vhdx, *.vmdk, *.vmsd, *.vmx, *.vmxf, *.vob, *.wav, *.wma, *.wmv, *.wpd, *.wps, *.xlr, *.xlsb, *.xlsm, *.xlsx, *.yuv,*.JPEG,*.jpe, *.jpg
Download DecryptorMax Decryptor >>>
NanoLocker
NanoLocker is distributed via email attachments which, when opened,
create a fake PDF error.
In reality, though, the program is now running silently in the background and scanning your drives for data to encrypt.
When it finds a targeted data file it will encrypt it using AES encryption and then add the filename and its path to the %LocalAppData%\lansrv.ini file.
The file extensions targeted by NanoLocker are:
*.jpg, *.jpeg, *.tif, *.bmp, *.max, *.accdb, *.dbf, *.mdb, *.pdb, *.sql, *.*sav*, *.*spv*, *.*grle*, *.*mlx*, *.*game*, *.*slot*, *.dwg, *.dxf, *.cpp, *.php, *.asp, *.java, *.jar, *.class, *.aaf, *.aep, *.aepx, *.plb, *.prel, *.prproj, *.aet, *.ppj, *.psd, *.indd, *.indl, *.indt, *.indb, *.inx, *.idml, *.pmd, *.xqx, *.eps, *.svg, *.swf, *.fla, *.doc, *.dot, *.docx, *.docm, *.dotx, *.dotm, *.docb, *.rtf, *.wpd, *.wps, *.msg, *.pdf, *.xls, *.xlt, *.xlm, *.xlsx, *.xlsm, *.xltx, *.xltm, *.xlsb, *.xla, *.xlam, *.xll, *.xlw, *.ppt, *.pot, *.pps, *.pptx, *.pptm, *.potx, *.potm, *.ppam, *.ppsx, *.ppsm, *.sldx, *.sldm, *.wav, *.aif, *.iff, *.mid, *.mpa, *.wma, *.avi, *.mov, *.mpeg, *.asf, *.asx, *.flv, *.mpg, *.wmv, *.vob, *.csv, *.efx, *.sdf, *.vcf, *.xml, *.crt, *.pem, *.cer, *.pfx, *.odt, *.ods, *.odp, *.odm, *.odb, *.odc, *.xlk, *.dxg, *.pst, *.mdf, *.cdr, *.arw, *.dng, *.rar, *.zip, *.srf, *.bay, *.crw, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.ptx, *.pef, *.srw, *.der
For details on How To Use see here >>>
Download NanoLocker Decryptor >>>
CryptInfinite
CryptInfinite or DecryptorMax is a ransomware family targeting Windows.
It creates ransom notes called ReadDecryptFilesHere.txt on your system and encrypts the following file types:
*.ACCDB, *.BAY, *.DBF, *.DER, *.DNG, *.DOCX, *.DXF, *.ERF, *.INDD, *.MEF, *.MRW, *.ODB, *.ODP, *.PDD, *.PEF, *.PPTM, *.PSD, *.PTX, *.RAW, *.SRF, *.XLK, *.XLS, *.ach, *.aiff, *.arw, *.asf, *.asx, *.avi, *.back, *.backup, *.bak, *.bin, *.blend, *.cdr, *.cer, *.cpp, *.crt, *.crw, *.dat, *.dcr, *.dds, *.des, *.dit, *.doc, *.docm, *.dtd, *.dwg, *.dxg, *.edb, *.eml, *.eps, *.fla, *.flac, *.flvv, *.gif, *.groups, *.hdd, *.hpp, *.iif, *.java, *.kdc, *.key, *.kwm, *.log, *.lua, *.m2ts, *.max, *.mdb, *.mdf, *.mkv, *.mov, *.mpeg, *.mpg, *.msg, *.ndf, *.nef, *.nrw, *.nvram, *.oab, *.obj, *.odc, *.odm, *.ods, *.odt, *.ogg, *.orf, *.ost, *.pab, *.pas, *.pct, *.pdb, *.pdf, *.pem, *.pfx, *.pif, *.png, *.pps, *.ppt, *.pptx, *.prf, *.pst, *.pwm, *.qba, *.qbb, *.qbm, *.qbr, *.qbw, *.qbx, *.qby, *.qcow, *.qcow2, *.qed, *.raf, *.rtf, *.rvt, *.rwl, *.safe, *.sav, *.sql, *.srt, *.srw, *.stm, *.svg, *.swf, *.tex, *.tga, *.thm, *.tlg, *.vbox, *.vdi, *.vhd, *.vhdx, *.vmdk, *.vmsd, *.vmx, *.vmxf, *.vob, *.wav, *.wma, *.wmv, *.wpd, *.wps, *.xlr, *.xlsb, *.xlsm, *.xlsx, *.yuv,*.JPEG,*.jpe, *.jpg
Download CryptInfinite Decryptor >>>
HydraCrypt & UmbreCrypt
HydraCrypt and UmbreCrypt belong to the CrypBoss ransomware family.
Encrypted files will be renamed to either *.hydracrypt* or *.umbrecrypt*.
Download Hydra & Umbre Decryptor >>>
DMALocker2
DMALocker is a ransomware targetting Windows.
Files are encrypted but are not renamed.
The malware will identify itself as DMA Locker and display an ID.
This decrypter is specifically designed to decrypt files of infections with ID "DMALOCK 43:41:90:35:25:13:61:92".
Download DMALocker2 Decryptor >>>
DMALocker
DMALocker is a ransomware targetting Windows.
Files are encrypted but are not renamed.
The malware will identify itself as DMA Locker and display an ID.
This decrypter is specifically designed to decrypt files of infections with ID "DMALOCK 41:55:16:13:51:76:67:99".
Download DMALocker Decryptor >>>
CrypBoss
CrypBoss is a ransomware family targetting Windows.
Encrypted files are renamed to either *.crypt or *.R16M01D05.
The malware drops ransom notes named HELP_DECRYPT.jpg or HELP_DECRYPT.txt into various locations on the system.
The ransom notes instruct to contact a @dr.com email address.
Download CrypBoss Decryptor >>>
KeyBTC
KeyBTC is a ransomware family that arrives as a JavaScript on the system.
It encrypts the first 2048 bytes of files it targets.
File extensions are not changed upon encryption and a ransom note is stored inside DECRYPT_YOUR_FILES.txt on your Desktop.
Download KeyBTC Decryptor >>>
Radamant
Radamant is a ransomware-as-a-service toolkit offered within hacker forums that targets Windows.
Encrypted files will be renamed to either *.rdm or *.rrk.
The ransom note will be stored inside "YOUR_FILES.url" on your Desktop.
Download Radamant Decryptor >>>
PClock
PClock is a ransomware that tries to pass as "CryptoLocker" when infecting the system.
It does not rename any files and stores a list of all encrypted files inside "%UserProfile%\enc_files.txt".
Download PClock Decryptor >>>
CryptoDefense
CryptoDefense is a ransomware family targeting Windows.
Files encrypted by CryptoDefense will have no change in extension.
The malware will identify itself as CryptoDefense and create ransom notes named HOW_DECRYPT.txt,
HOW_DECRYPT.html and HOW_DECRYPT.url on your Desktop and other directories.
Download CryptoDefense Decryptor >>>
Harasom
Harasom is a family of infections that are classified as Ransomware because they block you from gaining access to your Windows desktop, applications,
or files until you pay a ransom.
This family of infections will also encrypt all of your data files and change them to an HTML file.
When you double-click on one of these files,
the HTML file will open showing you an image that states that the file is encrypted.
The types of files that this infection encrypts include:
.ddrw, .pptm, .dotm, .xltx, .text, .docm, .djvu, .potx, .jpeg, .pptx, .sldm, .lnk, .txt, .xlsm, .sldx, .xlsb, .ppam, .xlsx, .ppsm, .ppsx, .docx, .odp, .eml, .ods, .dot, .php, .xla, .pas, .gif, .mpg, .ppt, .bkf, .sda, .mdf, .ico, .dwg, .mbx, .sfx, .mdb, .zip, and .xlt.
Download Harasom Decryptor >>>
PClock2
PClock2 usually enters the user’s system via infected torrent downloads.
Once on a victim’s computer, PClock2 establishes persistence on the system using the following Registry entry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\]
“wincl” = “%APPDATA%\WinDsk\windsk.exe”
PClock2 saves additional details about the infection, like the Bitcoin payment address, here:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\CLOCK
Download PClock2 Decryptor >>>
CoinVault
A tool for reversing the encryption process of CoinVault crypto-malware is currently available for download,
with new decryption keys being added as the investigation advances.
How To Use Guide PDF >>>
Download CoinVault Decryptor ZIP file >>>
Nemucod
Nemucod is a JavaScript downloader malware that was previously used
to distribute TeslaCrypt binaries.
Recent Nemucod versions dropped the TeslaCrypt payload in favour of its own ransomware implementation.
The Nemucod ransomware encrypts the first 2048 bytes of a file using a 255-byte XOR key.
To use the decrypter you will require an encrypted file of at least 510 bytes in size as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
Download Nemucod Decryptor >>>
JigSaw
When the Jigsaw ransomware is launched it will scan your drives for certain file extensions,
encrypt them using AES encryption, and append a .FUN, .KKK, or .BTC extension to the filename depending on the version.
The files targeted by the Jigsaw ransomware are:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .Qbw, .QBB, .QBM, .QBI, .QBR, .Cnt, .Des, .v30, .Qbo, .Ini, .Lgb, .Qwc, .Qbp, .Aif, .Qba, .Tlg, .Qbx, .Qby, .1pa, .Qpd, .Txt, .Set, .Iif, .Nd, .Rtp, .Tlg, .Wav, .Qsm, .Qss, .Qst, .Fx0, .Fx1, .Mx0, .FPx, .Fxr, .Fim, .ptb, .Ai, .Pfb, .Cgn, .Vsd, .Cdr, .Cmx, .Cpt, .Csl, .Cur, .Des, .Dsf, .Ds4, .Drw, .Dwg, .Eps, .Ps, .Prn, .Gif, .Pcd, .Pct, .Pcx, .Plt, .Rif, .Svg, .Swf, .Tga, .Tiff, .Psp, .Ttf, .Wpd, .Wpg, .Wi, .Raw, .Wmf, .Txt, .Cal, .Cpx, .Shw, .Clk, .Cdx, .Cdt, .Fpx, .Fmv, .Img, .Gem, .Xcf, .Pic, .Mac, .Met, .PP4, .Pp5, .Ppf, .Xls, .Xlsx, .Xlsm, .Ppt, .Nap, .Pat, .Ps, .Prn, .Sct, .Vsd, .wk3, .wk4, .XPM, .zip, .rar
How To Use >>>
Petya
Petya Ransomware is a little different to other forms of ransomware
in that it will not just settle for encrypting files, but it will actually run at start up and infect
a system's MBR.
Luckily, Leo Stone and Fabian Wosar (Emsisoft)
have created a way to decrypt such an infection, albeit a little fiddly.
Petya Decryptor >>>
Alternative Decryptor >>>
How to Use >>>
AutoLocky
AutoLocky is a new ransomware written in the popular scripting language AutoIt.
It tries to imitate the complex and sophisticated Locky ransomware,
but is nowhere near as complex and sophisticated,
which makes decryption feasible.
Victims of AutoLocky will find their files encrypted and renamed to *.locky.
Unlike the real Locky ransomware however,
AutoLocky will not change the base name of the file.
So if a file named picture.jpg is encrypted,
AutoLocky will rename it to picture.jpg.locky while the actual Locky ransomware will change it to a random name.
In addition victims will find a ransom note on their Desktop with the file name info.txt or info.html.
AutoLocky Decryptor >>>
Xorist
From the family of Malware known as Trojan-Ransom.Win32.Xorist, Trojan-Ransom.MSIL.Vandev.
It's designed for unauthorized modification of data on a victim's computer.
It makes computers uncontrollable or blocks their normal performance.
The user is shown messages demanding that they send an SMS to decrypt the files.
Another sign is the presence of a file named “Read Me: how to decrypt files” on disk C.
There is a file in the folder Windows named CryptLogFile.txt.
The trojan program encrypts all files with the following extensions:
doc, xls, docx, xlsx, db, mp3, waw, jpg, jpeg, txt, rtf, pdf, rar, zip, psd, msi, tif, wma, lnk, gif, bmp, ppt, pptx, docm, xlsm, pps, ppsx, ppd, tiff, eps, png, ace, djvu, xml, cdr, max, wmv, avi, wav, mp4, pdd, html, css, php, aac, ac3, amf, amr, mid, midi, mmf, mod, mp1, mpa, mpga, mpu, nrt, oga, ogg, pbf, ra, ram, raw, saf, val, wave, wow, wpk, 3g2, 3gp, 3gp2, 3mm, amx, avs, bik, bin, dir, divx, dvx, evo, flv, qtq, tch, rts, rum, rv, scn, srt, stx, svi, swf, trp, vdo, wm, wmd, wmmp, wmx, wvx, xvid, 3d, 3d4, 3df8, pbs, adi, ais, amu, arr, bmc, bmf, cag, cam, dng, ink, jif, jiff, jpc, jpf, jpw, mag, mic, mip, msp, nav, ncd, odc, odi, opf, qif, qtiq, srf, xwd, abw, act, adt, aim, ans, asc, ase, bdp, bdr, bib, boc, crd, diz, dot, dotm, dotx, dvi, dxe, mlx, err, euc, faq, fdr, fds, gthr, idx, kwd, lp2, ltr, man, mbox, msg, nfo, now, odm, oft, pwi, rng, rtx, run, ssa, text, unx, wbk, wsh, 7z, arc, ari, arj, car, cbr, cbz, gz, gzig, jgz, pak, pcv, puz, r00, r01, r02, r03, rev, sdn, sen, sfs, sfx, sh, shar, shr, sqx, tbz2, tg, tlz, vsi, wad, war, xpi, z02, z04, zap, zipx, zoo, ipa, isu, jar, js, udf, adr, ap, aro, asa, ascx, ashx, asmx, asp, aspx, asr, atom, bml, cer, cms, crt, dap, htm, moz, svr, url, wdgt, abk, bic, big, blp, bsp, cgf, chk, col, cty, dem, elf, ff, gam, grf, h3m, h4r, iwd, ldb, lgp, lvl, map, md3, mdl, mm6, mm7, mm8, nds, pbp, ppf, pwf, pxp, sad, sav, scm, scx, sdt, spr, sud, uax, umx, unr, uop, usa, usx, ut2, ut3, utc, utx, uvx, uxx, vmf, vtf, w3g, w3x, wtd, wtf, ccd, cd, cso, disk, dmg, dvd, fcd, flp, img, iso, isz, md0, md1, md2, mdf, mds, nrg, nri, vcd, vhd, snp, bkf, ade, adpb, dic, cch, ctt, dal, ddc, ddcx, dex, dif, dii, itdb, itl, kmz, lcd, lcf, mbx, mdn, odf, odp, ods, pab, pkb, pkh, pot, potx, pptm, psa, qdf, qel, rgn, rrt, rsw, rte, sdb, sdc, sds, sql, stt, t01, t03, t05, tcx, thmx, txd, txf, upoi, vmt, wks, wmdb, xl, xlc, xlr, xlsb, xltx, ltm, xlwx, mcd, cap, cc, cod, cp, cpp, cs, csi, dcp, dcu, dev, dob, dox, dpk, dpl, dpr, dsk, dsp, eql, 
ex, f90, fla, for, fpp, jav, java, lbi, owl, pl, plc, pli, pm, res, rnc, rsrc, so, swd, tpu, tpx, tu, tur, vc, yab, 8ba, 8bc, 8be, 8bf, 8bi8, bi8, 8bl, 8bs, 8bx, 8by, 8li, aip, amxx, ape, api, mxp, oxt, qpx, qtr, xla, xlam, xll, xlv, xpt, cfg, cwf, dbb, slt, bp2, bp3, bpl, clr, dbx, jc, potm, ppsm, prc, prt, shw, std, ver, wpl, xlm, yps, md3.
Alternative Decryptor >>>
Rector
Cybercriminals use Trojan-Ransom.Win32.Rector for disrupting normal performance of computers
and for unauthorized modification of data making it unusable.
Once the data has been “taken hostage” (blocked), its owner (user) receives a ransom demand.
The malicious program Trojan-Ransom.Win32.Rector encrypts files with extensions .jpg, .doc, .pdf, .rar.
An offer to unblock files comes from a cybercriminal named “††KOPPEKTOP††”.
He offers to communicate using the following contacts:
ICQ: 557973252 or 481095
EMAIL: v-martjanov@mail.ru
h***://trojan....sooot.cn/
h***://malware....66ghz.com/
Scraper
The malicious program Trojan-Ransom.Win32.Scraper encrypts user files to block access to them.
After the data has been blocked, the user is required to pay a ransom.
ScraperDecryptor.zip >>>
Alpha
When this ransomware infects your computer it will place the main executable at %APPDATA%\Windows\svchost.exe
and create an autorun called Microsoft.
This autorun allows the ransomware to continue the encryption process if the computer is rebooted.
This ransomware executable will automatically be removed after the ransomware finishes encrypting the victim's data.
This ransomware has somewhat of a bizarre encryption routine.
On the computer's SystemDrive, which is usually the C: drive,
it will only encrypt certain file types in the Desktop, My Pictures, and Cookies folders.
All other folders on the SystemDrive will not be encrypted.
The targeted file types for the SystemDrive are:
.3ds, .3fr, .3pr, .ab4, .ac2, .accdb, .accde, .accdr, .accdt, .acr, .adb, .agd1, .ai, .ait, .al, .apj, .arw, .asm, .asp, .aspx, .awg, .backup, .backupdb, .bak, .bat, .bdb, .bgt, .bik, .bkp, .blend, .bmp, .bpw, .c, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmd, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .css, .csv, .dac, .db, .db3, .dbf, .db-journal, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .der, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dwg, .dxb, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fpx, .fxg, .gif, .gray, .grey, .gry, .h, .h, .hbk, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iiq, .incpas, .jar, .java, .jpeg, .jpg, .js, .kc2, .kdbx, .kdc, .kpdx, .lua, .mdb, .mdc, .mef, .mfw, .mmw, .moneywell, .mos, .mpg, .mrw, .myd, .ndd, .nef, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx1, .nx2, .nyf, .odb, .odf, .odg, .odm, .odp, .ods, .odt, .orf, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pat, .pcd, .pdf, .pef, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps, .psafe3, .psd, .ptx, .py, .ra2, .raf, .raw, .rdb, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .sav, .sd0, .sd1, .sda, .sdf, .sldm, .sldx, .sln, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .txt, .vb, .vbs, .wb2, .x3f, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra
777 Ransomware
Use this decrypter if your files have been encrypted and renamed to *.777.
777 Decryptor >>>
TeslaCrypt
TeslaCrypt now has a decryptor available thanks to the creators seemingly having a change of heart.
Both Eset and BloodDolly of BC have come up with their versions of a decryptor.
TeslaCrypt Decryptor >>>
How to use >>>
Alternative Decryptor >>>
How to use >>>
BadBlock
Use this decrypter if your files have been encrypted but not renamed.
The malware identifies itself as BadBlock both in the red ransomware screen as well as in the ransom note "Help Decrypt.html" that can be found on the Desktop.
You will need an encrypted file as well as its unencrypted version.
Just select both the encrypted and original version at the same time and drag and drop them onto the decrypter executable.
The key finding process may take a while, so please be patient.
BadBlock Decryptor >>>
Apocalypse
Use this decrypter if your files have been encrypted and renamed to *.encrypted,
*.FuckYourData or *.SecureCrypted with ransom notes named *.How_To_Decrypt.txt,
*.Where_my_files.txt or *.Contact_Here_To_Recover_Your_Files.txt created for each encrypted file.
The ransom note asks you to contact "decryptionservice@mail.ru" or "recoveryhelp@bk.ru".
Apocalypse Decryptor >>>
ApocalypseVM
Use this decrypter if your files have been encrypted and renamed to *.encrypted or *.locked with ransom notes named *.How_To_Decrypt.txt,
*.README.txt or *.How_To_Get_Back.txt created for each encrypted file.
The ransom note asks you to contact "decryptionservice@inbox.ru" or "decryptdata@inbox.ru" and contains a personal ID.
To use the decrypter you will require an encrypted file of at least 4096 bytes in size as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
ApocalypseVM Decryptor >>>
Stampado
Stampado is a ransomware kit offered within various hacking communities.
Written in AutoIt, it encrypts files using AES-256 encryption and renames them to *.locked.
Known variants of this ransomware ask victims to contact paytodecrypt@sigaint.org or ransom64@sigaint.org to facilitate payment.
In order for the decrypter to work you will require both the email you are asked to contact as well as your ID.
Please keep in mind that both are case sensitive, so proper capitalization does matter.
Please enter both pieces of information into the appropriate fields in the options tab.
Stampado Decryptor >>>
Combat Shade
ShadeDecryptor tool is designed to decrypt files affected by Shade version 1 and version 2.
Shade Decryptor >>> (zipped)
How To Use >>> (pdf)
Fight Rakhni & Friends
RakhniDecryptor tool is designed to decrypt files affected by:
Rakhni, Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Lortok, Cryptokluchen, Democry, Bitman (TeslaCrypt) version 3 and 4.
How To Use >>> (pdf)
Smash Rannoh & Co
RannohDecryptor tool is designed to decrypt files affected by:
Rannoh, AutoIt, Fury, Crybola, Cryakl, CryptXXX versions 1 and 2 (files encrypted by Trojan-Ransom.Win32.CryptXXX version 3 are detected, but not decrypted).
How To Use >>> (pdf)
Crypt38
The Crypt38 Ransomware will encrypt your files and add the .crypt38 extension to encrypted files.
So a file called test.jpg would be encrypted as test.jpg.crypt38.
Crypt38 Decryptor >>>
Philadelphia
Philadelphia is a ransomware kit offered within various hacking communities.
Written in AutoIt, it encrypts files using AES-256 encryption, file names using RC4 encryption and uses the *.locked file extension.
It is based on a similar ransomware kit called "Stampado" that is written by the same author.
To use the decrypter you will require a file pair containing both an encrypted file and its non-encrypted original version.
Due to the file name encryption this can be a bit tricky.
The best way is to simply compare file sizes.
Encrypted files will have the size of the original file rounded up to the next 16 byte boundary.
So if the original file was 1020 bytes large, the encrypted file will be 1024.
Select both the encrypted and non-encrypted file and drag and drop both of them onto the decrypter file in your download directory.
Philadelphia decryptor >>>
Fabiansomware
Use this decrypter if your files have been encrypted and renamed to *.encrypted, with ransom notes named *.How_To_Decrypt_Your_Files.txt
that ask you to contact "decryptioncompany@inbox.ru" or "fabianwosar@mail.ru".
To use the decrypter you will require a file pair containing both an encrypted file and its non-encrypted original version.
Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory.
Fabiansomware Decryptor >>>
Fenix Locker
Use this decrypter if your files have been encrypted by the FenixLocker ransomware.
FenixLocker encrypts files and renames them by appending the ".centrumfr@india.com!!" extension.
It leaves behind a ransom note named "CryptoLocker.txt" or "Help to decrypt.txt" on your Desktop,
instructing you to contact "centrumfr@india.com". For example:
All of your files are encrypted, to decrypt them write me to email : centrumfr@india.com
Your key:
5ff56ffbddfeb3c32b0fd0c560e1ebbdda0a185e06dbef2558588a56323740
423936533a1d177127601611ddbd10bcebd98bf0062b6341acb6d8ff1e26
a8774a4e01093ee8536c940abf37fb5ed7da37a158226a695a6cca537537
98110cebe9b69a021104475dfd01fca5b33f53f6e6ed604867b820c4592e
1602d8e5d4400f
Fenix Locker Decryptor >>>
Al-Namrood
The Al-Namrood ransomware is a fork of the Apocalypse ransomware.
The group behind it primarily attacks servers that have remote desktop services enabled.
Encrypted files are renamed to *.unavailable and for each file a ransom note is created with the name *.Read_Me.Txt.
The ransomware asks the victim to contact "decryptioncompany@inbox.ru".
An example can be found below:
Hello!
All your files was encrypted.
If you wanna recover your files contact me as soon as possible:
decryptioncompany@inbox.ru
Your ID: B5584071
You have few days for contact me, then all your files will be lost.
If you dont get answer more than 24 hours - try any public mail service for contact me(like gmail or yahoo).
Regards.
The ID can be set within the "Options" tab.
By default the decrypter will set the ID to the ID that corresponds to the system the decrypter runs on.
However, if that is not the same system the malware infection and encryption took place on, make sure to put in the ID as specified in the ransom note.
Al-Namrood Decryptor >>>
Globe
Globe is a ransomware kit that was first discovered at the end of August.
Files are encrypted using Blowfish.
Since the extension of encrypted files is configurable, several different file extensions are possible.
The most commonly used extensions are .purge, .globe and .okean-1955@india.com.!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg.xtbl.
Ransom notes are stored in .hta files.
An example ransom note looks like this:
You personal ID
<long hex string split into multiple lines>
Your files have been been encrypted with a powerfull strain of a virus called ransomware.
Your files are encrytped using rsa encryption, the same standard used by the military and banks. It is currently impossible to decrypt files encrypted with rsa encryption..
Lucky for you, we can help. We are willing to sell you a decryptor UNIQUELY made for your computer (meaning someone else's decryptor will not work for you). Once you pay a small fee, we will instantly send you the software/info neccessary to decrypt all your files, quickly and easilly.
In order to get in touch with us email us at powerbase@tutanota.com.In your email write your personal ID (its located at the up of the page, it is a string of random characters). Once we receive your personal ID, we will send you payment instructions.
As proff we can decrypt you files we may decrypt 1 small file for test.
If you dont get answer from powerbase@tutanota.com in 10 hours
Register here: bitmsg.me (online sending message service Bitmessage)
Write to adress BM-2cUrKsazEKiamN9cZ17xQq9c5JpRpokca5 with you email and personal ID
When you payment will bee confirmed, You will get decrypter of files on you computer.
After you run decrypter software all you files will be decryped and restored.
IMPORTANT!
Do not try restore files without our help, this is useless and you may lose data permanetly
Decrypters of others clients are unique and work only on PC with they personal ID.
We can not keep your decryption keys forever, meaning after 1 week after you have been infected, if you have not paid, we will not be able to decrypt your files. Email us as soon as you see this message, we know exactly when everyone has been encrypted and the longer you wait, the higher the payment gets.
It is important to use a file pair that is as large as possible, as it determines the maximum file size up to which the decrypter will be able to decrypt your files.
Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory.
Globe Decryptor >>>
Globe2
Globe2 is a ransomware kit that was first discovered at the beginning of October.
Globe2 encrypts files and optionally file names using RC4.
Since the extension of encrypted files is configurable, several different file extensions are possible.
The most commonly used extensions are .raid10, .blt, .globe, .encrypted and .[mia.kokers@aol.com].
To use the decrypter you will require a file pair containing both an encrypted file and its non-encrypted original version.
Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory.
If file names are encrypted, please use the file size to determine the correct file.
Encrypted and original file will have exactly the same size.
Globe2 Decryptor >>>
OzozaLocker
Use this decrypter if your files have been renamed to *.locked and you find a ransom note named "HOW TO DECRYPT YOU FILES.txt" on your desktop.
Double clicking an encrypted file will also display a message box instructing you to contact "santa_helper@protonmail.com".
To use the decrypter you will require an encrypted file of at least 510 bytes in size as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
OzozaLocker Decryptor >>>
NMoreira
NMoreira, also known as XRatTeam or XPan, is a file encrypting ransomware.
It uses a mix of RSA and AES-256 to encrypt your files.
Encrypted files have either the extension *.maktub or *.__AiraCropEncrypted!.
In addition, the ransomware will create one of the following ransom notes.
Portuguese version used by the *.maktub variant using the file name "Recupere seus arquivos. Leia-me!.txt":
Olá, seus arquivos foram criptografados.
A única forma de tê-los de volta, é atraves de um software juntamente com sua chave privada.
Caso haja interesse em recuperar seus arquivos, entre em contato pelo seguinte email: contatomaktub@email.tg
No campo do email, me envie sua chave pública que está logo abaixo.
Te responderei o mais rápido possível e lhe darei a garantia de recuperação dos arquivos.
Att
Chave pública: CC638AF6DE4D9B9998E74D00252862E512277575BA644D28D9320952F2C2193A
Encrypted Files!
All your files are encrypted. Using encryption AES256-bit and RSA-2048-bit.
Making it impossible to recover the files without the correct private key.
If you are interested in getting is key, and retrieve your files
For information on how to reverse the file encryption
send email to:
airacrop@vpn.tg
enter your KEY in the subject or email body.
=======================================================
Remember your email is not answered within 24 hours,
visit one of the link below to get a new mail contact
h***s://6kaqkavhpu5dln6x.onion.to/
h***s://6kaqkavhpu5dln6x.onion.link/
h***s://qsx72kun2efdcli2.onion.to/
h***s://qsx72kun2efdcli2.onion.link/
Alternative link:
h**p://6kaqkavhpu5dln6x.onion
h**p://qsx72kun2efdcli2.onion
To access the alternate link is mandatory to use the TOR browser available on the link
www.torproject.org/download/download
Key:
=======================================================
EF0771674764DDAAB32A83F51239B6286FBC61265393AAA051CCC1881942616F
=======================================================
In addition, because the ransomware doesn't leave anything behind that would allow verification that the file was decrypted properly,
the decrypter tries to guess whether or not the file has been decrypted properly.
This guessing process can be prone to error and may not work correctly.
It also means that if the decrypter does not know the file format, it will also be unable to decrypt it reliably.
At the moment the decrypter supports over 3000 different binary file formats, but formats that lack a unique identifier
in the first 16 bytes of the file, especially text-based formats, will not be recognised.
NMoreira Decryptor >>>
OpenToYou
OpenToDecrypt is a ransomware written in the Delphi programming language that encrypts your files using the RC4 encryption algorithm.
Encrypted files get renamed to *.-opentoyou@india.com and a ransom note named "!!!.txt" can be found on your Desktop.
The ransom note contains the following text:
Your files are encrypted!
To decrypt write on email - opentoyou@india.com
Identification key - 5E1C0884
OpenToYou Decryptor >>>
Globe 3
Globe3 is a ransomware kit that we first discovered at the beginning of 2017.
Globe3 encrypts files and optionally filenames using AES-256.
Since the extension of encrypted files is configurable, several different file extensions are possible.
The most commonly used extensions are .decrypt2017 and .hnumkhotep.
To use the decrypter, you will require a file pair containing both an encrypted file and its non-encrypted original version.
Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory.
If file names are encrypted, please use the file size to determine the correct file.
The encrypted and the original file will have the same size for files greater than 64 kb.
Due to a bug in the ransomware, decrypted files smaller than 64 kb will be up to 15 bytes larger than the originals.
This file size increase is due to the fact that the ransomware rounds file sizes up to the next 16-byte boundary without saving the original file size.
For most file formats this is unlikely to cause problems.
However, if your applications complain about corrupted file formats,
you may have to manually remove trailing zero bytes at the end of the file using a hex editor.
Globe 3 Decryptor >>>
GlobeImposter
GlobeImposter is a Globe copycat that imitates the ransom notes and file extension found in the Globe ransomware kit.
Encrypted files have the extension *.crypt and the base name of the file is unchanged.
The ransom note is named "HOW_OPEN_FILES.hta" and can be found in all folders that contain encrypted files.
To start the decryption process you will need a file pair consisting of an encrypted file and the non-encrypted version of the same file.
Select both and drag and drop them onto the decrypter binary to start the process.
GlobeImposter Decryptor >>>
Chimera
Chimera is a doxing type of ransomware.
It will come in the form of an email and, when deployed, will begin to enumerate files across all disks and begin the encryption process.
Kaspersky have created a decryptor for the job.
Chimera Decryptor >>>
How To Guide pdf >>>
DeriaLock
When executed, DeriaLock will use the computer's MachineName ID and generate an MD5 hash in order not to infect the malware authors.
It will create an executable called SystemLock.exe, which will display a lock screen with the message:
Your System has Locked!
If you try to restart you PC ALL data will delete.
If you want your data back, pay 30 USD.
Instuctions:
Is give no other way to get you computer/data back exdcept to pay a special Key.
You can buy the Key at the following Skype account: "arizonacode".
If you contact the bellow named Skype account send him you HWID the bottom left is to be seen.
If you Spamming the skype account, you can't get you data back
After you buy the key, paste him into the textbox.
taskmgr
procexp
procexp64
procexp32
skype
chrome
steam
MicrosoftEdge
regedit
msconfig
utilman
cmd
explorer
certmgr
control
cscript
How To Guide pdf >>>
PHP / Heimdall
PHP Ransomware, also known as Heimdall, is known to target and infect compromised servers. It is said to be of low risk in the wild, but a decryptor is available.
PHP/Heimdall Decryptor >>>
How To Guide pdf >>>
WildFire
WildFire Ransomware is said to be associated with the Kelihos botnet in its rise.
Previously there were no decryptors available, but both Kaspersky and Intel have since created decryption tools.
WildFire Decryptor >>>
Alternative decryptor >>>
How To Guide pdf >>>
Rakhni V2
This tool is designed to decrypt files encrypted by:
Crysis;
Chimera;
Rakhni;
Agent.iih;
Aura;
Autoit;
Pletor;
Rotor;
Lamer;
Lortok;
Cryptokluchen;
Democry;
Bitman (TeslaCrypt) version 3 and 4.
Rakhni V2 Decryptor >>>
How To Guide pdf >>>
Trend Micro Ransomware Tool
The Trend Micro Ransomware File Decryptor can decrypt files encrypted by 20+ different ransomware families.
Trend Micro Ransomware Decryption Tool >>>
How To Guide pdf >>>
Linux.Encoder.1
BitDefender have created a decryptor for the Linux.Encoder.1 and Linux.Encoder.3 ransomware.
Linux.Encoder.1 Decryptor >>>
How To Guide pdf >>>
Linux.Encoder.3
BitDefender have created a decryptor for the Linux.Encoder.1 and Linux.Encoder.3 ransomware.
Linux.Encoder.3 Decryptor >>>
How To Guide pdf >>>
Marlboro
The Marlboro ransomware was first seen on January 11th, 2017.
It is written in C++ and uses a simple XOR-based encryption algorithm.
Encrypted files are renamed to ".oops".
The ransom note is stored inside a file named "_HELP_Recover_Files_.html" and includes no further point of contact.
Due to a bug in the malware's code, the malware will truncate up to the last 7 bytes from files it encrypts.
It is, unfortunately, impossible for the decrypter to reconstruct these bytes.
To use the decrypter, you will require an encrypted file of at least 640 bytes in size as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
Marlboro Decryptor >>>
MRCR
MRCR or Merry X-Mas is a ransomware family that first appeared in December last year.
It is written in Delphi and uses a custom encryption algorithm.
Encrypted files will have either ".PEGS1", ".MRCR1", ".RARE1" or ".RMCM1" as an extension.
The ransom note is named "YOUR_FILES_ARE_DEAD.HTA" and asks victims to contact either "comodosec@yandex.ru" or "comodosecurity" via the secure mobile messenger Telegram.
To start the decryption process you will need a file pair consisting of an encrypted file and the non-encrypted version of the same file.
The files need to be between 64 KB and 100 MB in size.
Select both and drag and drop them onto the decrypter executable to start the process.
MRCR Decryptor >>>
Damage
Damage is a ransomware written in Delphi.
It uses a combination of SHA-1 and Blowfish to encrypt the first and last 8 kb of a file.
Encrypted files have the extension ".damage" and the ransom note, which is named "damage@india.com[].txt", asks to contact "damage@india.com".
The ransom note contains the following message:
/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
============================================================================================================================================================================
end of secret_key
To restore your files - send e-mail to damage@india.com
To use the decrypter, you will require an encrypted file as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
Damage Decryptor >>>
CryptON
CryptON aka Nemesis aka X3M is a ransomware family that is mostly used for targeted attacks via RDP.
Files are encrypted using a mix of RSA, AES-256 and SHA-256.
We have seen the following extensions being used by CryptON:
".id-_locked", ".id-_locked_by_krec", ".id-_locked_by_perfect", ".id-_x3m",
".id-_r9oj", ".id-_garryweber@protonmail.ch", ".id-_steaveiwalker@india.com_",
".id-_julia.crown@india.com_", ".id-_tom.cruz@india.com_",
".id-_CarlosBoltehero@india.com_" and ".id-_maria.lopez1@india.com_".
To use the decrypter, you will require an encrypted file of at least 128 KB in size as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
CryptON Decryptor >>>
Cry9
Cry9 is the successor of the CryptON ransomware family that is mostly used for targeted attacks via RDP.
Files are encrypted using a customized version of AES, RSA and SHA-512.
We have seen the following extensions being used by Cry9:
".juccy(at)protonmail.ch", ".id-<id>", ".id-<id>_[nemesis_decryptorataol.com].xj5v2", ".id-<id>_r9oj", ".id-<id>_x3m", ".id-<id>_[x3m-proatprotonmail.com]_[x3matusa.com].x3m", ".<id>", ".<id>-sofia_lobster(at)protonmail.ch" and ".<id>_[wqfhdgpdelcgww4g.onion.to].r2vy6"
To use the decrypter, you will require an encrypted file of at least 128 KB in size as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
Cry9 Decryptor >>>
Cry128
Cry128 belongs to the CryptON/Nemesis ransomware family that is mostly used for targeted attacks via RDP.
Files are encrypted using a customized version of AES and RSA.
We have seen the following extensions being used by Cry128:
".fgb45ft3pqamyji7.onion.to._", ".id_<id>_gebdp3k7bolalnd4.onion._", ".id_<id>_2irbar3mjvbap6gt.onion.to._" and ".id-<id>_[qg6m5wo7h3id55ym.onion.to].63vc4".
To use the decrypter, you will require an encrypted file of at least 128 KB in size as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
Amnesia
Amnesia is a ransomware written in the Delphi programming language that encrypts your files using the AES-256 encryption algorithm.
Encrypted files are renamed to *.amnesia, and the ransom note, called "HOW TO RECOVER ENCRYPTED FILES.TXT", asks you to contact "s1an1er111@protonmail.com".
It can be found on your Desktop.
The ransom note contains the following text:
=========================================================================================================
YOUR FILES ARE ENCRYPTED!
Your personal ID:
<-- redacted -->
Attention! What happened?
Your documents, databases and other important data has been encrypted.
If you want to restore files send an email to: s1an1er111@protonmail.com
In a letter to indicate your personal identifier (see in the beginning of this document).
Attention!
* Do not attempt to remove the program or run the anti-virus tools.
* Attempts to self-decrypting files will result in the loss of your data.
* Decoders are not compatible with other users of your data, because each user's unique encryption key.
=========================================================================================================
To use the decrypter, you will require an encrypted file as well as its unencrypted version.
To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
Amnesia Decryptor >>>
Amnesia2
Amnesia is a ransomware written in the Delphi programming language that encrypts your files using the AES-256 encryption algorithm.
Encrypted files are renamed to *.amnesia, and the ransom note, called "HOW TO RECOVER ENCRYPTED FILES.TXT", asks you to contact "s1an1er111@protonmail.com".
It can be found on your Desktop.
The ransom note contains the following text:
=========================================================================================================
YOUR FILES ARE ENCRYPTED!
Your personal ID:
<-- redacted -->
Attention! What happened?
Your documents, databases and other important data has been encrypted.
If you want to restore files send an email to: s1an1er111@protonmail.com
In a letter to indicate your personal identifier (see in the beginning of this document).
Attention!
* Do not attempt to remove the program or run the anti-virus tools.
* Attempts to self-decrypting files will result in the loss of your data.
* Decoders are not compatible with other users of your data, because each user's unique encryption key.
=========================================================================================================
To use the decrypter, just start the decrypter and point it towards the files you need to decrypt.
Amnesia2 Decryptor >>>
NemucodAES
NemucodAES is a new variant of the Nemucod ransomware family.
Written in a combination of JavaScript and PHP, it uses AES and RSA to encrypt your files.
Encrypted files will keep their original file names and a ransom note named "DECRYPT.hta" can be found on your Desktop.
The ransom note reads as follows:
ATTENTION!
All your documents, photos, databases and other important personal files were encrypted
using a combination of strong RSA-2048 and AES-128 algorithms.
The only way to restore your files is to buy decryptor. Please, follow these steps:
Create your Bitcoin wallet here:
h****://blockchain[dot]info/wallet/new
Buy 0.13066 bitcoins here:
h****://localbitcoins[dot]com/buy_bitcoins
Send 0.13066 bitcoins to this address:
1FeZr4bvMpCf1QTS49VjsdhtnP6zPvMjbP
Open one of the following links in your browser:
h***://luxe-limo[dot]ru/counter/?1FeZr4bvMpCf1QTS49VjsdhtnP6zPvMjbP
h***://musaler[dot]ru/counter/?1FeZr4bvMpCf1QTS49VjsdhtnP6zPvMjbP
h***://vinoteka28[dot]ru/counter/?1FeZr4bvMpCf1QTS49VjsdhtnP6zPvMjbP
h***://www.agrimixxshop[dot]com/counter/?1FeZr4bvMpCf1QTS49VjsdhtnP6zPvMjbP
h***://sharedocsrl[dot]it/counter/?1FeZr4bvMpCf1QTS49VjsdhtnP6zPvMjbP
Download and run decryptor to restore your files.
You can find this instruction in "DECRYPT" file on your desktop.
To decrypt your files, please run the decrypter on the encrypted system.
The decrypter requires various files from the %TEMP% directory of the user that spawned the infection.
Therefore it is important not to reformat the system or run any cleanup tools before attempting the decryption.
NemucodAES >>>