SECURITY EVANGELIST

What do you do if your computer gets infected with ransomware: do you pay up or try to find an alternative solution?

If you’re not ready to give up the fight, we have something that might help.

In the past few weeks, I’ve combed the web for decryption tools and I can tell you that it’s a never-ending process. It’s close to impossible to build up a complete database, because things change on a daily basis.

As new types of ransomware emerge, researchers decrypt some strains and others get new variants. There are tens or hundreds of them. Just like in a cat and mouse game, the chase never stops.

If this graphic would be filled out with the 2016 discoveries covering Q2 and Q3, you’d need a bigger screen to see this.

ransomware-discoveries-cert-ro

Source: CERT-RO

Believe it or not, there is a silver lining to ransomware’s popularity: the quality of the malicious code is steadily decreasing. As a result, cyber security specialists can crack the code faster and give victims a change to retrieve their data without further funding attackers.

Unfortunately, low quality ransomware also endangers the affected data: one error in the code and it can all be erased instead of encrypted. But that’s a story for another time.

Let’s get to the point, because, if you’re reading this, it’s likely that you don’t have too much time on your hands. If you couldn’t avoid a ransomware infection, let’s see if you can help fix it.

How to identify the ransomware you’ve been infected with

Sometimes, the ransom note says what type of ransomware your files have been encrypted with, but it can happen that you don’t have this information at hand. Readers have asked us in comments to which ransomware types certain encryption extensions belong to. Many of these extensions signaled new types of encrypting malware, for which the are no decryptors available.

If you need help with identifying what ransomware your system has been infected with, there are two tools you can use:

Crypto Sheriff from No More Ransom
ID Ransomware from MalwareHunter Team.

Please read the terms and conditions specific to these tools before using them.

Getting back to our list of decryption tools…

As a disclaimer, you should know that the list below is just a starting point. Use it, but do a bit more research as well. Safely decrypting your data can be a nerve-wrecking process, so try to be as thorough as possible.

We’ll do our best to keep this list up to date, but it’ll probably never be definitive. Contributions and suggestions are more than welcome, as we promise to promptly follow up on them and include them in the list.

Some of the decryption tools mentioned below are easy to use, while others require a bit more tech knowledge to break. You can try asking for help on one of these malware removal forums, which feature tons of information and helpful communities.

Without further ado, here it is – the list that will hopefully help you get your data back from the prying hands of cyber criminals.

Ransomware Decryption Tools – an ongoing list

OpenToYou decryption tools
Globe3 decryption tool
Dharma Decryptor
CryptON decryption tool
Alcatraz Decryptor tool // direct tool download
HiddenTear decryptor (Avast)
NoobCrypt decryptor (Avast)
CryptoMix/CryptoShield decryptor tool for offline key (Avast)
Damage ransomware decryption tool
.777 ransomware decrypting tool
7even-HONE$T decrypting tool
.8lock8 ransomware decrypting tool + explanations
7ev3n decrypting tool
Agent.iih decrypting tool (decrypted by the Rakhni Decryptor)
Alma decrypting tool
Al-Namrood decrypting tool
Alpha decrypting tool
AlphaLocker decrypting tool
Apocalypse decrypting tool
ApocalypseVM decrypting tool + alternative
Aura decrypting tool (decrypted by the Rakhni Decryptor)
AutoIt decrypting tool (decrypted by the Rannoh Decryptor)
Autolocky decrypting tool
Badblock decrypting tool + alternative 1
Bart decrypting tool
BitCryptor decrypting tool
BitStak decrypting tool
Chimera decrypting tool + alternative 1 + alternative 2
CoinVault decrypting tool
Cryaki decrypting tool (decrypted by the Rannoh Decryptor)
Crybola decrypting tool (decrypted by the Rannoh Decryptor)
CrypBoss decrypting tool
Crypren decrypting tool
Crypt38 decrypting tool
Crypt888 (see also Mircop) decrypting tool
CryptInfinite decrypting tool
CryptoDefense decrypting tool
CryptoHost (a.k.a. Manamecrypt) decrypting tool
Cryptokluchen decrypting tool (decrypted by the Rakhni Decryptor)
CryptoTorLocker decrypting tool
CryptXXX decrypting tool
CrySIS decrypting tool (decrypted by the Rakhni Decryptor – additional details)
CTB-Locker Web decrypting tool
CuteRansomware decrypting tool
DeCrypt Protect decrypting tool
Democry decrypting tool (decrypted by the Rakhni Decryptor)
DMA Locker decrypting tool + DMA2 Locker decoding tool
Fabiansomware decrypting tool
FenixLocker – decrypting tool
Fury decrypting tool (decrypted by the Rannoh Decryptor)
GhostCrypt decrypting tool
Globe / Purge decrypting tool + alternative
Gomasom decrypting tool
Harasom decrypting tool
HydraCrypt decrypting tool
Jigsaw/CryptoHit decrypting tool + alternative
KeRanger decrypting tool
KeyBTC decrypting tool
KimcilWare decrypting tool
Lamer decrypting tool (decrypted by the Rakhni Decryptor)
LeChiffre decrypting tool + alternative
Legion decrypting tool
Linux.Encoder decrypting tool
Lock Screen ransomware decrypting tool
Locker decrypting tool
Lortok decrypting tool (decrypted by the Rakhni Decryptor)
MarsJoke decryption tool
Manamecrypt decrypting tool (a.k.a. CryptoHost)
Mircop decrypting tool + alternative
Merry Christmas / MRCR decryptor
Nanolocker decrypting tool
Nemucod decrypting tool + alternative
NMoreira ransomware decryption tool
ODCODC decrypting tool
Operation Global III Ransomware decrypting tool
Ozozalocker ranomware decryptor
PClock decrypting tool
Petya decrypting tool
Philadelphia decrypting tool
PizzaCrypts decrypting tool
Pletor decrypting tool (decrypted by the Rakhni Decryptor)
Pompous decrypting tool
PowerWare / PoshCoder decrypting tool
Radamant decrypting tool
Rakhni decrypting tool
Rannoh decrypting tool
Rector decrypting tool
Rotor decrypting tool (decrypted by the Rakhni Decryptor)
Scraper decrypting tool
Shade / Troldesh decrypting tool + alternative
SNSLocker decrypting tool
Stampado decrypting tool + alternative
SZFlocker decrypting tool
TeleCrypt decrypting tool (additional details)
TeslaCrypt decrypting tool + alternative 1 + alternative 2
TorrentLocker decrypting tool
Umbrecrypt decrypting tool
Wildfire decrypting tool + alternative
WannaCry decryption tool + Guide
XORBAT decrypting tool
XORIST decrypting tool + alternative

As you may have noticed, some of these decryption tools work for multiple ransomware families, while certain strains have more than one solution (although this is rarely the case).

From a practical perspective, some of the decryptors are easy to use, but some require some technical know-how. As much as we’d want this process to be easier, it doesn’t always happen.

No matter how much work and time researchers put into reverse engineering cryptoware, the truth is that we’ll never have a solution to all of these infections. It would take an army of cyber security specialists working around the clock to get something like this done.

But being pragmatic doesn’t mean adopting a pessimistic outlook. In fact, if you apply the simple steps we outlined in the anti-ransomware security plan, you can avoid this kind of attacks and their consequences.

Even if cyber criminals do manage to infect your PC, you can just wipe the system clean and restore your latest backup. No money lost and, most importantly, no important information compromised! So, please, please back up your data. Not tomorrow, not this weekend, not next week. Do it today!

I hope that it will solve some of your ransomware-related problems. Moreover, please think about sharing the simple principle of proactive protection with your friends and family. It could spare them the negative experience of being a cyber attack victim.

What is Ransomware
2017.05.15 SLOW READ

What is Ransomware and 15 Easy Steps To Keep Your System Protected [Updated]

The Anti-Ransomware Protection Plan
2016.05.24 SLOW READ

The Anti-Ransomware Protection Plan You Need to Follow Today

ransomware-distribution-in-companies
2016.04.01 QUICK READ

Ransomware Distribution: How One Infection Can Go Network-Wide

Comments
Essam Al-Moraissi on May 19, 2017 at 2:53 pm

I have infected with ransomware and all my files are become locked with MOLE extension. I have used most of decryptor tool but without benefits.

Please help me

is there any tools to decrypt .xcrypt extension files

Is there any way to decrypt my files they are encypted by ransomeware virus.
it affects all my .jpeg .mp4 and all important file by .xcrypt extension

Hello Andra, do you have any file fix for .MOLE extension thank you 🙂

Leaton G. Johnson on May 16, 2017 at 1:39 am

Is there any help for files that were corrupted with the cryptodefense malware after April 1st, 2014? The tools for before April 1st 2014 do not work for my files.

[…] you’re looking for decryption tools for other types of ransomware, we have a huge and up to date list packed with […]

[…] Decryption tools – some of the ransomware has been broken by security companies and if you have one of the versions that has been broken you can use a tool to decrypt your files.  Here is a list of tools available :  Tools […]

Hey Andra,
Thanks for the information, I’ve few pc’s infected with .Osiris extension is there any decryptor for it?
Thanks

Hi Tahir! Unfortunately, .osiris is an extension used by Locky ransomware, which is impossible to decrypt at this point. Sorry we can’t help.

[…] It is very hard to restore data files without those keys as hackers use military grade encryption systems like AES and RSA. But hackers are also people and they often make mistakes in their code. Security researchers were able to find flaws in many ransomware viruses and create decryptors. […]

[…] find a solution to recover your data without further funding ransomware creators, we put together a sizeable list of ransomware decryption tools which you can […]

Hello Andra
Need help with my server, all files have been encrypted wit shnell ransomware there by shutting down all services even basic administrative tools can not be accessed.
please advice

Hello Isaac,

So sorry to hear about your situation, but there isn’t much we can do about this, given we don’t have a decryption tool for it in our list. Maybe you can try the Crypto Sheriff tool to find out if it is a known strain and come back to the list to check for potential fixes: https://www.nomoreransom.org/crypto-sheriff.php Best of luck!

Hi
What can I do for shnell ransomeware
Which tool should I use?
Thanks

Hi,
Is there any way to decrypt my files they are encypted by RAAS ransomeware.
it affects all my .jpeg .mp4 and all important file just lefting few like .gz and .exe

Hi Abhi,

So sorry to hear that, but we can’t help, I’m afraid. Unfortunately, there’s no way to decrypt it yet.

I am facing problem with .wallet files suddenly all files converted into .wallet extension.

kindly help me what i suppose to do.

Hi Ali,

So sorry to hear that, but we can’t help, I’m afraid. Dharma ransomware uses the .wallet extension, but, unfortunately, there’s no way to decrypt it yet.

Hello Ali,

A few days ago, the Dharma ransomware was decrypted and a decryption tool has appeared. You can access it here: https://www.nomoreransom.org/decryption-tools.html

anything you can do for this
! ! IMPORTANT INFORMATION ‘l I
Allcof, your files are encrypted with RSA-2048 and AES-1285ciphers.
More information about the RSA andeAES can e be found here:
(cryptosystem) czbchttp://eLÄ!<.pedie-ægLyiki/Adyanced
Decrypting of your files isbonly possible withdthe privateA<ey and decryptdprogram, which isöon *our secret server.
Todreceive youraprivateEkey follow one of the links :
If all ravailable, follow*hesedsteps:
1. Download and installeTor Browser:
: / html
2. 4fter a successfulæinstallation, run the and wait fom initialization.
cddb3.eTypeeinothe address bar: g46mbrrzpfszonuk.onion/1CUZ3X6WQQATGH7U 4 : Followbthecinstructions oncthe site.
! ! ! e Your?personal identification ID: ICUZ3X6WQQATGH7U ! ! !

Hi Michael,

Sorry about your issue, but there isn’t much we can do about this, given we don’t know which strain you got infected with. Maybe you can try the Crypto Sheriff tool to find out what it is: https://www.nomoreransom.org/crypto-sheriff.php

Is there any decryptor for .wnrozba files? mY computer is infected

How to decrypt spora ransomware .It came with .HTA file In windows its acts as google chrome HTML file and now it just corrupt all excel and word files.There is no any dedicated extension of this ransomware. All word files and excel files are in their default extension that is xlsx and docx.

Hi Kawal!

Unfortunately, there is no way to decrypt Spora ransomware infected files for free at the moment.

wallet file decrypter ?

Hi Atish,

So sorry to hear that, but we can’t help, I’m afraid. Dharma ransomware uses the .wallet extension, but, unfortunately, there’s no way to decrypt it yet.

Hello Atish,

A few days ago, the Dharma ransomware was decrypted and a decryption tool has appeared. You can access it here: https://www.nomoreransom.org/decryption-tools.html

is there any tool to decrypt .wcry files which because virus

Hi there!

For the moment we cannot confirm the strain without looking at it, but you can use Crypto Sheriff to find out: https://www.nomoreransom.org/crypto-sheriff.php

Hi…
My files are encrypted by 84E0…
Is there any tool…

Hello,
Is there any decryptor for x3m ransomware?

For the moment, there is no decryption tool for this type of ransomware.

Hello,
I have infected files .crypto shield.
I need help.
What is the recommended tool to decrypt?

Hi Robert!

For the moment, there is no way to currently decrypt files encrypted by CryptoShield for free. Also, a newer version (2.0) has emerged last week, which is also impossible to decrypt currently. Sorry for the bad news.

Hello,
I have infected files .cryptoshield.
What program you can decode them?
Thank you in advance for the information.

Al my files have .b76a in it. Is there anything that can decrypt all of my files??

Hi Roger!

For the moment we cannot confirm the strain without looking at it, but you can use Crypto Sheriff to find out: https://www.nomoreransom.org/crypto-sheriff.php

[…] is a tool that can decrypt data locked by some TorrentLocker variants, but it has not been tested on this new variant […]

Hi ! I have lot of files (excel and pdf) infected by dharma, any decription tool available?
Thanks, Alba

Nothing for .Osiris then?

my files got locked with the extension.ba22. i need help please

Hi Henry, unfortunately, we don’t have information on that particular extension. However, you can use this tool to find out what type of ransomware you’ve been infected with, so you can find potential solutions to decrypt it: https://www.nomoreransom.org/crypto-sheriff.php

Hello Andra,

I have many jpgs and video files which I backed up from a memory card I used on a Blackberry long time ago.
This device was stolen, and most part of the files are on the .rem RIM’s extension.
My question is: is told that just the original device which encrypted the original file can open and decrypt it; files saved/backed up from the original memory cards cannot be read on Macs/PCs.
Is there any software that could do this job in my case, as I had it stolen a long time ago on the airport?
Best.

Hi Danilo! I’m afraid you’re going to have to ask Blackberry for help here, because I can’t provide support for other products than our own. Sorry and best of luck! I really hope you get your data back safe and sound.

Hi, I had been hit by a virus that change all my files extension to .wallet which Decryption Tools is recommended?

Hi Richard,

So sorry to hear that, but we can’t help, I’m afraid. Dharma ransomware uses the .wallet extension, but, unfortunately, there’s no way to decrypt it yet.

my word and excel file got .sage extension,kindly suggest the appropriate toll

me to i got the same problem with my word and winrar files please tell me what to do or the tool i need

Good night do you know if there is any tool to decrypt ransomware with the “shit” extension? i think it belongs to locky family thank you!

Hi,

I have an awesome .merry file extension. 🙂 This is a massive Ransomware. I’m looking for decryptor for it.
Do you have any idea?

Thank you

Hi Steve!

Luckily, there’s a tool to decrypt it: https://decrypter.emsisoft.com/mrcr

We’ve also added it to the list. I hope you get your files back soon and safely!

Do you know what ransomware is k2p and k23p? I cannot find anywhere on the internet, it seems to be Globe but Globe2 doesn’t work…

Hi Ben!

For the moment we cannot confirm the strain without looking at it, but you can use Crypto Sheriff to find out: https://www.nomoreransom.org/crypto-sheriff.php

Does anyone know of a decrypter for ransomeware .aes256 extension? Absolutely killing me.

same problem here!

can you please provide help for jigsaw ransomware or provide any toll

The decryption tools list includes a decryptor for Jigsaw. You can find the link in the article.

Any one can help me to recover .wallet extension files

Hi there! Unfortunately, there is no decryption tool for Dharma ransomware.

HI MY SERVER HARD DRIVE ENCRYPTED USED DISKCRYPTOR TOOL FROM HACKERS ANY SOLUTION?

Hello! Sorry, but we don’t offer assistance with ransomware decryption. Malware-removal support is only available for Heimdal CORP customers. I hope you find a way to get your data back safe and sound!

Sidharaj Sinh Jadeja on January 3, 2017 at 3:17 pm

Hi
my external HDD as effected ransom-ware
Its showing .bb1a
you can suggest any tool for this
Please replay.
Regards

Bat-Erdene Chuluunbat on January 1, 2017 at 6:02 pm

I have attacked .wallet ransomwere on my company server on Dec 25, 2016. Bad thing is backup also infected. I’m in big trouble can’t eat and sleep may lose my job. I contact with those criminals they required 5 bit coins it is equal to 4000$ that is too much i can’t pay it. If have anything about .wallet please help me.

So sorry to hear that, but we can’t help, I’m afraid. Dharma ransomware uses the .wallet extension, but, unfortunately, there’s no way to decrypt it yet.

lulz…..I hope you make more than $4000. If you only have one backup, you may deserve to lose your job.

Any about .Wallet?
The files have a name, xmen_xmen [@] aol. com
e.g, Filename.pdf.[xmen_xmen@aol.com].wallet
Remote case in Costa Rica from 23-Dec-16

Hi Tames! Dharma ransomware uses the .wallet extension, but, unfortunately, there’s no way to decrypt it yet.

Thanks for replay, any news let me know!

Hello . Pls my blackberry device got infected by a malware with file extension .rem is there any decryptor to get me off the hook ?

Hi Charles! I’m happy to say that your Blackberry has not been affected with ransomware. In fact, .rem is an extension that shows that your files have been encrypted and are safe. In this case, we’re talking about non-malicious encryption used by Blackberry to secure your data. More info here: http://www.openthefile.net/extension/rem

what about .90f1

I can’t associate that extension with anything, Francesco. Maybe you can try the Crypto Sheriff tool to find out what it is: https://www.nomoreransom.org/crypto-sheriff.php

hi ,
there any decryption tool lavandos@dr.com.wallet

what about .b53c?

If it’s not on the list, I’m afraid there’s no solution for it yet.

[…] more and more decryption tools available for some types of ransomware, the bulk of it remains […]

[…] this link for an extensive list of ransomware […]

.9788 in pictures , music , documents

Sorry, no news on that yet.

Are there any experiences with paying the ransom? Will they un-encrypt your files and just go away? Or will that lead to more demands?

Cyber security experts, the Europol, the FBI and many more authorities and specialists advise to never pay up. There is no guarantee that you’ll get your data back or that the decryption key will work. There are cases where the ransomware is poorly coded and can’t be decrypted, even with the correct key, because the encryption went badly. Also, paying the ransom will just feed the malware economy and enable cybercriminals to continue attacking people and companies all over the world.

Hi,
What can I do for .b727 type of attack.
is there any solution for the same?
Regards

Unfortunately, Sigit, this seems like a new strain of ransomware and there is no decryptor available for it yet.

Jhonathan Bastidas on December 7, 2016 at 2:23 am

.thor?

Jhonathan, this is actually a new extension Locky started to use, and, unfortunately, Locky hasn’t been cracked yet. I’m sorry we can’t help.

Hi,
What can I do for .zzzz type of attack.
is there any solution for the same?
Regards

Unfortunately, Priya, there is no decryptor available for this type of ransomware yet.

Hi Andra ,

Could you please help me to in decryption process for my files infected with Ransomware v.5.0
I don’t know what is that but it damaged my word, excel, pdf and jpeg files 🙁

Regards,

Unfortunately, Mohamed, we do not offer assistance for individual cases. Asides from the tools available here, we don’t have anything else that can help. I’m sorry about your situation.

i
What can I do for .a2df files.

I don’t know of any tools that can decrypt this ransomware, Danush. I’m sorry.

[…] online and see the details about the ransomware strain you’ve been infected with. There are even some decryption tools out there that might work. However, please note that cyber criminals release new ransomware […]

Is there a tool for ZAAEBZM?

[…] can do about it. But due to a tough work of cyber confidence experts, we can find copiousness of ransomware decryptors out there. These tools, when paired with the relevant ransomware type, may decrypt your files […]

[…] you can do about it. But due to the hard work of cyber security experts, you can find plenty of ransomware decryptors out there. These tools, when paired with the relevant ransomware type, may decrypt your files […]

.8df4 Cerber any tools to remove this.

There are not decryption tools for Cerber yet, sorry.

[…] there are a swarm of decryption tools available for other types of encrypting malware, Locky remains unbreakable, […]

[…] already made a list of the available ransomware decryption tools out there, but the strongest and most dangerous encrypting […]

Hi Andra,

Firstly thank you for this great post.

I was attacked with CrptoLocker Ransomware on 15th Oct. Please let me know as and when you come across a decrypter tool for the same.

Thanks a lot
-Harsha

Hi there! Sorry to hear about your issues. There is no decryption tool available for Cryptolocker yet. It’s one of the oldest and strongest ransomware families, so it’s unlikely that it’ll be decrypted anytime soon.

Thanks a lot for the reply Andra! I shall wait!

hi, what is the extension of your encrypted files ?

Hi Cihen,

Sorry for the late reply.

No change in the file extension. The files are in their usual extension.

Thank You
Harsha

Hi andra,

do you have any tool to decrypt cyber ransome infections

Hi
my external HDD as effected ransom-ware
Its showing .zendr4
you can suggest any tool for this
Please replay.
Regards

Hi Noufal!

If it’s not on the list yet, it probably doesn’t have a decryptor. But I hope one will appear soon. So sorry to hear about your issue.

Any dycrypter for Cerber 4 I was hit last week shortly after this came out I have run numerous spyware malware & AV packages on my machine and moved all files to separate drive and locked away until such time as a solution arrives

Any tools discovered for ZEPTO?

Not that we know of. Sorry, Bob. We’ll update as soon as something reliable comes up.

Hi
What can I do for .afa8 files.
Which tool should I use?
Thanks

Hi there! Unfortunately, we have no knowledge at this point about a ransomware strain that turns files into .afa8. We’ll keep you posted if we do. Sorry to hear about your troubles.

Great blog, keep going. Lot of learning everyday from this blog.

Thanks a bunch for your feedback, Ajay! We promise to keep it up.

[…] this subject, maybe you’d like to browse our list of over 80 decryption tools for various ransomware strains that we published this […]

[…] by this ransomware, know that cyber security researchers have cracked the code and released a decryption tool for Stampado. Be sure to read a bit about how the process works, so you can get your data back safely, without […]

[…] in case your system is already infected, know that researchers have released a decryption tool for the TorrentLocker ransomware which you can use to unlock your data for free. Just make sure you read about how the entire […]

Frederik Bechmann on October 6, 2016 at 2:04 pm

Congrats on the new blog layout, Andra.

Quality content needs a quality frame 😉

Thank you so much, Frederik! It was a team effort and I’m really glad you enjoy it.

[…] find a solution to recover your data without further funding ransomware creators, we put together a sizeable list of ransomware decryption tools which you can […]

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP
164 queries in 1.074 seconds