How to decrypt or get back encrypted files infected by known encrypting ransomware viruses.

In recent years, cybercriminals have been distributing a new type of virus that encrypts the files on your computer (or your network) in order to extort money from their victims. This type of virus is called “ransomware”, and it infects computer systems when the user opens attachments or links from unknown senders, or visits sites that have been compromised by cybercriminals. In my experience, the only safe way to protect yourself from this type of virus is to keep clean backups of your files in a location separate from your computer, for example on an unplugged external USB hard drive or on DVD-ROMs.

This article contains important information about some known encrypting ransomware (“crypt”) viruses that were designed to encrypt critical files, together with the available options and utilities for decrypting your files after an infection.

Ransom Crypt Trojans (Viruses) – Description & Known Decryption Tools and Methods:

Cryptowall – Virus Information & Decryption Options.

The Cryptowall (or “Cryptowall Decrypter”) virus is a new variant of the CryptoDefense ransomware. When a computer is infected with Cryptowall, all the critical files on it (including files on mapped network drives, if you are logged in to a network) are encrypted with strong encryption that makes them practically impossible to decrypt. After encrypting, the virus sends the private key (password) to a server controlled by the criminals, so that only they can decrypt your files. The criminals then inform their victims that all their critical files are encrypted and that the only way to decrypt them is to pay a ransom of $500 (or more) within a set time period; otherwise the ransom is doubled or the files are lost permanently.

How to decrypt Cryptowall infected files and get your files back:

If you want to decrypt Cryptowall encrypted files and get your files back, then you have these options:

A. The first option is to pay the ransom. If you decide to do that, then proceed with the payment at your own risk, because according to our research some users get their data back and some others don’t. Keep in mind that criminals are not the most trustworthy people on the planet.

B. The second option is to clean the infected computer and then to restore your infected files from a clean backup (if you have one).

C. If you don’t have a clean backup, then the only option that remains is to restore your files to previous versions from “Shadow Copies”. Note that this procedure works only on Windows 8, Windows 7 and Vista, and only if the “System Restore” feature was previously enabled on your computer and was not disabled after the Cryptowall infection.

CryptoDefense & How_Decrypt – Virus Information & Decryption.

CryptoDefense is another ransomware virus that encrypts all the files on your computer, regardless of their extension (file type), with strong encryption that makes them practically impossible to decrypt. The virus may disable the “System Restore” feature on the infected computer and may delete all “Shadow Volume Copies”, so you cannot restore your files to their previous versions. Upon infection, the CryptoDefense ransomware creates two files in every infected folder (“How_Decrypt.txt” and “How_Decrypt.html”) with detailed instructions on how to pay the ransom in order to decrypt your files, and sends the private key (password) to a server controlled by the criminals, so that only they can decrypt your files.

How to decrypt Cryptodefense encrypted files and get your files back:

In order to decrypt Cryptodefense infected files you have these options:

A. The first option is to pay the ransom. If you decide to do that, then proceed with the payment at your own risk, because according to our research some users get their data back and some others don’t. Keep in mind that criminals are not the most trustworthy people on the planet.

B. The second option is to clean the infected computer and then to restore your infected files from a clean backup (if you have one).

C. If you don’t have a clean backup, then you can try to restore your files to previous versions from “Shadow Copies”. Note that this procedure works only on Windows 8, Windows 7 and Vista, and only if the “System Restore” feature was previously enabled on your computer and was not disabled after the CryptoDefense infection.

D. Finally, if you don’t have a clean backup and you aren’t able to restore your files from “Shadow Copies”, then you can try to decrypt CryptoDefense’s encrypted files by using Emsisoft’s Decrypter utility. To do that:

Important Notice: This utility works only for computers infected before 1st April 2014.

  1. Download the “Emsisoft Decrypter” utility to your computer (e.g. to your Desktop).
  2. When the download is completed, navigate to your Desktop and “Extract” the “decrypt_cryptodefense.zip” file.
  3. Double-click to run the “decrypt_cryptodefense” utility.
  4. Finally, press the “Decrypt” button to decrypt your files.

Source – Additional information: A detailed tutorial on how to decrypt CryptoDefense encrypted files using Emsisoft’s decrypter utility can be found here: http://www.bleepingcomputer.com/virus-removal/cryptodefense-ransomware-information#emsisoft

Cryptorbit or HowDecrypt – Virus Information & Decryption.

Cryptorbit (or HowDecrypt) is a ransomware virus that encrypts all the files on your computer. Once your computer is infected with Cryptorbit, all your critical files are encrypted, regardless of their extension (file type), with strong encryption that makes them practically impossible to decrypt. The virus also creates two files in every infected folder on your computer (“HowDecrypt.txt” and “HowDecrypt.gif”) with detailed instructions on how to pay the ransom and decrypt your files.

How to decrypt Cryptorbit infected files and get your files back:

In order to decrypt Cryptorbit encrypted files you have these options:

A. The first option is to pay the ransom. If you decide to do that, then proceed with the payment at your own risk, because according to our research some users get their data back and some others don’t.

B. The second option is to clean the infected computer and then to restore your infected files from a clean backup (if you have one).

C. If you don’t have a clean backup, then you can try to restore your files to previous versions from “Shadow Copies”. Note that this procedure works only on Windows 8, Windows 7 and Vista, and only if the “System Restore” feature was previously enabled on your computer and was not disabled after the Cryptorbit infection.

D. Finally, if you don’t have a clean backup and you aren’t able to restore your files from “Shadow Copies”, then you can try to decrypt Cryptorbit’s encrypted files by using the Anti-CryptorBit utility. To do that:

  1. Download the “Anti-CryptorBit” utility to your computer (e.g. to your Desktop).
  2. When the download is completed, navigate to your Desktop and “Extract” the “Anti-CryptorBitV2.zip” file.
  3. Double-click to run the Anti-CryptorBit v2 utility.
  4. Choose what type of files you want to recover (e.g. “JPG”).
  5. Finally, choose the folder that contains the corrupted/encrypted (JPG) files and then press the “Start” button to fix them.

Cryptolocker – Virus Information & Decryption.

Cryptolocker (also known as “Troj/Ransom-ACP” or “Trojan.Ransomcrypt.F”) is a nasty ransomware virus (Trojan) that, when it infects your computer, encrypts all files regardless of their extension (file type). The bad news is that, once it infects your computer, your critical files are encrypted with strong encryption and it is practically impossible to decrypt them. Once a computer is infected with Cryptolocker, an information message appears on the victim’s computer demanding a payment (ransom) of $300 (or more) in order to decrypt the files.

How to decrypt Cryptolocker infected files and get your files back:

In order to decrypt Cryptolocker infected files you have these options:

A. The first option is to pay the ransom. If you decide to do that, then proceed with the payment at your own risk, because according to our research some users get their data back and some others don’t.

B. The second option is to clean the infected computer and then to restore your infected files from a clean backup (if you have one).

C. If you don’t have a clean backup, then you can try to restore your files to previous versions from “Shadow Copies”. Note that this procedure works only on Windows 8, Windows 7 and Vista, and only if the “System Restore” feature was previously enabled on your computer and was not disabled after the Cryptolocker infection.

D. In August 2014, FireEye and Fox-IT released a new service that retrieves the private decryption key for users who were infected by the CryptoLocker ransomware. The service is called “DecryptCryptoLocker”; it is available globally and does not require users to register or provide contact information in order to use it.

In order to use this service you have to visit this site: https://www.decryptcryptolocker.com/ and upload one encrypted CryptoLocker file from the infected computer (Notice: upload a file that doesn’t contain sensitive and/or private information). After you do that, you have to specify an email address at which to receive your private key and a link to download the decryption tool. Finally, run the downloaded CryptoLocker decryption tool (locally on your computer) and enter your private key to decrypt your CryptoLocker encrypted files.

More information about this service can be found here: FireEye and Fox-IT Announce New Service to Help CryptoLocker Victims.

Trojan-Ransom.Win32.Rector – Virus Information & Decryption.

The Trojan Rector encrypts files with the following extensions: .doc, .jpg, .pdf, .rar, and after the infection makes them unusable. Once your files are infected with Trojan Rector, their extensions are changed to .VSCRYPT, .INFECTED, .KORREKTOR or .BLOC, which makes them unusable. When you try to open an infected file, a message in Cyrillic characters is displayed on your screen containing the ransom demand and the payment details. The cybercriminal behind Trojan Rector calls himself “††KOPPEKTOP††” and asks victims to contact him via email or ICQ (EMAIL: v-martjanov@mail.ru / ICQ: 557973252 or 481095) for instructions on how to unlock the files.

How to decrypt files infected with Trojan Rector and get your files back:

Advice: Copy all the infected files to a separate directory and close all open programs before proceeding to scan and decrypt the affected files.

1. Download the Rector Decryptor utility (from Kaspersky Labs) to your computer.

2. When the download is completed, run RectorDecryptor.exe.

3. Press the “Start Scan” button to scan your drives for the encrypted files.

4. Let the RectorDecryptor utility scan and decrypt the encrypted files (with extensions .vscrypt, .infected, .bloc, .korrektor) and then, if the decryption was successful, select the option “Delete crypted files after decryption”. *

* After the decryption you can find a report log of the scanning/decryption process in the root of your C:\ drive (e.g. “C:\RectorDecryptor.2.3.7.0_10.02.2011_15.31.43_log.txt”).

5. Finally, continue by checking and cleaning your system of any malware programs that may still exist on it.

Source – Additional information: http://support.kaspersky.com/viruses/disinfection/4264#block2

Trojan-Ransom.Win32.Xorist, Trojan-Ransom.MSIL.Vandev – Virus Information & Decryption.

The Trojan Ransom Xorist and Trojan Ransom Vandev encrypt files with the following extensions:

doc, xls, docx, xlsx, db, mp3, waw, jpg, jpeg, txt, rtf, pdf, rar, zip, psd, msi, tif, wma, lnk, gif, bmp, ppt, pptx, docm, xlsm, pps, ppsx, ppd, tiff, eps, png, ace, djvu, xml, cdr, max, wmv, avi, wav, mp4, pdd, html, css, php, aac, ac3, amf, amr, mid, midi, mmf, mod, mp1, mpa, mpga, mpu, nrt, oga, ogg, pbf, ra, ram, raw, saf, val, wave, wow, wpk, 3g2, 3gp, 3gp2, 3mm, amx, avs, bik, bin, dir, divx, dvx, evo, flv, qtq, tch, rts, rum, rv, scn, srt, stx, svi, swf, trp, vdo, wm, wmd, wmmp, wmx, wvx, xvid, 3d, 3d4, 3df8, pbs, adi, ais, amu, arr, bmc, bmf, cag, cam, dng, ink, jif, jiff, jpc, jpf, jpw, mag, mic, mip, msp, nav, ncd, odc, odi, opf, qif, qtiq, srf, xwd, abw, act, adt, aim, ans, asc, ase, bdp, bdr, bib, boc, crd, diz, dot, dotm, dotx, dvi, dxe, mlx, err, euc, faq, fdr, fds, gthr, idx, kwd, lp2, ltr, man, mbox, msg, nfo, now, odm, oft, pwi, rng, rtx, run, ssa, text, unx, wbk, wsh, 7z, arc, ari, arj, car, cbr, cbz, gz, gzig, jgz, pak, pcv, puz, r00, r01, r02, r03, rev, sdn, sen, sfs, sfx, sh, shar, shr, sqx, tbz2, tg, tlz, vsi, wad, war, xpi, z02, z04, zap, zipx, zoo, ipa, isu, jar, js, udf, adr, ap, aro, asa, ascx, ashx, asmx, asp, aspx, asr, atom, bml, cer, cms, crt, dap, htm, moz, svr, url, wdgt, abk, bic, big, blp, bsp, cgf, chk, col, cty, dem, elf, ff, gam, grf, h3m, h4r, iwd, ldb, lgp, lvl, map, md3, mdl, mm6, mm7, mm8, nds, pbp, ppf, pwf, pxp, sad, sav, scm, scx, sdt, spr, sud, uax, umx, unr, uop, usa, usx, ut2, ut3, utc, utx, uvx, uxx, vmf, vtf, w3g, w3x, wtd, wtf, ccd, cd, cso, disk, dmg, dvd, fcd, flp, img, iso, isz, md0, md1, md2, mdf, mds, nrg, nri, vcd, vhd, snp, bkf, ade, adpb, dic, cch, ctt, dal, ddc, ddcx, dex, dif, dii, itdb, itl, kmz, lcd, lcf, mbx, mdn, odf, odp, ods, pab, pkb, pkh, pot, potx, pptm, psa, qdf, qel, rgn, rrt, rsw, rte, sdb, sdc, sds, sql, stt, t01, t03, t05, tcx, thmx, txd, txf, upoi, vmt, wks, wmdb, xl, xlc, xlr, xlsb, xltx, ltm, xlwx, mcd, cap, cc, cod, cp, cpp, cs, csi, dcp, dcu, dev, dob, dox, dpk, dpl, dpr, dsk, dsp, eql, 
ex, f90, fla, for, fpp, jav, java, lbi, owl, pl, plc, pli, pm, res, rnc, rsrc, so, swd, tpu, tpx, tu, tur, vc, yab, 8ba, 8bc, 8be, 8bf, 8bi8, bi8, 8bl, 8bs, 8bx, 8by, 8li, aip, amxx, ape, api, mxp, oxt, qpx, qtr, xla, xlam, xll, xlv, xpt, cfg, cwf, dbb, slt, bp2, bp3, bpl, clr, dbx, jc, potm, ppsm, prc, prt, shw, std, ver, wpl, xlm, yps, md3.

After the infection, Trojan Ransom Xorist compromises your computer’s security, makes your computer unstable and displays messages on your screen demanding a ransom in order to decrypt the infected files. The messages also contain information on how to pay the ransom in order to get the decryption utility from the cybercriminals.

How to decrypt files infected with Trojan Win32.Xorist or Trojan MSIL.Vandev:

Advice: Copy all the infected files to a separate directory and close all open programs before proceeding to scan and decrypt the affected files.

  1. Download the Xorist Decryptor utility (from Kaspersky Labs) to your computer.
  2. When the download is completed, run XoristDecryptor.exe.

Note: If you want to delete the encrypted files when the decryption is completed, then click the “Change parameters” option and check the “Delete crypted files after decryption” check box under “Additional Options”.

  3. Press the “Start Scan” button.
  4. Enter the path of at least one encrypted file and then wait until the utility decrypts the encrypted files.
  5. If the decryption was successful, reboot your computer and then scan and clean your system of any malware programs that may still exist on it.

Source – Additional information: http://support.kaspersky.com/viruses/disinfection/2911#block2

 

Trojan-Ransom.Win32.Rakhni – Virus Information & Decryption.

The Trojan Ransom Rakhni encrypts files and changes their extensions as follows:

<filename>.<original_extension>.<locked>
<filename>.<original_extension>.<kraken>
<filename>.<original_extension>.<darkness>
<filename>.<original_extension>.<nochance>
<filename>.<original_extension>.<oshit>
<filename>.<original_extension>.<oplata@qq_com>
<filename>.<original_extension>.<relock@qq_com>
<filename>.<original_extension>.<crypto>
<filename>.<original_extension>.<helpdecrypt@ukr.net>
<filename>.<original_extension>.<pizda@qq_com>

After the encryption, your files are unusable and your system security is compromised. Trojan-Ransom.Win32.Rakhni also creates a file in your %APPDATA% folder named “exit.hhr.oshit” that contains the encrypted password for the infected files.

Warning: Trojan-Ransom.Win32.Rakhni creates the “exit.hhr.oshit” file, which contains an encrypted password to the user’s files. If this file remains on the computer, decryption with the RakhniDecryptor utility is faster. If the file has been deleted, it can be recovered with file recovery utilities. After recovering it, put it back into %APPDATA% and run the scan with the utility once again.

%APPDATA% folder location:

  • Windows XP: C:\Documents and Settings\<username>\Application Data
  • Windows 7/8: C:\Users\<username>\AppData\Roaming

 

How to decrypt files infected with Trojan Rakhni and get your files back:

  1. Download the Rakhni Decryptor utility (from Kaspersky Labs) to your computer.
  2. When the download is completed, run RakhniDecryptor.exe.

Note: If you want to delete the encrypted files when the decryption is completed, then click the “Change parameters” option and check the “Delete crypted files after decryption” check box under “Additional Options”.

  3. Press the “Start Scan” button to scan your drives for encrypted files.
  4. Enter the path of at least one encrypted file (e.g. “file.doc.locked”) and then wait until the utility recovers the password from the “exit.hhr.oshit” file (mind the Warning above) and decrypts your files.

Source – Additional information: http://support.kaspersky.com/viruses/disinfection/10556#block2

 

Trojan-Ransom.Win32.Rannoh (Trojan-Ransom.Win32.Cryakl) – Virus Information & Decryption.

The Trojan Rannoh or Trojan Cryakl encrypts all files on your computer in the following way:

  • In case of a Trojan-Ransom.Win32.Rannoh infection, file names and extensions are changed according to the template locked-<original name>.<four random letters>.
  • In case of a Trojan-Ransom.Win32.Cryakl infection, the tag {CRYPTENDBLACKDC} is added to the end of file names.

How to decrypt files infected with Trojan Rannoh or Trojan Cryakl and get your files back:

Important: The Rannoh Decryptor utility decrypts files by comparing one encrypted file with its original, unencrypted version. So to use the Rannoh Decryptor utility you must have a pre-infection copy of at least one of the encrypted files (e.g. from a clean backup).

  1. Download the Rannoh Decryptor utility to your computer.
  2. When the download is completed, run RannohDecryptor.exe.

Note: If you want to delete the encrypted files once the decryption is completed, then click the “Change parameters” option and check the “Delete crypted files after decryption” check box under “Additional Options”.

  3. Press the “Start Scan” button.
  4. Read the “Information required” message, then click “Continue” and specify the path to a pre-infection copy of at least one encrypted file (the clean, original file) and the path to its encrypted version (the infected, encrypted file).
  5. After the decryption, you can find a report log of the scanning/decryption process in the root of your C:\ drive (e.g. “C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt”).

Source – Additional information: http://support.kaspersky.com/viruses/disinfection/8547#block1
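Before running any of the decryptors above it helps to know which family you are dealing with. The script below is an added example (not code from this article, nor from Kaspersky, Emsisoft or any other vendor named here): it applies the file-naming patterns the article gives for Rector, Rakhni, Rannoh and Cryakl, plus the CryptoDefense and Cryptorbit ransom-note file names, to a list of paths and reports which decryptor the article points to for each match. The family and decryptor labels are my own strings, and the rules cover only what the article lists.

```python
import ntpath
import re
from collections import defaultdict

# Patterns transcribed from this article's descriptions, paired with the decryptor
# the article names for each family; other variants of these families may differ.
RENAME_RULES = [
    # Rector: infected files end up with one of these extensions.
    (re.compile(r"\.(vscrypt|infected|korrektor|bloc)$", re.I),
     "Trojan-Ransom.Win32.Rector", "RectorDecryptor"),
    # Rakhni: <filename>.<original_extension>.<tag>
    (re.compile(r"\.(locked|kraken|darkness|nochance|oshit|oplata@qq_com|"
                r"relock@qq_com|crypto|helpdecrypt@ukr\.net|pizda@qq_com)$", re.I),
     "Trojan-Ransom.Win32.Rakhni", "RakhniDecryptor"),
    # Rannoh: locked-<original name>.<four random letters>
    (re.compile(r"^locked-.+\.[a-z]{4}$", re.I),
     "Trojan-Ransom.Win32.Rannoh", "RannohDecryptor"),
    # Cryakl: the tag {CRYPTENDBLACKDC} is appended to the file name.
    (re.compile(r"\{CRYPTENDBLACKDC\}$"),
     "Trojan-Ransom.Win32.Cryakl", "RannohDecryptor"),
]

# Ransom-note file names the article associates with two further families.
NOTE_FILES = {
    "how_decrypt.txt": ("CryptoDefense", "Emsisoft decrypt_cryptodefense"),
    "how_decrypt.html": ("CryptoDefense", "Emsisoft decrypt_cryptodefense"),
    "howdecrypt.txt": ("Cryptorbit", "Anti-CryptorBit"),
    "howdecrypt.gif": ("Cryptorbit", "Anti-CryptorBit"),
}


def classify_name(path):
    """Return (family, decryptor) for a file name, or None if no rule matches."""
    name = ntpath.basename(path)  # handles both "\" and "/" separators
    if name.lower() in NOTE_FILES:
        return NOTE_FILES[name.lower()]
    for pattern, family, decryptor in RENAME_RULES:
        if pattern.search(name):
            return family, decryptor
    return None


def triage(paths):
    """Group paths by family: {family: {"decryptor", "files", "notes"}}.

    Ransom notes are evidence of a family but must not be handed to a
    decryptor, so they go under "notes"; unmatched paths are ignored.
    """
    report = defaultdict(lambda: {"decryptor": None, "files": [], "notes": []})
    for path in paths:
        hit = classify_name(path)
        if hit is None:
            continue
        family, decryptor = hit
        report[family]["decryptor"] = decryptor
        bucket = "notes" if ntpath.basename(path).lower() in NOTE_FILES else "files"
        report[family][bucket].append(path)
    return dict(report)
```

Feed it a directory listing taken from the infected machine (for example the output of `dir /s /b` saved to a file) and it tells you which decryptor section of this article applies to each group of files.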

 

 


3 thoughts on “How to decrypt or get back encrypted files infected by known encrypting ransom-ware viruses.”

  1. The articles you publish here are very good to read and to apply. Keep posting. They are very useful and helpful.
