Free Ransomware Decryption Tools

The ransomware adds one of the following extensions to encrypted files:
.aes_ni
.aes256
.aes_ni_0day

In each folder with at least one encrypted file, the file "!!! READ THIS - IMPORTANT !!!.txt" can be found. Additionally, the ransomware creates a key file with name similar to: [PC_NAME]#9C43A95AC27D3A131D3E8A95F2163088-Bravo NEW-20175267812-78.key.aes_ni_0day in C:\ProgramData folder.

The file “!!! READ THIS - IMPORTANT !!!.txt” contains the following ransom note:

Encrypted files have the ".Alcatraz" extension.

After encrypting your files, a similar message appears (it is located in a file "ransomed.html" in the user's desktop):

Apocalypse adds .encrypted, .FuckYourData, .locked, .Encryptedfile, or .SecureCrypted to the end of filenames. (e.g., Thesis.doc = Thesis.doc.locked)

Opening a file with the extension .How_To_Decrypt.txt, .README.Txt, .Contact_Here_To_Recover_Your_Files.txt, .How_to_Recover_Data.txt, or .Where_my_files.txt (e.g., Thesis.doc.How_To_Decrypt.txt) will display a variant of this message:

BadBlock does not rename your files.

After encrypting your files, BadBlock displays one of these messages (from a file named Help Decrypt.html):

Bart adds .bart.zip to the end of filenames. (e.g., Thesis.doc = Thesis.docx.bart.zip) These are encrypted ZIP archives containing the original files.

After encrypting your files, Bart changes your desktop wallpaper to an image like the one below. The text on this image can also be used to help identify Bart, and is stored on the desktop in files named recover.bmp and recover.txt.

The ransomware adds the following extension: .obfuscated

foobar.doc -> foobar.doc.obfuscated
document.dat -> document.dat.obfuscated
document.xls -> document.xls.obfuscated
foobar.bmp -> foobar.bmp.obfuscated

Encrypted file names will have the following format:
foobar.docx.[sql772@aol.com].theva
foobar.docx.[no.xop@protonmail.ch].cryptobyte
foobar.bmp.[no.btc@protonmail.ch].cryptowin
foobar.bmp.[no.btcw@protonmail.ch].btcware
foobar.docx.onyon

Furthermore, one of the following files can be found on the PC
Key.dat on %USERPROFILE%\Desktop
1.bmp in %USERPROFILE%\AppData\Roaming
#_README_#.inf or !#_DECRYPT_#!.inf in each folder with at least one encrypted file.

After encrypting your files, the desktop wallpaper is changed to the following:

Crypt888 adds Lock. to the beginning of filenames. (e.g., Thesis.doc = Lock.Thesis.doc)

After encrypting your files, Crypt888 changes your desktop wallpaper to one of the following:

Encrypted files will have one of the following extensions: .CRYPTOSHIELD, .rdmk, .lesli, .scl, .code, .rmd, .rscl or .MOLE.

The following files may be found on the PC after encrypting files:

Encrypted files have many various extensions, including:
.johnycryptor@hackermail.com.xtbl,
.ecovector2@aol.com.xtbl,
.systemdown@india.com.xtbl,
.Vegclass@aol.com.xtbl,
.{milarepa.lotos@aol.com}.CrySiS,
.{Greg_blood@india.com}.xtbl,
.{savepanda@india.com}.xtbl,
.{arzamass7@163.com}.xtbl,
.{3angle@india.com}.dharma,
.{tombit@india.com}.dharma,
.wallet

After encrypting your files, one of the following messages appears (see below). The message is located in "Decryption instructions.txt", "Decryptions instructions.txt", "README.txt", "Readme to restore your files.txt" or "HOW TO DECRYPT YOUR DATA.txt" on the user's desktop. Also, the desktop background is changed to one of the pictures below.

The ransomware adds the word “encrypTile” into a file name:

foobar.doc -> foobar.docEncrypTile.doc

foobar3 -> foobar3EncrypTile

The ransomware also creates four new files on user’s desktop. Names of these files are localized, here are their English versions:

+

Encrypted files will have the .crypt extension.

After encrypting your files, several files are created on the user’s desktop, with name variants of: DECRYPT.txt, HOW_TO_DECRYPT.txt, README.txt. They are all identical, containing the following text message:

The ransomware adds multiple possible extensions:
.GDCB,
.CRAB,
.KRAB,
.%RandomLetters%
foobar.doc -> foobar.doc.GDCB
document.dat -> document.dat.CRAB
document.xls -> document.xls.KRAB
foobar.bmp -> foobar.bmp.gcnbo (letters are random)

The ransomware also creates a text file named "GDCB-DECRYPT.txt", "CRAB-DECRYPT.txt", "KRAB_DECRYPT.txt", "%RandomLetters%-DECRYPT.txt" or "%RandomLetters%-MANUAL.txt" in each folder. The content of the file is below.

Globe adds one of the following extensions to the file name: ".ACRYPT", ".GSupport[0-9]", ".blackblock", ".dll555", ".duhust", ".exploit", ".frozen", ".globe", ".gsupport", ".kyra", ".purged", ".raid[0-9]", ".siri-down@india.com", ".xtbl", ".zendrz", ".zendr[0-9]", or ".hnyear". Furthermore, some of its versions encrypt the file name as well.

After encrypting your files, a similar message appears (it is located in a file "How to restore files.hta" or "Read Me Please.hta"):

Encrypted files will have one of the following extensions (but not limited to): .locked, .34xxx, .bloccato, .BUGSECCCC, .Hollycrypt, .lock, .saeid, .unlockit, .razy, .mecpt, .monstro, .lok, .암호화됨, .8lock8, .fucked, .flyper, .kratos, .krypted, .CAZZO, .doomed.

After encrypting files, a text file (READ_IT.txt, MSG_FROM_SITULA.txt, DECRYPT_YOUR_FILES.HTML) appears on the user's desktop. Various variants can also show a ransom message:

Encrypted files will have one of the following extensions: .kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush, .uk-dealer@sigaint.org, or .gefickt.

After encrypting your files, one of the screens below will appear:

The ransomware adds the “.MyChemicalRomance4EVER” extension after a file name:
foobar.doc -> foobar.doc.MyChemicalRomance4EVER
document.dat -> document.dat.MyChemicalRomance4EVER

The ransomware also creates a text file named "UNLOCK_guiDE.txt" on the user's desktop. The content of the file is below.

Legion adds a variant of ._23-06-2016-20-27-23_$f_tactics@aol.com$.legion or .$centurion_legion@aol.com$.cbf to the end of filenames. (e.g., Thesis.doc = Thesis.doc._23-06-2016-20-27-23_$f_tactics@aol.com$.legion)

After encrypting your files, Legion changes your desktop wallpaper and displays a popup, like this:

NoobCrypt doesn't change file name. Files that are encrypted are unable to be open with their associated application, however.

After encrypting your files, a similar message appears (it is located in a file "ransomed.html" in the user's desktop):

Stampado adds the .locked extension to the encrypted files. Some variants also encrypt the filename itself, so the encrypted file name may look either as document.docx.locked or 85451F3CCCE348256B549378804965CD8564065FC3F8.locked.

After encryption is complete, the following screen will appear:

SZFLocker adds .szf to the end of filenames. (e.g., Thesis.doc = Thesis.doc.szf)

When you try to open an encrypted file, SZFLocker displays the following message (in Polish):

The latest version of TeslaCrypt does not rename your files.

After encrypting your files, TeslaCrypt displays a variant of the following message:

Encrypted files will have one of these extensions:
• xtbl
• ytbl
• breaking_bad
• heisenberg
• better_call_saul
• los_pollos
• da_vinci_code
• magic_software_syndicate
• windows10
• windows8
• no_more_ransom
• tyson
• crypted000007
• crypted000078
• rsa3072
• decrypt_it
• dexter
• miami_california

After encrypting your files, several files are created on the user’s desktop, with name of README1.txt to README10.txt. They are in different languages, containing this text:

The ransomware adds the ".~xdata~" extension to the encrypted files.

In each folder with at least one encrypted file, the file "HOW_CAN_I_DECRYPT_MY_FILES.txt" can be found. Additionally, the ransomware creates a key file with name similar to:

[PC_NAME]#9C43A95AC27D3A131D3E8A95F2163088-Bravo NEW-20175267812-78.key.~xdata~ in the following folders:

• C:\

• C:\ProgramData

• Desktop

The file “HOW_CAN_I_DECRYPT_MY_FILES.txt” contains the following ransom note: