6 Free Ransomware Decryption Tools
The No More Ransom group has been working to get free decryptor tools into the hands of security professionals and the general public.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt7f1f552941cbc25a/64f0dac1872773a255925ffd/Slide-1-CoverArt.jpg?width=700&auto=webp&quality=80&disable=upscale)
Worried about getting hit with ransomware? You're not alone. The good news is that security experts and law enforcement have been working to combat ransomware: over the past year, the No More Ransom project has developed free decryptor tools for more than two dozen strains of ransomware.
Jornt van der Wiel, a Kaspersky Lab security researcher, notes that No More Ransom was launched in July 2016 by the Dutch National Police, Europol, Kaspersky Lab, and Intel Security.
From those early meetings, No More Ransom started releasing the first batch of free decryptor tools. In December, Bitdefender, Emsisoft, Check Point, and Trend Micro joined the project as associate partners.
"We have definitely angered the ransomware makers," says Intel Security Vice President and CTO Raj Samani. "Recently, we found a ransomware variant using the file extension .nomoreransom, so they know who we are."
The No More Ransom site is managed by Amazon Web Services and Barracuda. For more information and access to the full range of free decryptor tools, check out No More Ransom.
Here's a look at the free tools available to get back your data after a ransomware attack, as well as an inside look at how they were created, based on interviews with van der Wiel and Samani.
Although it is often difficult to reverse-engineer sophisticated ransomware variants, Kaspersky Lab made that happen, and in this case updated the Rannoh Decryptor, which now cleanses both Rannoh and CryptXXX malware. One caveat: It will only decrypt as long as there is at least one original file sample that has not been encrypted by CryptXXX. The Rannoh Decryptor now works on CryptXXX versions 1, 2, and 3. For versions 1 and 2, Kaspersky Lab found implementation mistakes, and for version 3 it was stored on the server. Follow this link for more information.
Kaspersky Lab got a phone call at one of its local offices in Europe that a machine was infected with ransomware. They tracked down the server in the Netherlands and had the local Dutch police seize the server. The police then turned over the keys to Kaspersky Lab and McAfee. When police examined the server, they found that the crooks made $80,000 in a single month and roughly 5,600 machines were infected. Both Kaspersky Lab and Intel Security developed tools. Follow this link for more information.
Kaspersky Lab discovered the keys to the Chimera ransomware strain on an Internet forum and then turned them over to their experts. It's never clear why keys are leaked: Sometimes it may be the handiwork of a rival gang looking to make trouble for the competition, experts say. In other instances, it could be a good Samaritan who wants to leak the keys but remain anonymous. Kaspersky Lab updated its Rakhni utility to build a decryptor. Follow this link for more information.
Shade was found because the ransomware authors made configuration mistakes that were discovered by researchers. They found the IP address of the server and gave it to the police, who seized the server. They recovered 250,000 keys. Both Kaspersky Lab and Intel Security developed tools for the ransomware variant. Follow this link for more information.
This one was just plain odd: Researchers from ESET contacted the Teslacrypt gang and asked for the keys. Amazingly, the bad guys then just handed them over. Speculation is that the Teslacrypt group was moving on to CryptXXX. Either way, they released the keys and both Kaspersky Lab and Intel Security developed a decryptor. Kaspersky Lab and Intel Security also updated their Rakhni utility to decrypt this ransomware. Follow this link for more information.
This tool decrypts files encrypted by CoinVault and Bitcryptor. Kaspersky Lab worked closely with law enforcement to uncover the key. All 14,000 decryption keys have been released, and two of the cybercriminals involved will be prosecuted later this year. Both Kaspersky Lab and Intel Security created decryption tools for CoinVault. Follow this link for more information.