Дешифраторы от компании Emsisoft

safety · August 2016

дешифраторы от компании Emsisoft
https://decrypter.emsisoft.com/

Emsisoft Decrypter for Nemucod

Используйте этот Decrypter, если файлы были переименованы в * .crypted и вы нашли ransomnote с именем DECRYPT.txt на рабочем столе. Для использования Decrypter вам потребуется зашифрованный файл, по меньшей мере, 510 байт, а также его незашифрованный версию. Для запуска Decrypter выбрать как зашифрованное и незашифрованный файл и перетащите их на исполняемый файл Decrypter.

Emsisoft Decrypter for DMALocker2
Emsisoft Decrypter for HydraCrypt

Используйте этот Decrypter, если файлы были зашифрованы и переименован либо * .hydracrypt * или * .umbrecrypt *.

Emsisoft Decrypter for DMALocker
Emsisoft Decrypter for CrypBoss
Emsisoft Decrypter for Gomasom
Emsisoft Decrypter for LeChiffre

Используйте этот Decrypter, если ваши файлы были зашифрованы и переименован в * .LeChiffre и ransomnote просит вас связаться с [email protected] по электронной почте.

Emsisoft Decrypter for KeyBTC
Emsisoft Decrypter for Radamant

Use this decrypter if your files have been encrypted and renamed to either *.rdm or *.rrk.

Emsisoft Decrypter for CryptInfinite

Use this decrypter if your files have been encrypted and renamed to *.CRINF.

Emsisoft Decrypter for PClock
Emsisoft Decrypter for CryptoDefense

Используйте этот Decrypter, если вредоносная программа идентифицирует себя как CryptoDefense и оставляет выкупов ноты названные HOW_DECRYPT.txt позади.

Emsisoft Decrypter for Harasom
Emsisoft Decrypter for Stampado
Emsisoft Decrypter for ApocalypseVM
Emsisoft Decrypter for Apocalypse
Emsisoft Decrypter for BadBlock
Emsisoft Decrypter for Xorist

Используйте этот Decrypter, если файлы были зашифрованы с помощью вымогателей Xorist. Типичные расширения, используемые Xorist включают * .EnCiPhErEd, * .0JELvV, * .p5tkjw, * .6FKR8d, * .UslJ6m, * .n1wLp0, * .5vypSa и * .YNhlv1. Ransomnote обычно можно найти на рабочем столе с названием "КАК дешифровать files.txt". Для использования Decrypter вам потребуется зашифрованный файл, по меньшей мере, 144 байт, а также его незашифрованный версию. Для запуска Decrypter выбрать как зашифрованное и незашифрованный файл и перетащите их на исполняемый файл Decrypter.

Emsisoft Decrypter for 777
Emsisoft Decrypter for AutoLocky

safety · December 2016

добавился дешифратор
[Nov, 29, 2016] - Version: 1.0.0.8
Emsisoft Decrypter for NMoreira

NMoreira, also known as XRatTeam or XPan, is a file encrypting ransomware. It uses a mix of RSA and AES-256 to encrypt your files. Encrypted files have either the extension *.maktub or *.__AiraCropEncrypted!. In addition, the ransomware will create one of the following ransom notes.

https://decrypter.emsisoft.com/nmoreira

проверил расшифровку файлов на единственном пока примере.

Starting decryption ...

Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\1\Бух.rar.__AiraCropEncrypted!
Decryption: Trying to reconstruct encryption key, this will take a bit ...
Destination file: E:\deshifr\_AiraCropEncrypted!\01\1\Бух.rar
Status: Successfully decrypted!

Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\2\1sys_buh 2016-08-31 19;21;16 (Full).zip.__AiraCropEncrypted!
Decryption: Successfully recovered encryption keys based on previous key.
Destination file: E:\deshifr\_AiraCropEncrypted!\01\2\1sys_buh 2016-08-31 19;21;16 (Full).zip
Status: Successfully decrypted!

Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\3\Бух.rar.__AiraCropEncrypted!
Decryption: Trying to reconstruct encryption key, this will take a bit ...
Destination file: E:\deshifr\_AiraCropEncrypted!\01\3\Бух.rar
Status: Successfully decrypted!

Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\4\04-2016_подр_6606087 (1).txt.__AiraCropEncrypted!
Decryption: Trying to reconstruct encryption key, this will take a bit ...
Could not guess key. Most likely the original file format is not supported.

Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\4\1sys_buh 2016-08-31 19;21;16 (Full).zip.__AiraCropEncrypted!
Decryption: Successfully recovered encryption keys based on previous key.
Destination file: E:\deshifr\_AiraCropEncrypted!\01\4\1sys_buh 2016-08-31 19;21;16 (Full).zip
Status: Successfully decrypted!

Encrypted file: E:\deshifr\_AiraCropEncrypted!\01\4\Выгрузка каталога и коммерческих предложений на сайт в формате CommerceML версии 2.docx.__AiraCropEncrypted!
Decryption: Successfully recovered encryption keys based on previous key.
Destination file: E:\deshifr\_AiraCropEncrypted!\01\4\Выгрузка каталога и коммерческих предложений на сайт в формате CommerceML версии 2.docx
Status: Successfully decrypted!

Finished!

safety · January 2017

добавился дешифратор Globe3

[Jan, 4, 2017] - Version: 1.0.0.12
Emsisoft Decrypter for Globe3

Globe3 is a ransomware kit that we first discovered at the beginning of 2017. Globe3 encrypts files and optionally filenames using AES-256. Since the extension of encrypted files is configurable, several different file extensions are possible. The most commonly used extensions are .decrypt2017 and .hnumkhotep. To use the decrypter, you will require a file pair containing both an encrypted file and its non-encrypted original version. Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory. If file names are encrypted, please use the file size to determine the correct file. The encrypted and the original file will have the same size for files greater than 64 kb.

Due to a bug in the ransomware, decrypted files smaller than 64 kb will be up to 15 bytes larger than the originals. This file size increase is due to the fact, that the ransomware rounds file sizes up to the next 16-byte boundary without saving the original file size. For most file formats this is unlikely to cause problems. However, if your applications complain about corrupted file formats, you may have to manually remove trailing zero bytes at the end of the file using a hex editor.

https://decrypter.emsisoft.com/globe3

Decryption key found

The decrypter detected the following key to be a match for the given file:

Key:
C6DE117389F107D2579B10030848DFE8D07419DCA1AA271C861DDC96D9C4A328

Extension:
True

File name encryption:
[email protected]

Please keep in mind that there is a slight chance that this key might be wrong. We suggest trying decrypting a few files first to check whether it is working correctly.

ОК

Looking for active infection ...
No active infection was found!

Encrypted file: E:\deshifr\encode_files\Globe\globe3\10\sample\encode_files\[email protected]
Destination file: E:\deshifr\encode_files\Globe\globe3\10\sample\encode_files\Hotel.dll
Status: Successfully decrypted!

Finished!

safety · January 2017

добавился дешифратор MRCR

[Jan, 12, 2017] - Version: 1.0.0.45
Emsisoft Decrypter for MRCR

MRCR or Merry X-Mas is a ransomware family that first appeared in December last year. It is written in Delphi and uses a custom encryption algorithm. Encrypted files will have either ".PEGS1", ".MRCR1", ".RARE1", ".MERRY", or ".RMCM1" as an extension. The ransom note is named "YOUR_FILES_ARE_DEAD.HTA" or "MERRY_I_LOVE_YOU_BRUCE.HTA" and asks victims to contact either "[email protected]" or "comodosecurity" via the secure mobile messenger Telegram.

To start the decryption process you will need a file pair consisting of an encrypted file and the non-encrypted version of the same file. The files need to be between 64 KB and 100 MB in size. Select both and drag and drop them onto the decrypter executable to start the process.
[/email]

https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its-dev-comodosecurity-not-bringing-holiday-cheer/

https://decrypter.emsisoft.com/mrcr

в данной версии дешифратор неудовлетворителен, по крайней мере не для всех заявленных расширений (в частности для *.RARE1) работает корректно.

safety · January 2017

DDoS attacks hit Emsisoft over the weekend

Three days later, on Saturday, January 28, Emsisoft suffered a similar fate, when a DDoS attack hit a specific section of the company's portal, the place where Emsisoft hosts ransomware decrypters.

Looks like someone DDoSes our decrypter site. Coincides with MRCR devs showing up in our forums. Guess I pissed someone off again. ¯\_(ツ)_/¯
— Fabian Wosar (@fwosar) January 28, 2017

Speaking to Bleeping Computer, Emsisoft's CTO Fabian Wosar said the attack clocked in at around 80 Gbps, and its defenses held up just fine, with no downtime to its website.

"They didn't manage to take the site down," Wosar said. "According to our provider it was a smaller attack of about 80 GBit. It was [...] kinda slow."

https://www.bleepingcomputer.com/news/security/emsisoft-website-hit-by-ddos-attack-as-company-releases-ransomware-decrypter/

safety · March 2017

добавлены дешифраторы Emsisoft Decrypter for CryptON, for Damage

[Mar, 7, 2017] - Version: 1.0.0.33
Emsisoft Decrypter for CryptON

Today, Emsisoft CTO and Malware researcher Fabian Wosar released a free decrypter for the CryptON ransomware family, allowing those that have been infected to free their encrypted files without having to pay a ransom.

Variants of the Russian-originated CryptON ransomware, such as X3M and Nemesis, started to appear on the Bleeping Computer forums from December 2016. All of them seem to be put together using the same “builder”, a term that describes a software application which automates the process of customizing a malware executable.

http://blog.emsisoft.com/2017/03/07/emsisoft-releases-free-decrypter-for-crypton-ransomware/

[Mar, 11, 2017] - Version: 1.0.0.12
Emsisoft Decrypter for Damage

дешифратор (for Damage) рабочий, ключ в итоге по паре чистый - зашифрованный был вычислен, и все файлы были корректно расшифрованы.

Encrypted file: E:\deshifr\encode_files\damage\10\encode_files\бесхозяйные вещи исковое заявление.doc.damage
Destination file: E:\deshifr\encode_files\damage\10\encode_files\бесхозяйные вещи исковое заявление.doc
Status: Successfully decrypted!

Finished!

safety · May 2017

Emsisoft Releases a Decryptor for the Amnesia Ransomware

On Saturday, Emsisoft's CTO and malware researcher Fabian Wosar released a decryptor for the Amnesia Ransomware. This ransomware was first spotted in early May and has had one other variant released called CryptoBoss. This family of ransomware was named Amnesia based on the extension appended to encrypted files by the first variant.

https://www.bleepingcomputer.com/news/security/emsisoft-releases-a-decryptor-for-the-amnesia-ransomware/

[May, 6, 2017] - Version: 1.0.0.25
Emsisoft Decrypter for Amnesia

safety · September 2017

decrypt_Xorist обновился до версии 1.0.0.33
https://decrypter.emsisoft.com/xorist

расшифровка вариантов значительно улучшена.

тестирую расшифровку на примере шифратора *.id70915

Emsisoft:
ключ самостоятельно вычислен по паре чистый - зашифрованный

Key : DAC1055D494221DB36287C849183EEE2
Encryption Rounds: 32 
Start Offset: 62 
Encryption Limit: 1371077
Algorithm: TEA

расшифровка тестовой папки - отлично (100%)

ESET (ESETFilecoderQCleaner.exe v. 3.2.0.7):
(ключ предварительно был получен от вирлаба).
расшифровка теcmовой папки - отлично (100%),
- ("минус") в том, что опция "/a" вычисления ключа по группе зашифрованных документов не работает в ESETFilecoderQCleaner.exe. Т.е. ключ расшифровки для данной утилиты можно получить только в вирлабе.

2017.09.16 15:17:15.648] -
[2017.09.16 15:17:15.648] - ....................................
[2017.09.16 15:17:15.648] - ..::::::::::::::::::....................
[2017.09.16 15:17:15.664] - .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT.. Win32/Filecoder.Q
[2017.09.16 15:17:15.664] - .::EE::::EE:SS:::::::.EE....EE....TT...... Version: 3.2.0.7
[2017.09.16 15:17:15.664] - .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT...... Built: Dec 11 2015
[2017.09.16 15:17:15.664] - .::EE:::::::::::::SS:.EE..........TT......
[2017.09.16 15:17:15.664] - .::EEEEEE:::SSSSSS::..EEEEEE.....TT..... Copyright (c) ESET, spol. s r.o.
[2017.09.16 15:17:15.664] - ..::::::::::::::::::.................... 1992-2015. All rights reserved.
[2017.09.16 15:17:15.664] - ....................................
[2017.09.16 15:17:16.241] -
[2017.09.16 15:17:16.241] - INFO: 26 infected files found.
[2017.09.16 15:17:16.241] - INFO: 26 file(s) cleaned.
[2017.09.16 15:17:21.966] - End

LK v2.5.1.0:
отключил проверку жестких дисков (только съемные), но утилита на это почему то не реагирует.
15:27:22.0960 0x06dc Can't init decryptor on file Z:\test_decrypt\keygpg.rar.id70915

Trend Micro v 1.0.1667 даже не шевельнулся, после того как я указал пару файлов: зашифрованный - оригинал

safety · March 2019

+

[Mar, 9, 2019] - Version: 1.0.0.0
Emsisoft Decrypter for BigBobRoss

BigBobRoss is a ransomware written in C++ using QT. It uses AES-128 ECB to encrypt files, and adds the extension ".obfuscated". Some variants also prepend the victim ID to the filename. The ransom note "Read Me.txt" asks the victim to contact "[email protected]".

https://decrypter.emsisoft.com/bigbobross

+
update:

Version: 1.0.0.2
Emsisoft Decrypter for BigBobRoss

BigBobRoss is a ransomware written in C++ using QT. It uses AES-128 ECB to encrypt files, and adds the extension ".obfuscated". Some variants also prepend the victim ID to the filename. The ransom note "Read Me.txt" asks the victim to contact "[email protected]".

видим, что интерфейс дешифраторов от Emsisoft изменился, и теперь брутфорсер запускается через GUI. (видимо результат сотрудничества М.Гиллеспи и F.Wosar)

собственно, так есть:

Written by Michael Gillespie - Emsisoft Ltd - www.emsisoft.com

видим, что в возможно вычисление ключа по записке о выкупе.

Результат:

Starting...

Starting...

File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Chrysanthemum.jpg.obfuscated
Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Chrysanthemum.jpg

File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Desert.jpg.obfuscated
Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Desert.jpg

File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Hydrangeas.jpg.obfuscated
Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Hydrangeas.jpg

File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Jellyfish.jpg.obfuscated
Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Jellyfish.jpg

File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Koala.jpg.obfuscated
Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Koala.jpg

File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Lighthouse.jpg.obfuscated
Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Lighthouse.jpg

File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Penguins.jpg.obfuscated
Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Penguins.jpg

File: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Tulips.jpg.obfuscated
Decrypted: G:\DATA\shifr\encode_files\BigBobRoss\20\encoder_files\test_emsisoft\Tulips.jpg

Finished!

Finished!

+

Version: 1.0.0.3
Written by Michael Gillespie - Emsisoft Ltd - www.emsisoft.com
+

Update: The BigBobRoss decrypter has been updated for the extension ‘.encryptedALL’

Version: 1.0.0.4
Written by Michael Gillespie - Emsisoft Ltd - www.emsisoft.com

safety · March 2019

+

[Mar, 19, 2019] - Version: 1.0.0.0
Emsisoft Decrypter for PewCrypt

PewCrypt is a ransomware written in Java that uses AES and RSA to encrypt a victim's files, adding the extension ".PewCrypt". The malware then asks the victim to subscribe to PewDiePie.

The author supposedly released this as a "joke" in 2019 - but be assured, ransomware is no joke, ever.

To use the decrypter, you will require the "AES.key" file left on the desktop by the malware.

https://decrypter.emsisoft.com/pewcrypt

safety · March 2019

+

[Mar, 25, 2019] - Version: 1.0.0.0
Emsisoft Decrypter for HKCrypt

HKCrypt (also known as "Hacked Ransomware") first appeared in late 2017, and encrypts a victim's files using the RC4 algorithm, then adds the extension ".hacked" to files. The malware pretends to be running a Windows update, then shows a lock screen telling the victim to contact "[email protected]".

https://decrypter.emsisoft.com/hkcrypt

p.s.
1. пример шифрования на ANY.RUN
https://app.any.run/tasks/34adc1cd-3b88-43a5-8853-00f42cd614a0
2.после некоторого перерыва, Emsisoft вновь активен в создании новых дешифраторов.
3. лог расшифровки:

Starting...

File: G:\DATA\shifr\encode_files\HKCrypt\AdobeID.pdf.hacked
Decrypted: G:\DATA\shifr\encode_files\HKCrypt\AdobeID.pdf

File: G:\DATA\shifr\encode_files\HKCrypt\autoexec.bat.hacked
Decrypted: G:\DATA\shifr\encode_files\HKCrypt\autoexec.bat

File: G:\DATA\shifr\encode_files\HKCrypt\Click on _Change_ to select default PDF handler.pdf.hacked
Decrypted: G:\DATA\shifr\encode_files\HKCrypt\Click on _Change_ to select default PDF handler.pdf

File: G:\DATA\shifr\encode_files\HKCrypt\DefaultID.pdf.hacked
Decrypted: G:\DATA\shifr\encode_files\HKCrypt\DefaultID.pdf

File: G:\DATA\shifr\encode_files\HKCrypt\Leame.htm.hacked
Decrypted: G:\DATA\shifr\encode_files\HKCrypt\Leame.htm

File: G:\DATA\shifr\encode_files\HKCrypt\license.html.hacked
Decrypted: G:\DATA\shifr\encode_files\HKCrypt\license.html

Finished!

safety · April 2019

+

[Apr, 1, 2019] - Version: 1.0.0.0
Emsisoft Decrypter for Aurora

Aurora is a ransomware family that encrypts files using XTEA and RSA, and may also be known as "Zorro", "Desu", or "AnimusLocker". Known extensions include ".Aurora", ".aurora", ".animus", ".ONI", ".Nano", and ".cryptoid".

The malware leaves many ransom notes, examples include "!-GET_MY_FILES-!.txt", "#RECOVERY-PC#.txt", and "@_RESTORE-FILES_@.txt".

https://decrypter.emsisoft.com/aurora

p.s. и здесь видим, что новый дешифратор, есть результат сотрудничества M.Gillespie и Emsisoft

https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/

safety · April 2019

+

[Apr, 4, 2019] - Version: 1.0.0.0
Emsisoft Decrypter for Planetary
Written by Michael Gillespie - Emsisoft Ltd - www.emsisoft.com

Planetary is a ransomware family that uses AES-256 to encrypt files, adding the extension ".mira", ".yum", ".Neptune", or ".Pluto" to files - the latter of which give this ransomware its name. The ransom note "!!!READ_IT!!!.txt" then asks the victim to contact "[email protected]".

https://decrypter.emsisoft.com/planetary
+
интересное наблюдение:

На этой неделе Emsisoft выпустил расшифровщик для семейства Planetary Ransomware, который позволяет жертвам бесплатно расшифровывать свои файлы. Это семейство вымогателей называется Planetary, потому что оно обычно использует имена планет для расширений, добавляемых к зашифрованным именам файлов.

При шифровании файлов к имени зашифрованного файла добавляется расширение .mira, .yum, .Pluto или .Neptune. Например, если файл с именем test.jpg был зашифрован, он будет переименован в test.jpg.Pluto.

В последнем варианте добавлено расширение .mira, названное в честь вымышленной планеты из видеоигры...

https://www.bleepingcomputer.com/ransomware/decryptor/planetary-ransomware-decryptor-gets-your-files-back-for-free/

safety · April 2019

+
[Apr, 11, 2019] - Version: 1.0.0.0
Emsisoft Decrypter for CryptoPokemon
Written by Michael Gillespie - Emsisoft Ltd - www.emsisoft.com

CryptoPokemon uses SHA256 and AES-128 to capture victim's files, and adds the extension ".CRYPTOPOKEMON". The victim is then presented a ransom note and website claiming to be "PokemonGO".

The ransom note "!INFO.CRYPTOPOKEMON.log"

https://decrypter.emsisoft.com/cryptopokemon

safety · May 2019

+

[May, 1, 2019] - Version: 1.0.0.0
Emsisoft Decrypter for ZQ

ZQ Ransomware encrypts victim's files using the Salsa20 and RSA-1024 algorithms, and adds the extension ".[[email protected]].zq" to files. The ransom note "{HELP__DECRYPT}.txt" asks the victim to contact the email address "[email protected]".

https://www.emsisoft.com/decrypter/zq

safety · May 2019

+
[May, 2, 2019] - Version: 1.0.0.0
Emsisoft Decrypter for MegaLocker

MegaLocker encrypts a victim's files using AES-128 ECB, and adds the extension ".nampohyu" to files. The ransom note "!DECRYPT_INSTRUCTION.TXT" instructs the victim to go to a Tor website to contact the criminals.

https://www.emsisoft.com/decrypter/megalocker

https://www.bleepingcomputer.com/news/security/decryptor-for-megalocker-and-nampohyu-virus-ransomware-released/

safety · May 2019

+

[May, 20, 2019] - Version: 1.0.0.0
Emsisoft Decrypter for JSWorm 2.0

JSWorm 2.0 is a ransomware written in C++ that uses Blowfish to encrypt files, and adds the extension ".[ID-numbers][email].JSWORM" to files.

The ransom note "JSWORM-DECRYPT.txt"[/email]

https://www.emsisoft.com/decrypter/jsworm-20
+
[May, 22, 2019] - Version: 1.0.0.0
Emsisoft Decrypter for GetCrypt

GetCrypt is a ransomware spread by the RIG exploit kit, and encrypts victim's files using Salsa20 and RSA-4096. It appends a random 4-character extension to files that is unique to the victim.

https://www.emsisoft.com/decrypter/getcrypt

safety · July 2019

[Jul, 12, 2019] - Version: 1.0.0.0
Emsisoft Decrypter for Ims00rry

The Ims00rry ransomware encrypts files using AES-128, and does not add an extension. Instead, the text "---shlangan AES-256---" is pretended to the file contents. The victim is asked to contact the criminals on Telegram @Ims00rybot.

The ransom note "README"

https://www.emsisoft.com/decrypter/ims00rry

safety · July 2019

+
[Jul, 18, 2019] - Version: 1.0.0.0
Emsisoft Decrypter for ZeroFucks

This ransomware encrypts the victim's files with AES-256 and replaces the extension with ".zerofucks". For example, "Chrysanthemum.jpg" would become "Chrysanthemum.zerofucks".

https://www.emsisoft.com/decrypter/download/zerofucks

Starting...

File: G:\DATA\shifr\encode_files\ZeroFacks\busblock.zerofucks
Decrypted: G:\DATA\shifr\encode_files\ZeroFacks\busblock.jpg

File: G:\DATA\shifr\encode_files\ZeroFacks\offeye.zerofucks
Decrypted: G:\DATA\shifr\encode_files\ZeroFacks\offeye.jpg

File: G:\DATA\shifr\encode_files\ZeroFacks\rolebetter.zerofucks
Decrypted: G:\DATA\shifr\encode_files\ZeroFacks\rolebetter.jpg

File: G:\DATA\shifr\encode_files\ZeroFacks\usbpublished.zerofucks
Decrypted: G:\DATA\shifr\encode_files\ZeroFacks\usbpublished.png

File: G:\DATA\shifr\encode_files\ZeroFacks\xarchives.zerofucks
Decrypted: G:\DATA\shifr\encode_files\ZeroFacks\xarchives.jpg

safety · July 2019

+

[Jul, 22, 2019] - Version: 1.0.0.0
Emsisoft Decrypter for LooCipher

LooCipher encrypts the victim's files using AES-128 ECB, and adds the extension ".lcphr".

https://www.emsisoft.com/decrypter/loocipher

safety · August 2019

Эсмсисофт теперь использует сервис ID-Ransomware (Michael Gillespie) для детектирования типов Ransomware.

safety · August 2019

+

[Aug, 8, 2019] - Version: 1.0.0.0
Emsisoft Decryptor for JSWorm 4.0

JSWorm 4.0 is a ransomware written in C++ that uses a modified version of AES-256 to encrypt files, and adds the extension ".[ID-][].JSWRM to files.

The ransom note "JSWRM-DECRYPT.hta" has the below text:

https://www.emsisoft.com/ransomware-decryption-tools/jsworm-40

safety · August 2019

+

[Aug, 26, 2019] - Version: 1.0.0.0
Emsisoft Decryptor for Syrk

Syrk Ransomware pretends to be a hacking tool for the video game Fortnite, but instead, encrypts its victims files using AES-256 and adds the extension ".Syrk".

The ransom note "Readme_now.txt" contains the following text:

Your personal files have been encrypted by Syrk Malware, send an email to pan

https://www.emsisoft.com/ransomware-decryption-tools/syrk

safety · September 2019

+
[Sep, 25, 2019] - Version: 1.0.0.0
Emsisoft Decryptor for WannaCryFake

This ransomware pretends to be WannaCry by using the extension ".WannaCry". WannaCryFake uses AES-256 to encrypt it's victim's files, and displays a note that mimics Phobos.

https://www.emsisoft.com/ransomware-decryption-tools/wannacryfake

safety · September 2019

+
[Sep, 26, 2019] - Version: 1.0.0.0
Emsisoft Decryptor for Avest

The Avest ransomware encrypts victim's files and appends the extension ".ckey().email().pack14" to the filename.

https://www.emsisoft.com/ransomware-decryption-tools/avest
https://id-ransomware.blogspot.com/2019/09/avest-pack14-ransomware.html

safety · October 2019

+
[Oct, 3, 2019] - Version: 1.0.0.0
Emsisoft Decryptor for GalactiCrypter

The GalactiCrypter ransomware encrypts its victims files with AES-256 and prepends the filename with "ENCx45cR"; for example, "ENCx45cRChrysanthemum.jpg".

https://blog.emsisoft.com/en/34271/emsisoft-releases-free-decryptor-for-galacticrypter-ransomware/

https://www.emsisoft.com/ransomware-decryption-tools/download/galacticrypter

safety · October 2019

+
[Oct, 5, 2019] - Version: 1.0.0.0
Emsisoft Decryptor for HildaCrypt

The HildaCrypt encrypts its victims files using AES-256 and RSA-2048. Known extensions include ".HCY!" and ".mike".

https://www.emsisoft.com/ransomware-decryption-tools/hildacrypt
+
update: Version: 1.0.0.5
Emsisoft Decryptor for Aurora

Aurora is a ransomware family that encrypts files using XTEA and RSA, and may also be known as "Zorro", "Desu", or "AnimusLocker". Known extensions include ".Aurora", ".aurora", ".animus", ".ONI", ".Nano", ".cryptoid", ".peekaboo", ".isolated", ".infected", ".locked", and "veracrypt".

https://www.emsisoft.com/ransomware-decryption-tools/aurora
+
[Oct, 7, 2019] - Version: 1.0.0.0
Emsisoft Decryptor for Muhstik

The Muhstik Ransomware encrypts files on compromised QNAP systems using AES-256, and adds the extension ".muhstik" to files.

https://www.emsisoft.com/ransomware-decryption-tools/muhstik

safety · October 2019

+
[Oct, 18, 2019] - Version: 1.0.0.0
Emsisoft Decryptor for STOP Djvu

The STOP Djvu ransomware encrypts victim's files with Salsa20, and appends one of dozens of extensions to filenames; for example, ".djvu", ".rumba", ".radman", ".gero", etc.

Please note: There are limitations on what files can be decrypted. For all versions of STOP Djvu, files can be successfully decrypted if they were encrypted by an offline key that we have. For Old Djvu, files can also be decrypted using encrypted/original file pairs submitted to the STOP Djvu Submission portal; this does not apply to New Djvu after August 2019.

The ransom note "_readme.txt"

https://www.emsisoft.com/ransomware-decryption-tools/download/stop-djvu

+
[Oct, 18, 2019] - Version: 1.0.0.0
Emsisoft Decryptor for STOP Puma

The STOP Puma ransomware encrypts victim's files and appends the extension ".puma", ".pumas", or ".pumax" to files. Other supported extensions also include ".INFOWAIT" and ".DATAWAIT".

The ransom note "!readme.txt"

https://www.emsisoft.com/ransomware-decryption-tools/download/stop-puma

safety · October 2019

+
[Oct, 30, 2019] - Version: 1.0.0.0
Emsisoft Decryptor for Paradise

The Paradise ransomware encrypts victims using Salsa20 and RSA-1024, and appends one of several extensions such as ".paradise", "2ksys19", ".p3rf0rm4", and ".FC".

https://www.emsisoft.com/ransomware-decryption-tools/paradise

File: G:\DATA\shifr\encode_files\Paradise\fc\10\crypted\KP4 Baru 2019 Asnanda DTPPHP.docx_Support_{JRo07C}.FC
Decrypted: G:\DATA\shifr\encode_files\Paradise\fc\10\crypted\KP4 Baru 2019 Asnanda DTPPHP.docx

Finished!

safety · November 2019

+
[Nov, 18, 2019] - Version: 1.0.0.0
Emsisoft Decryptor for Jigsaw

The Jigsaw ransomware encrypts victim's files with AES and appends one of many extensions, including ".fun". An image is then displayed with a threat to delete files after a certain amount of time.

https://www.emsisoft.com/ransomware-decryption-tools/jigsaw

safety · November 2019

+
[Nov, 21, 2019] - Version: 1.0.0.0
Emsisoft Decryptor for Hakbit

The Hakbit ransomware targets businesses and encrypts its victim's files using AES-256.

The malware may also pretend to be one of the following processes at random to evade suspicion: lsass.exe, svchst.exe, crcss.exe, chrome32.exe, firefox.exe, calc.exe, mysqld.exe, dllhst.exe, opera32.exe, memop.exe, spoolcv.exe, ctfmom.exe, or SkypeApp.exe.

The ransom note "HELP_ME_RECOVER_MY_FILES.txt"

https://www.emsisoft.com/ransomware-decryption-tools/hakbit

Привет, незнакомец!

Быстрые ссылки

Разделы

In this Discussion

Дешифраторы от компании Emsisoft

Комментарии