Ransomware File Decryptor is a tool developed by Trend Micro to recover files infected by specific types of ransomware. Please note that this tool may not work for all versions of ransomware. Some attackers are updating their ransom program after learning that there are free tools available to recover encrypted files. Please see the list of ransomware with corresponding versions and filenames that this tool can handle.
- 777 – (file name).777 | Example: myfile.doc will be myfile.doc.777
- AutoLocky – (file name).locky | Expample: myfile.jpg will be myfile.jpg.locky
- BadBlock (file name)
- CERBER V1 – (10 random characters).cerber | Example: myfile.jpg will be Thd8Yhns7R.cerber
- Chimera – (file name).crypt | Example: myfile.doc will be myfile.doc.crypt
- CryptXXX V1, V2, V3 – (file name}.crypt, .cryp1, .crypz, or 5 random characters | Example: myfile.jpg will be myfile.jpg.crypt or myfile.jpg.G5Th4s
- CryptXXX V4, V5 – (MD5 Hash).5 random characters
- Nemucod – (file name).crypted | Exmaple: myfile.doc will be myfile.doc.crypted
- Stampado – (file name).locked | Example: myfile.jpg will be myfile.jpg.locked
- SNSLocker – (file name).RSNSLocked | Example: myfile.doc will be myfile.doc.RSNSLocked
- TeslaCrypt V1 – (file name).ECC | Example: myfile.jpg will be myfile.jpg.ECC
- TeslaCrypt V2 – (file name).VVV, .CCC, .ZZZ, .AAA, .ABC, .XYZ | Example: myfile.doc will be myfile.doc.VVV or myfile.doc.XYZ
- TeslaCrypt V3 – (file name).XXX, .TTT, .MP3, or .MICRO | Example: myfile.jpg will be myfile.jpg.XXX
- TeslaCrypt V4 – No changes on file name and extension
- XORIST – (file name).xorist or random extension | Example: myfile.doc will be myfile.doc.xorist
- XORBAT – (file name}.crypted | Example: myfile.jpg will be myfile.jpg.crypted
How to Download and Use Ransomware File Decryptor Tool
Disclaimer: By downloading and using this tool, you are considered to have read the publisher’s disclaimer and agreed to terms and conditions as declared on the official web site.
1. Click on the link below to download Ransomware File Decryptor from Trend Micro web site.
RansomwareFileDecryptor Official Site (this will open on a new window)
2. Save the file to your hard drive, Desktop, or any location on your hard drive.
3. Once the download completed, decompress the file and double-click to run.
4. If it prompts for End User License Agreement (EULA), please Accept to proceed.
5. The tool will launch the main user interface. Click on Select button.
6. Under “Select Ransomware Name“, please choose Ransomware type. Then, press OK to save your choice. If you are unsure of which ransomware hits your computer, please look at the file name of infected files and refer to the list above. You may also refer to a text file, html file, or documented ransom notes placed by the malware on various locations of the computer. This tool may also help you identify ransomware type by clicking on “I don’t know the ransomware name” link.
7. On main interface, click on Select & Decrypt button. See image below for reference.
8. Select a file or Folder that was encrypted by ransomware. This tool can either decrypt single file or all files inside the folder and sub-folders.
9. This ransomware file decryptor tool will start scanning the computer and immediately decrypt files. Recovery time may vary depending on quantity of affected files and folders.
Decrypted file will be retain the previously encrypted file name. For files that were not changed by ransomware, the new decrypted file name will be (filename)decrypted.extension.