The Kaspersky RakhniDecryptor tool decrypts files that have been changed according to the following patterns:

• Trojan-Ransom.Win32.Conti:
  • <file_name>.KREMLIN
  • <file_name>.RUSSIA
  • <file_name>.PUTIN

• Trojan-Ransom.Win32.Ragnarok:
  • <file_name>.<ID>.thor
  • <file_name>.<ID>.odin
  • <file_name>.<ID>.hela

• For decryption, the utility asks for the file of the !!Read_Me.<ID>.html type.

• Trojan-Ransom.Win32.Fonix:
  • <file_name>.<original_file_extension>.Email=[<mail>@<server>.<domain>]ID=[<id>].XINOF
  • <file_name>.<original_file_extension>.Email=[<mail>@<server>.<domain>]ID=[<id>].FONIX
• Trojan-Ransom.Win32.Rakhni:
  • <file_name>.<original_file_extension>.locked
  • <file_name>.<original_file_extension>.kraken
  • <file_name>.<original_file_extension>.darkness
  • <file_name>.<original_file_extension>.oshit
  • <file_name>.<original_file_extension>.nochance
  • <file_name>.<original_file_extension>.oplata@qq_com
  • <file_name>.<original_file_extension>.relock@qq_com
  • <file_name>.<original_file_extension>.crypto
  • <file_name>.<original_file_extension>[email protected]
  • <file_name>.<original_file_extension>.p***a@qq_com
  • <file_name>.<original_file_extension>.dyatel@qq_com
  • <file_name>.<original_file_extension>.nalog@qq_com
  • <file_name>.<original_file_extension>.chifrator@gmail_com
  • <file_name>.<original_file_extension>.gruzin@qq_com
  • <file_name>.<original_file_extension>.troyancoder@gmail_com
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id373
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id371
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id372
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id374
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id375
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id376
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id392
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id357
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id356
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id358
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id359
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id360
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id20

• Trojan-Ransom.Win32.Mor: <file_name>.<original_file_extension>_crypt
• Trojan-Ransom.Win32.Autoit: <file_name>.<original_file_extension>.<[email protected]_.letters>
• Trojan-Ransom.MSIL.Lortok:
  • <file_name>.<original_file_extension>.cry
  • <file_name>.<original_file_extension>.AES256
• Trojan-Ransom.MSIL.Yatron: <file_name>.<original_file_extension>.Yatron
• Trojan-Ransom.AndroidOS.Pletor: <file_name>.<original_file_extension>.enc
• Trojan-Ransom.Win32.Agent.iih: <file_name>.<original_file_extension>+<hb15>
• Trojan-Ransom.Win32.CryFile: <file_name>.<original_file_extension>.encrypted
• Trojan-Ransom.Win32.Democry:
  • <file_name>.<original_file_extension>+<._data-time_$email@domain$.777>
  • <file_name>.<original_file_extension>+<._data-time_$email@domain$.legion>
• Trojan-Ransom.Win32.GandCrypt:
  • version 4: <file_name>.<original_file_extension>.KRAB
  • version 5: <file_name>.<original_file_extension>.<line_of_random_characters>
• Trojan-Ransom.Win32.Bitman version 3:
  • <file_name>.xxx
  • <file_name>.ttt
  • <file_name>.micro
  • <file_name>.mp3
• Trojan-Ransom.Win32.Bitman version 4: <file_name>.<original_file_extension>

• (File name and its extension don't change).

• Trojan-Ransom.Win32.Libra:
  • <file_name>.encrypted
  • <file_name>.locked
  • <file_name>.SecureCrypted
• Trojan-Ransom.MSIL.Lobzik:
  • <file_name>.fun
  • <file_name>.gws
  • <file_name>.btc
  • <file_name>.AFD
  • <file_name>.porno
  • <file_name>.pornoransom
  • <file_name>.epic
  • <file_name>.encrypted
  • <file_name>.J
  • <file_name>.payransom
  • <file_name>.paybtcs
  • <file_name>.paymds
  • <file_name>.paymrss
  • <file_name>.paymrts
  • <file_name>.paymst
  • <file_name>.paymts
  • <file_name>.gefickt
  • <file_name>[email protected]
• Trojan-Ransom.Win32.Mircop: <Lock>.<file_name>.<original_file_extension>
• Trojan-Ransom.Win32.Crusis (Dharma):
  • <file_name>.ID<…>.<mail>@<server>.<domain>.xtbl
  • <file_name>.ID<…>.<mail>@<server>.<domain>.CrySiS
  • <file_name>.id-<…>.<mail>@<server>.<domain>.xtbl
  • <file_name>.id-<…>.<mail>@<server>.<domain>.wallet
  • <file_name>.id-<…>.<mail>@<server>.<domain>.dhrama
  • <file_name>.id-<…>.<mail>@<server>.<domain>.onion
  • <file_name>.<mail>@<server>.<domain>.wallet
  • <file_name>.<mail>@<server>.<domain>.dhrama
  • <file_name>.<mail>@<server>.<domain>.onion

• Examples of some email addresses used to spread malware:

  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
• Trojan-Ransom.Win32.Crypren.afjh (FortuneCrypt): doesn’t change file extensions.
• Trojan-Ransom.Win32.Nemchig: <file_name>.<original_file_extension>[email protected]
• Trojan-Ransom.Win32.Lamer:
  • <file_name>.<original_file_extension>.bloked
  • <file_name>.<original_file_extension>.cripaaaa
  • <file_name>.<original_file_extension>.smit
  • <file_name>.<original_file_extension>.fajlovnet
  • <file_name>.<original_file_extension>.filesfucked
  • <file_name>.<original_file_extension>.criptx
  • <file_name>.<original_file_extension>.gopaymeb
  • <file_name>.<original_file_extension>.cripted
  • <file_name>.<original_file_extension>.bnmntftfmn
  • <file_name>.<original_file_extension>.criptiks
  • <file_name>.<original_file_extension>.cripttt
  • <file_name>.<original_file_extension>.hithere
  • <file_name>.<original_file_extension>.aga
• Trojan-Ransom.Win32.Cryptokluchen:
  • <file_name>.<original_file_extension>.AMBA
  • <file_name>.<original_file_extension>.PLAGUE17
  • <file_name>.<original_file_extension>.ktldll
• Trojan-Ransom.Win32.Rotor:
  • <file_name>.<original_file_extension>[email protected]
  • <file_name>.<original_file_extension>[email protected]
  • <file_name>.<original_file_extension>[email protected]
  • <file_name>.<original_file_extension>[email protected]
  • <file_name>.<original_file_extension>[email protected]_.crypt
  • <file_name>.<original_file_extension>[email protected]____.crypt
  • <file_name>.<original_file_extension>[email protected]_______.crypt
  • <file_name>.<original_file_extension>[email protected]___.crypt
  • <file_name>.<original_file_extension>[email protected]==.crypt
  • <file_name>.<original_file_extension>[email protected]=--.crypt

• Trojan-Ransom.Win32.Chimera:
  • <file_name>.<original_file_extension>.crypt
  • <file_name>.<original_file_extension>.<4 random tokens>
• Trojan-Ransom.Win32.AecHu:
  • <file_name>.aes256
  • <file_name>.aes_ni
  • <file_name>.aes_ni_gov
  • <file_name>.aes_ni_0day
  • <file_name>.lock
  • <file_name>.decrypr_helper@freemail_hu
  • <file_name>[email protected]
  • <file_name>.~xdata
• Trojan-Ransom.Win32.Jaff:
  • <file_name>.jaff
  • <file_name>.wlu
  • <file_name>.sVn
• Trojan-Ransom.Win32.Cryakl: email-<...>.ver-<...>.id-<...>.randomname-<...>.<random_extension>
• Trojan-Ransom.Win32.Maze: <file_name>.<original_file_extension>.<random_extension>
• Trojan-Ransom.Win32.Sekhmet: <file_name>.<original_file_extension>.<random_extension>
• Trojan-Ransom.Win32.Egregor: <file_name>.<original_file_extension>.<random_extension>

Learn more about the technologies that Kaspersky uses to protect against malware, including encryptors, on the TechnoWiki page.

1. Download the RakhniDecryptor.zip archive and extract the files from it using the instructions.
2. Open the folder with the archive files.
3. Run the RakhniDecryptor.exe file.
4. Read the License agreement carefully. If you agree to all of its terms, click Accept.
5. Click Change parameters.

6. Specify the parameters:
   1. Select the objects to scan: hard drives / removable drives / network drives.
   2. Select the Delete crypted files after decryption check box. In this case, the tool will remove copies of encrypted files with the extensions LOCKED, KRAKEN, DARKNESS, etc.
   3. Click ОК.
      

7. Click Start scan.

8. Select the encrypted file and click Open.

9. Read the warning and click ОК.

A file with the CRYPT extension might be encrypted more than once. For example, if the test.doc file was encrypted twice, the tool will decipher the first layer into the file test.1.doc.layerDecryptedKLR. In the tool performance report you will see: “Decryption success: disk:\path\test.doc_crypt -> dish:\path\test.1.doc.layerDecryptedKLR”. You will need to decrypt this file once again. In case of the successful decryption, the file will be saved under the original name test.doc.

Kaspersky RakhniDecryptor supports the following command line parameters for convenient and faster file decryption:

If you notice a suspicious file on your computer which may possibly cause infection or file encryption, send it for analysis to [email protected]. To do so, add the suspicious file to a ZIP or RAR archive using these instructions.

If the tool didn’t help, contact Kaspersky Customer Service.