Kaspersky RannohDecryptor for decrypting files affected by Trojan-Ransom.Win32.Rannoh

Latest update: September 3, 2024 ID: 8547

Do you want to prevent infections? Install Kaspersky for Windows

Kaspersky for Windows protects your digital life with technologies that go beyond anti-virus.

Buy

The RannohDecryptor tool is designed to decrypt files encrypted by the following ransomware:

Trojan-Ransom.Win32.Rannoh
Trojan-Ransom.Win32.AutoIt
Trojan-Ransom.Win32.Cryakl
Trojan-Ransom.Win32.CryptXXX version 1, 2 and 3
Trojan-Ransom.Win32.Crybola
Trojan-Ransom.Win32.Polyglot
Trojan-Ransom.Win32.Fury
Trojan-Ransom.Win32.Yanluowang

How ransomware changes files

In case of an infection, all files on the computer will be changed as follows:

Ransomware	How files will be encrypted
Trojan-Ransom.Win32.Rannoh	File names and extensions will be changed according to the template locked-<original_name>.<four_random_letters>.
Trojan-Ransom.Win32.AutoIt	Extensions will be changed according to the template <original_name>@<mail server>_.<random_set_of_characters>. For example, [email protected]_.rzwdtdic.
Trojan-Ransom.Win32.Cryakl	The tag {CRYPTENDBLACKDC} is added to the end of file names.
Trojan-Ransom.Win32.CryptXXX	Extensions will be changed according to the templates: <original_name>.crypt <original_name>.crypz <original_name>.cryp1
Trojan-Ransom.Win32.Crybola	Extensions will be changed according to the template <original_name>.ebola.
Trojan-Ransom.Win32.Yanluowang	Extensions will be changed according to the template <original_name>.yanluowang.

The other ransomware does not change file extensions.

Features of the tool operation when decrypting files affected by Trojan-Ransom.Win32.CryptXXX

How to decrypt files with Kaspersky RannohDecryptor

Download the RannohDecryptor.zip archive and extract the files from it using the instructions.
Open the folder with the archive files.
Run the RannohDecryptor.exe file.
Read the License agreement carefully. If you agree to all of its terms, click Accept.
If you want the utility to automatically remove the decrypted files, do the following:
1. In the main window, click Change parameters.
2. After successful decryption, select the Delete crypted files after decryption check box and click OK.
Click Start scan.

Starting a scan in Kaspersky RannohDecryptor.

Specify the path to the encrypted file.
To decrypt some files, the utility will request the original (not encrypted) copy of one encrypted file. You can find such a copy in your mail, on a removable drive, on your other computers, or in cloud storage. Click Continue and specify the path to the original file.
If the file is encrypted by Trojan-Ransom.Win32.CryptXXX, indicate the largest files. Only the files of this size or smaller ones will be decrypted.

Specifying the path to the original file in Kaspersky Rannoh Decryptor.

Wait until the encrypted files are found and decrypted.

If the file was encrypted by Trojan-Ransom.Win32.Cryakl, Trojan-Ransom.Win32.Polyglot, or Trojan-Ransom.Win32.Fury, the tool will save the file at its previous location with the extension .decryptedKLR.original_extension. If you selected the Delete crypted files after decryption check box, the tool will save the decrypted files with their original name.

If the file was encrypted by Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.Cryakl, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.CryptXXX, Trojan-Ransom.Win32.Crybola, or Trojan-Ransom.Win32.Yanluowang, the tool will save the file at its previous location with the original extension.

By default, the tool log is saved on the system disk with the operating system installed. The log file name is: UtilityName.Version_Date_Time_log.txt. For example, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt

How to use the tool through the command line

Parameter	Value	Example
-l <file_name>	Creating a log file with the specified name.	RannohDecryptor.exe -l C:\Users\Administrator\Downloads\log.txt

What to do if the issue persists

Useful references

Free recovery tools