Decrypt and Protect from Ransomware on Windows and Mac

The amount of Ransomware that has been released in 2017 has reached a new high.  Below are steps to protect, or remove/decrypt your files with the following forms of Ransomware.

First check No More Ransomware website – https://www.nomoreransom.org

Emsisoft has a large number of tools to decrypt a variety of Ransomware see – https://www.emsisoft.com/ransomware-decryption-tools/free-download

Ransomware Detection Tool
Bitdefender Ransomware Recognition Tool will help find a tool to decrypt your data if one exists or will attempt to identify the form of Ransomware.


ThiefQuest – Mac Ransomware Cleanup

SentinelOne has released a decryption tool for TheifQuest/EvilQuest

See this page at SentinelOne
https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/


Hakbit Ransomware Cleanup

Emsisoft has released a decryption tool for Hakbit Ransomware.

See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/hakbit


STOP Ransomware Cleanup

Emsisoft has released a decryption tool for 148 of the 160 variants of STOP Ransomware.

See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu


STOP Puma Ransomware Cleanup

Emsisoft has released a decryption tool for STOP Puma Ransomware variant.

See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/stop-puma


Muhstik Ransomware Cleanup

Emsisoft has released a decryption tool for Muhstik Ransomware, files encrypted with this have .muhstik added as their extension to the filename.

See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/muhstik


HildaCrypt Ransomware Cleanup

Emsisoft has released a decryption tool for HildaCrypt Ransomware, files encrypted with this have .HCY! or .mike as their extension.

See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/hildacrypt


GalactiCrypter Ransomware Cleanup

Emsisoft has released a decryption tool for GalactiCrypter Ransomware, files encrypted with this have ENCx45cR prepended to the filename.

See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/galacticrypter


Avest Ransomware Cleanup

Emsisoft has released a decryption tool for Avest Ransomware, files encrypted with this have the extension of .ckey().email().pack14 added to the filename.

See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/avest


WannaCryFake Ransomware Cleanup

Emsisoft has released a decryption tool for WannaCryFake Ransomware, files encrypted with this have the extension of .WannaCry.

See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/wannacryfake


Syrk Ransomware Cleanup

Emsisoft has released a decryption tool for Syrk Ransomware, files encrypted with this have the extension of .Syrk.

See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/syrk


JSWorm 4.0 Ransomware Cleanup

Emsisoft has released a decryption tool for JSWorm 4.0 Ransomware, files encrypted with this have the extension JSWRM along with an ID # added to the end of the filename.

See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/jsworm-40


LooCipher Ransomware Cleanup

Emsisoft has released a decryption tool for LooCipher Ransomware, files encrypted with this has the extension of .lcphr.

See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/loocipher


Ims00rry Ransomware Cleanup

Emsisoft has relased a decryption tool for Ims00rry Ransomware, files have —shlangan AES-256— added to the beginning of the file.

See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/ims00rry


GandCrab Ransomware Cleanup

Bitdefender has released a cleanup utility for GandCrab versions 1, 4, and 5 and they are working on versions 2 and 3. The free utility will automate the data decryption process.  They also have a version of GandCrab that fixes a specific Syrian version as well.  The utility requires a active Internet connection to be able to decrypt the files.

See this page at Bitdefender
https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
Syrian version
https://labs.bitdefender.com/2018/10/bitdefender-gandcrab-decryptor-for-syrian-users-now-available/


LockCrypt Ransomware Cleanup

Bitdefender has developed a tool to decrypt 1btc files.  lock, 2018, and mich files are not included in this tools decryption.

See this page at Bitdefender
https://labs.bitdefender.com/2018/07/lockcrypt-ransomware-decryption-tool/


Annabelle Ransomware Cleanup

Bitdefender has a tool that cleans up the Master Boot Record, deletes registry keys designed to reactivate the Ransomware, and a tool that will attempt to decrypt the files.

See this page at Bitdefender
https://labs.bitdefender.com/2018/03/annabelle-ransomware-decryption-tool/


Shrug Ransomware Cleanup

Around July 6, 2018 a new form of Ransomware was found called Shrug based on the ASCII text art of someone shrugging.  It seems to be a drive by kind of Ransomware.  It removes all system restore points, locks the screen, but leaves the encryption key in the directory.  It affects many Microsoft Office document formats and other popular file types.

See LMNTRIX Labs for information on how to fix this form of Ransomware – https://lmntrix.com/Lab/Lab_info.php?id=112


Thanatos Decryption tool from Cisco Talos

Cisco Talos has released a decryption tool for files that have been encrypted with Thanatos ransomware. Tool can be downloaded from https://github.com/Cisco-Talos/ThanatosDecryptor


How to Block Bad Rabbit

Windows 10, 8 Start, Search Command Prompt, right click Command Prompt choose Run as Administrator
Type in notepad c:\windows\infpub.dat, when prompted file does not exist do you want to create say yes
Choose File, Save, File, Exit
Type in attrib +r c:\windows\infpub.dat
Type in notepad c:\windows\cscc.dat, when prompted file does not exist do you want to create say yes
Choose File, Save, File, Exit
Type in attrib +r c:\windows\cscc.dat
Type in exit

Windows 7, Vista choose Start, All Programs Accessories, right click Command Prompt choose Run as Administrator
Type in notepad c:\windows\infpub.dat, when prompted file does not exist do you want to create say yes
Choose File, Save, File, Exit
Type in attrib +r c:\windows\infpub.dat
Type in notepad c:\windows\cscc.dat, when prompted file does not exist do you want to create say yes
Choose File, Save, File, Exit
Type in attrib +r c:\windows\cscc.dat
Type in exit

Most antivirus and Malware tools are updated to detect the variants of Bad Rabbit Malware.  If your computer has the March 2017 Windows updates then you should be safe from this attack.


Fix for LambdaLocker (only newer versions)
See this page at No More Ransomware
https://www.nomoreransom.org/en/decryption-tools.html#LambdaLocker


BTCWare Ransomware Cleanup

Bitdefender has created a cleanup utility for systems with btcware, cryptobyte, onyon, xfile, cryptowin, theva, and master extensions.  You need to be sure if it is BTCWare, the Bitdefender detection tool at the top of the page can verify if this tool can help

See this page at Bitdefender
https://labs.bitdefender.com/2017/09/btcware-decryption-tool-now-available-for-free/


Fixes for older forms of Petya like Red, Green and Goldeneye
See this page at Malwarebytes:
https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/
How to determine version of Petya
https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/


How to block Petya or NonPeyta Randsomware
Windows 10, 8 Start, Search Command Prompt, right click Command Prompt choose Run as Administrator
Type in notepad c:\windows\perfc, when prompted file does not exist do you want to create say yes
Choose File, Save, File, Exit
Type in attrib +r c:\windows\perfc
Type in exit

Windows 7, Vista choose Start, All Programs Accessories, right click Command Prompt choose Run as Administrator
Type in notepad c:\windows\perfc, when prompted file does not exist do you want to create say yes
Choose File, Save, File, Exit
Type in attrib +r c:\windows\perfc
Type in exit


Fix for Nemucod Randsomware
Emisoft Nemucode Decryptor – https://decrypter.emsisoft.com/nemucodaes