Decrypt and Protect from Ransomware on Windows and Mac
The amount of Ransomware released in 2017 has reached a new high. Below are steps to protect against the following forms of Ransomware, or to remove them and decrypt your files.
First, check the No More Ransomware website – https://www.nomoreransom.org
Emsisoft has a large number of tools to decrypt a variety of Ransomware. See https://www.emsisoft.com/ransomware-decryption-tools/free-download
Ransomware Detection Tool
The Bitdefender Ransomware Recognition Tool will help find a tool to decrypt your data if one exists, or will attempt to identify the form of Ransomware.
ThiefQuest – Mac Ransomware Cleanup
SentinelOne has released a decryption tool for ThiefQuest/EvilQuest.
See this page at SentinelOne
https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/
Hakbit Ransomware Cleanup
Emsisoft has released a decryption tool for Hakbit Ransomware.
See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/hakbit
STOP Ransomware Cleanup
Emsisoft has released a decryption tool for 148 of the 160 variants of STOP Ransomware.
See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
STOP Puma Ransomware Cleanup
Emsisoft has released a decryption tool for the STOP Puma Ransomware variant.
See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/stop-puma
Muhstik Ransomware Cleanup
Emsisoft has released a decryption tool for Muhstik Ransomware. Files encrypted with it have .muhstik added as their extension to the filename.
See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/muhstik
HildaCrypt Ransomware Cleanup
Emsisoft has released a decryption tool for HildaCrypt Ransomware. Files encrypted with it have .HCY! or .mike as their extension.
See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/hildacrypt
GalactiCrypter Ransomware Cleanup
Emsisoft has released a decryption tool for GalactiCrypter Ransomware. Files encrypted with it have ENCx45cR prepended to the filename.
See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/galacticrypter
Avest Ransomware Cleanup
Emsisoft has released a decryption tool for Avest Ransomware. Files encrypted with it have the extension .ckey().email().pack14 added to the filename.
See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/avest
WannaCryFake Ransomware Cleanup
Emsisoft has released a decryption tool for WannaCryFake Ransomware. Files encrypted with it have the extension .WannaCry.
See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/wannacryfake
Syrk Ransomware Cleanup
Emsisoft has released a decryption tool for Syrk Ransomware. Files encrypted with it have the extension .Syrk.
See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/syrk
JSWorm 4.0 Ransomware Cleanup
Emsisoft has released a decryption tool for JSWorm 4.0 Ransomware. Files encrypted with it have the extension JSWRM along with an ID # added to the end of the filename.
See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/jsworm-40
LooCipher Ransomware Cleanup
Emsisoft has released a decryption tool for LooCipher Ransomware. Files encrypted with it have the extension .lcphr.
See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/loocipher
Ims00rry Ransomware Cleanup
Emsisoft has released a decryption tool for Ims00rry Ransomware. Encrypted files have —shlangan AES-256— added to the beginning of the file.
See this page at Emsisoft
https://www.emsisoft.com/ransomware-decryption-tools/ims00rry
GandCrab Ransomware Cleanup
Bitdefender has released a cleanup utility for GandCrab versions 1, 4, and 5, and they are working on versions 2 and 3. The free utility will automate the data decryption process. They also have a version of the utility that fixes a specific Syrian version of GandCrab. The utility requires an active Internet connection to be able to decrypt the files.
See this page at Bitdefender
https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
Syrian version
https://labs.bitdefender.com/2018/10/bitdefender-gandcrab-decryptor-for-syrian-users-now-available/
LockCrypt Ransomware Cleanup
Bitdefender has developed a tool to decrypt 1btc files. The lock, 2018, and mich files are not included in this tool's decryption.
See this page at Bitdefender
https://labs.bitdefender.com/2018/07/lockcrypt-ransomware-decryption-tool/
Annabelle Ransomware Cleanup
Bitdefender has a tool that cleans up the Master Boot Record, deletes registry keys designed to reactivate the Ransomware, and a tool that will attempt to decrypt the files.
See this page at Bitdefender
https://labs.bitdefender.com/2018/03/annabelle-ransomware-decryption-tool/
Shrug Ransomware Cleanup
Around July 6, 2018, a new form of Ransomware called Shrug was found, named after the ASCII text art of someone shrugging. It seems to be a drive-by kind of Ransomware. It removes all system restore points and locks the screen, but leaves the encryption key in the directory. It affects many Microsoft Office document formats and other popular file types.
See LMNTRIX Labs for information on how to fix this form of Ransomware – https://lmntrix.com/Lab/Lab_info.php?id=112
Thanatos Decryption tool from Cisco Talos
Cisco Talos has released a decryption tool for files that have been encrypted with Thanatos ransomware. The tool can be downloaded from https://github.com/Cisco-Talos/ThanatosDecryptor
How to Block Bad Rabbit
Windows 10, 8: choose Start, search for Command Prompt, right-click Command Prompt and choose Run as Administrator
Type in notepad c:\windows\infpub.dat and, when prompted that the file does not exist and asked whether to create it, say yes
Choose File, Save, then File, Exit
Type in attrib +r c:\windows\infpub.dat
Type in notepad c:\windows\cscc.dat and, when prompted that the file does not exist and asked whether to create it, say yes
Choose File, Save, then File, Exit
Type in attrib +r c:\windows\cscc.dat
Type in exit
Windows 7, Vista: choose Start, All Programs, Accessories, right-click Command Prompt and choose Run as Administrator
Type in notepad c:\windows\infpub.dat and, when prompted that the file does not exist and asked whether to create it, say yes
Choose File, Save, then File, Exit
Type in attrib +r c:\windows\infpub.dat
Type in notepad c:\windows\cscc.dat and, when prompted that the file does not exist and asked whether to create it, say yes
Choose File, Save, then File, Exit
Type in attrib +r c:\windows\cscc.dat
Type in exit
Most antivirus and Malware tools are updated to detect the variants of Bad Rabbit Malware. If your computer has the March 2017 Windows updates then you should be safe from this attack.
Fix for LambdaLocker (only newer versions)
See this page at No More Ransomware
https://www.nomoreransom.org/en/decryption-tools.html#LambdaLocker
BTCWare Ransomware Cleanup
Bitdefender has created a cleanup utility for systems with btcware, cryptobyte, onyon, xfile, cryptowin, theva, and master extensions. You need to be sure that it is BTCWare; the Bitdefender detection tool at the top of the page can verify whether this tool can help.
See this page at Bitdefender
https://labs.bitdefender.com/2017/09/btcware-decryption-tool-now-available-for-free/
Fixes for older forms of Petya like Red, Green and Goldeneye
See this page at Malwarebytes:
https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/
How to determine version of Petya
https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/
How to block Petya or NotPetya Ransomware
Windows 10, 8: choose Start, search for Command Prompt, right-click Command Prompt and choose Run as Administrator
Type in notepad c:\windows\perfc and, when prompted that the file does not exist and asked whether to create it, say yes
Choose File, Save, then File, Exit
Type in attrib +r c:\windows\perfc
Type in exit
Windows 7, Vista: choose Start, All Programs, Accessories, right-click Command Prompt and choose Run as Administrator
Type in notepad c:\windows\perfc and, when prompted that the file does not exist and asked whether to create it, say yes
Choose File, Save, then File, Exit
Type in attrib +r c:\windows\perfc
Type in exit
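The Bad Rabbit and Petya blocking steps above, combined into one script as an added example (not part of the original page or any vendor's tool). It assumes an elevated PowerShell session; the function name Set-VaccineFile and the status strings are made up for illustration, and the three paths are the ones given on this page.

```powershell
#Requires -RunAsAdministrator
# Added example: automates the "create an empty file, then attrib +r" steps.
# Paths are the ones listed on this page.
$VaccineFiles = @(
    'C:\Windows\infpub.dat',   # Bad Rabbit
    'C:\Windows\cscc.dat',     # Bad Rabbit
    'C:\Windows\perfc'         # Petya / NotPetya
)

function Set-VaccineFile {
    # Hypothetical helper name, chosen for this example.
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue

    if ($item -and ($item.PSIsContainer -or $item.Length -gt 0)) {
        # A directory or a non-empty file at this path was not made by this
        # procedure. Leave it untouched so it can be examined first.
        return [pscustomobject]@{ Path = $Path; Status = 'ExistingItem-NotTouched' }
    }

    if (-not $item) {
        # Same result as saving an empty document from Notepad.
        $item = New-Item -ItemType File -Path $Path -ErrorAction Stop
    }

    # Equivalent of: attrib +r <path>
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly
    $item.Refresh()
    $readOnly = [bool]($item.Attributes -band [System.IO.FileAttributes]::ReadOnly)

    return [pscustomobject]@{
        Path   = $Path
        Status = if ($readOnly) { 'ReadOnlyPlaceholderInPlace' } else { 'FailedToSetReadOnly' }
    }
}

# Safe to run repeatedly: existing empty placeholders are only re-marked read-only.
$VaccineFiles | ForEach-Object { Set-VaccineFile -Path $_ } | Format-Table -AutoSize
```

A path reported as ExistingItem-NotTouched on a machine where these steps were never run is worth a scan with the antivirus tools mentioned above before anything is changed.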
Fix for Nemucod Ransomware
Emsisoft Nemucod Decryptor – https://decrypter.emsisoft.com/nemucodaes