Decrypt and Protect from Ransomware on Windows

The amount of Ransomware released in 2017 reached a new high. Below are steps to protect against the following forms of Ransomware, or to remove them and decrypt your files.

First, check the No More Ransomware website – https://www.nomoreransom.org

Ransomware Detection Tool
The Bitdefender Ransomware Recognition Tool will help find a tool to decrypt your data, if one exists, or will attempt to identify the form of Ransomware.


GandCrab Ransomware Cleanup

Bitdefender has released a cleanup utility for GandCrab versions 1, 4, and 5, and they are working on versions 2 and 3. The free utility automates the data decryption process. They also have a version of the utility for a specific Syrian version of GandCrab. The utility requires an active Internet connection to be able to decrypt the files.

See this page at Bitdefender
https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
Syrian version
https://labs.bitdefender.com/2018/10/bitdefender-gandcrab-decryptor-for-syrian-users-now-available/


LockCrypt Ransomware Cleanup

Bitdefender has developed a tool to decrypt 1btc files. lock, 2018, and mich files are not included in this tool's decryption.

See this page at Bitdefender
https://labs.bitdefender.com/2018/07/lockcrypt-ransomware-decryption-tool/


Annabelle Ransomware Cleanup

Bitdefender has a tool that cleans up the Master Boot Record and deletes registry keys designed to reactivate the Ransomware, and a tool that will attempt to decrypt the files.

See this page at Bitdefender
https://labs.bitdefender.com/2018/03/annabelle-ransomware-decryption-tool/


Shrug Ransomware Cleanup

Around July 6, 2018 a new form of Ransomware called Shrug was found, named after the ASCII text art of someone shrugging. It seems to be a drive-by kind of Ransomware. It removes all system restore points and locks the screen, but leaves the encryption key in the directory. It affects many Microsoft Office document formats and other popular file types.

See LMNTRIX Labs for information on how to fix this form of Ransomware – https://lmntrix.com/Lab/Lab_info.php?id=112


Thanatos Decryption tool from Cisco Talos

Cisco Talos has released a decryption tool for files that have been encrypted with Thanatos ransomware. The tool can be downloaded from https://github.com/Cisco-Talos/ThanatosDecryptor


How to Block Bad Rabbit

Windows 10, 8: choose Start, search for Command Prompt, right-click Command Prompt and choose Run as Administrator
Type in notepad c:\windows\infpub.dat; when prompted that the file does not exist and asked whether you want to create it, say yes
Choose File, Save, File, Exit
Type in attrib +r c:\windows\infpub.dat
Type in notepad c:\windows\cscc.dat; when prompted that the file does not exist and asked whether you want to create it, say yes
Choose File, Save, File, Exit
Type in attrib +r c:\windows\cscc.dat
Type in exit

Windows 7, Vista: choose Start, All Programs, Accessories, right-click Command Prompt and choose Run as Administrator
Type in notepad c:\windows\infpub.dat; when prompted that the file does not exist and asked whether you want to create it, say yes
Choose File, Save, File, Exit
Type in attrib +r c:\windows\infpub.dat
Type in notepad c:\windows\cscc.dat; when prompted that the file does not exist and asked whether you want to create it, say yes
Choose File, Save, File, Exit
Type in attrib +r c:\windows\cscc.dat
Type in exit

Most antivirus and Malware tools are updated to detect the variants of Bad Rabbit Malware.  If your computer has the March 2017 Windows updates then you should be safe from this attack.


Fix for LambdaLocker (only newer versions)
See this page at No More Ransomware
https://www.nomoreransom.org/en/decryption-tools.html#LambdaLocker


BTCWare Ransomware Cleanup

Bitdefender has created a cleanup utility for systems with btcware, cryptobyte, onyon, xfile, cryptowin, theva, and master extensions. You need to be sure that it is BTCWare; the Bitdefender detection tool at the top of the page can verify whether this tool can help.

See this page at Bitdefender
https://labs.bitdefender.com/2017/09/btcware-decryption-tool-now-available-for-free/


Fixes for older forms of Petya like Red, Green and Goldeneye
See this page at Malwarebytes:
https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/
How to determine the version of Petya
https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/


How to Block Petya or NotPetya Ransomware
Windows 10, 8: choose Start, search for Command Prompt, right-click Command Prompt and choose Run as Administrator
Type in notepad c:\windows\perfc; when prompted that the file does not exist and asked whether you want to create it, say yes
Choose File, Save, File, Exit
Type in attrib +r c:\windows\perfc
Type in exit

Windows 7, Vista: choose Start, All Programs, Accessories, right-click Command Prompt and choose Run as Administrator
Type in notepad c:\windows\perfc; when prompted that the file does not exist and asked whether you want to create it, say yes
Choose File, Save, File, Exit
Type in attrib +r c:\windows\perfc
Type in exit
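
The manual steps for Bad Rabbit and for Petya above can also be scripted. The PowerShell below is an added example, not from the original page or from any vendor; it creates the same three files read-only from an elevated prompt and reports the result. The helper names and the choice to leave anything other than an empty file untouched and mark it for review are assumptions of this example.

```powershell
# Added example (not from the original page). File paths are the ones the
# page lists; Test-IsAdministrator and Set-VaccineFile are hypothetical names.
$VaccineFiles = @(
    'C:\Windows\infpub.dat',   # Bad Rabbit
    'C:\Windows\cscc.dat',     # Bad Rabbit
    'C:\Windows\perfc'         # Petya / NotPetya
)

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-VaccineFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    $status = 'AlreadyPresent'
    if (-not (Test-Path -LiteralPath $Path)) {
        # Same effect as saving an empty file from Notepad.
        New-Item -ItemType File -Path $Path -ErrorAction Stop | Out-Null
        $status = 'Created'
    }

    $item = Get-Item -LiteralPath $Path -Force
    if ($item.PSIsContainer -or $item.Length -gt 0) {
        # Assumption of this example: anything other than an empty file at
        # this path is left untouched so it can be reviewed first.
        $status = 'NeedsReview'
    }
    else {
        # Equivalent of: attrib +r <path>
        $item.IsReadOnly = $true
    }

    # Re-read the item so the report reflects what is actually on disk.
    $item = Get-Item -LiteralPath $Path -Force
    New-Object PSObject -Property @{
        Path     = $Path
        Status   = $status
        ReadOnly = [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
    }
}

if (-not (Test-IsAdministrator)) {
    throw 'Run this from an elevated PowerShell prompt (Run as Administrator).'
}
$VaccineFiles | ForEach-Object { Set-VaccineFile -Path $_ } |
    Format-Table Path, Status, ReadOnly -AutoSize
```

Running it a second time changes nothing: empty files that already exist are reported as AlreadyPresent with ReadOnly set to True.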


Fix for Nemucod Ransomware
Emsisoft Nemucod Decryptor – https://decrypter.emsisoft.com/nemucodaes