Very simple listing of weblinks to decryptors of ransomware.

Date: 10 December, 2020
Version: 2.8
Listing compiled by: Albert van der Sel
For whom: private PC/laptop users.
Status: this note will remain a working document. A lot needs to be added.

Please refresh the page to see any updates.



When you have been hit by ransomware and have no data backups, there is only a small chance
that a free decryptor exists for your variant. I have compiled a listing of public "weblinks" to
"decryptors" of ransomware, as made available by various manufacturers of AV software
and other organizations. See Table 1.

Sorry, it's just a very simple listing. In most cases, unfortunately, no solution will be
found in this listing: it all depends on how the encryption was implemented. A free decryptor
only exists where the authors made a mistake (weak key generation, keys left behind on the system,
a reused master key) or where the keys were seized or published. But take a look anyway.

It might seem, maybe, a bit of a silly listing. Depends a bit on how you look at things, I guess....

But if you have good data backups, there is of course no need to search for decryptors.
Then you can simply forget this whole business. So, what do you need to do?



Table 1: Listings of links to free decryptors:

Section 1. Listings to decryptor "collections" offering multiple decryptors (as found so far: 15):
Checked. Seems good (of course they are. They are all professionals).

emsisoft.com
nomoreransom.org
watchpointdata.com
avast.com
kaspersky.com
heimdalsecurity.com
Blog from heimdalsecurity
thewindowsclub.com
trendmicro.com
How to Use McAfee Ransomware Recover
McAfee Ransomware Recover
repairwin.com
avg.com
10 Decryptor tools (techviral.net)
quickheal.com

Section 2. Possible decryption which requires that the system was NOT rebooted (as found so far: 1):

This only works while the key material is still in memory: the approach for WannaCry discussed in the
blog below recovers the key from the still-running malware process, so a reboot (or killing the process)
destroys that chance.
There are a few successes here and there, but in general, I am afraid, it is all wishful thinking...
Blog Malwarebytes discussing options for WannaCry.

Section 3. Sites which may help in identification of ransomware, plus possibly further help (as found so far: 2):

id-ransomware.malwarehunterteam.com
virustotal.com (check files, URLs)

Even if you have no interest in ransomware, it's good to check out the sites above.

Section 4. Sites offering a specific decryptor (for a specific malware family) (families listed so far: 5).
It's only possible to create a listing for the Top 15-20 (or so) sorts of ransomware.

Of course, what belongs in the Top 15 varies with time. But I think I will maintain such a listing.
Still "playing" around in this section, to determine the best approach...
Several reports seem to suggest that, among others, we have:

--Current ones:
Maze, Ryuk, REvil (also called Sodinokibi), MaMoCrypt, Stop/Djvu, Tycoon, Netwalker/Mailto, Snake (Ekans),
WastedLocker, DoppelPaymer, Nemty, Nefilim, and variants, are currently the most important.

--Older ones:
WannaCry, TeslaCrypt, SimpleLocker, Petya, Bad Rabbit, etc. (around 2016-2019); Ryuk dates from 2018 but is still active.

According to the literature, around 900-1000 or so variants exist in the wild.

  • Sometimes, a piece of ransomware that goes by a certain name has variants for which the decryptor
    does not work. You must carefully inspect the website and the description.
  • Also, in some cases there seems to be no proper "instruction" on how to work with the decryptor.
    So, this section differs a bit from Section 1 above (where most sites delivered adequate instructions).
  • It may well be that a decryptor listed below has been replaced by a decryptor found at the sites in Section 1.
    Decryptors as offered by Section 1, if available, have preference above anything listed below.
  • Always cross-check a certain decryptor below with other sites (you should "Google" a bit).
  • Always carefully read any info on the sites listed below. Possibly some decryptor does not apply
    to your variant, and running the wrong decryptor can damage the files further: always work on copies
    of the encrypted files.

Sorry for the hassle... This sort of science is not always very transparent.

Top 20: only just started.

=>1. MaMoCrypt:
--Possible decryptors at:
bitdefender.com - against "MaMoCrypt" (1)
securityboulevard.com - against "MaMoCrypt" (2)

=>2. Stop/Djvu/Puma:
The Stop/Djvu (including Puma) decryptor seems to have been replaced by the Emsisoft version; see Section 1 above.
Note that it can only recover files for which it knows the key (typically variants that used an "offline" key);
files encrypted with a unique online key cannot be decrypted by it.
However, other, older, variants exist as well. You might try the other sites below for older variants.

--Good info on Stop/djvu:
Info Stop/djvu

--Possible decryptors at:
emsisoft.com - against "Stop" (1)
majorgeeks.com - against "Stop" (2)
filehorse.com - against "Stop" (3)

=>3. Redrum / (older?) Tycoon variant:

--Good info on Tycoon:
blackberry.com

--Possible decryptors at:
emsisoft.com - against "Redrum/Tycoon" (1)

=>4. Netwalker/Mailto:

--Good info on:
trustwave.com

--Possible decryptors at:
Unfortunately, no decryptor seems to be available: the encryption is too strong (correctly implemented).
It seems impossible to decrypt any encrypted file without the private key of the ransomware "authors" (criminals).

=>5. Snake / Ekans:

--Good Info on:
vmware.com
sophos.com
gbhackers.com

--Possible decryptors at:
Unfortunately, no decryptor seems to be available: the encryption is too strong.
It's a mix of symmetric and asymmetric encryption: the files are encrypted with symmetric keys, which are
in turn encrypted with the attackers' public key, so only their private key can unwrap them.
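
To make the Netwalker and Snake remarks concrete, here is an added toy example of that hybrid scheme
(written for this note, not code from the note, from the linked sites, or from any ransomware family):
a random symmetric key per file, wrapped with the attackers' public key. It assumes a small textbook RSA
key and an HMAC-SHA256 keystream in place of AES (constructed stand-ins, so it runs on the Python standard
library alone); all function and variable names are the example's own.

```python
"""Toy hybrid encryption in the style described above: a fresh symmetric key per
file, wrapped with the attackers' public key.

Added illustration only; NOT code from this note or from any ransomware family.
Assumptions, all constructed for the example:
  - textbook RSA with a 512-bit toy key and no padding (generated here with
    Miller-Rabin) stands in for the attackers' real RSA key;
  - a keystream from HMAC-SHA256 in counter mode stands in for AES, so the
    example runs on the Python standard library alone (3.8+ for pow(e, -1, m)).
What it shows: a "decryptor tool" holds the ciphertext and the PUBLIC key, and
with those a candidate file key can only be checked, never derived.
"""
import hashlib
import hmac
import os
import random

_rng = random.SystemRandom()

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True

def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Return ((e, n), (d, n)); the attackers generate this and keep d to themselves."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_wrap(public_key, file_key):
    """Textbook RSA encryption of the 32-byte file key (256 bits, so it fits under n)."""
    e, n = public_key
    return pow(int.from_bytes(file_key, "big"), e, n)

def rsa_unwrap(private_key, wrapped):
    d, n = private_key
    return pow(wrapped, d, n).to_bytes(32, "big")

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, standing in for AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def sym_crypt(key, nonce, data):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def encrypt_file(public_key, plaintext):
    """What the malware does on the victim's machine; it needs only the public key.
    The file key exists in the process's memory only while this runs, which is
    the window that the "system not rebooted" cases in Section 2 depend on."""
    file_key, nonce = os.urandom(32), os.urandom(16)
    return {"nonce": nonce,
            "wrapped_key": rsa_wrap(public_key, file_key),
            "ciphertext": sym_crypt(file_key, nonce, plaintext)}

def decrypt_file(private_key, blob):
    """What only the holder of the private key can do."""
    file_key = rsa_unwrap(private_key, blob["wrapped_key"])
    return sym_crypt(file_key, blob["nonce"], blob["ciphertext"])

def public_key_lets_you_verify_only(public_key, blob, candidate_key):
    """All the public key gives a decryptor tool: confirm or reject one guessed
    file key. There are 2**256 guesses, so this is no way to recover files."""
    return rsa_wrap(public_key, candidate_key) == blob["wrapped_key"]

if __name__ == "__main__":
    pub, priv = rsa_keygen()
    blob = encrypt_file(pub, b"constructed sample document")
    print("private-key holder decrypts:", decrypt_file(priv, blob))
    print("zero key accepted by public-key check?", public_key_lets_you_verify_only(pub, blob, bytes(32)))
```

Run it and only the private-key holder gets the plaintext back; everyone else, a decryptor tool included,
can do no more than test a guessed key against the wrapped key. That is why Sections 1 and 4 have nothing to
list for correctly implemented families, and why the "do not reboot" cases of Section 2 matter at all: the
file key is only recoverable while it still sits in the malware's memory.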


Table 2: Listings of weblinks to ransomware file extensions (as found so far: 4):

Not all ransomware appends a specific extension to the names of encrypted files, but most do, and that
extension (together with the ransom note) is usually the quickest clue to the family.

->These seem to be OK:
from "techviral.net"
from "avepointcdn.azureedge.net"
from "ransomware.zuckerscharff.com"
from "malwareid.nl"
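
An added helper (not code from this note, from the Table 2 sites, or from ID Ransomware) that does the
first step of Section 3 and Table 2 offline: walk a suspect directory, count file extensions, flag the
ones appended behind an existing extension (the pattern most families leave, e.g. report.docx.djvu),
find candidate ransom notes and hash them for a VirusTotal lookup. The KNOWN_EXTENSIONS table, the
name and wording patterns, and the sample tree it builds are constructed illustrations, not a database.

```python
"""Inventory a file tree to help identify which ransomware family hit it,
before searching Table 1 for a decryptor.

Added example; this is not code from this note or from any site it links.
It tallies file extensions, flags extensions that were appended behind an
existing one (report.docx.djvu), finds candidate ransom notes and records
their SHA-256 for a VirusTotal search. KNOWN_EXTENSIONS and the ransom-note
patterns are a constructed illustration, not a database: the real lookups are
the extension lists in Table 2 and ID Ransomware in Section 3.
"""
import collections
import hashlib
import os
import re
import tempfile

# Constructed illustration; extend it from the Table 2 lists.
KNOWN_EXTENSIONS = {
    ".djvu": "Stop/Djvu",
    ".puma": "Stop/Djvu (Puma variant)",
    ".wncry": "WannaCry",
    ".ryk": "Ryuk",
}
NOTE_NAME_RE = re.compile(r"read.?me|how.?to.?(decrypt|restore)|decrypt|restore", re.I)
NOTE_TEXT_RE = re.compile(r"decrypt|bitcoin|\.onion|private key|ransom", re.I)
MAX_NOTE_BYTES = 64 * 1024

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def looks_like_ransom_note(path):
    """Small file with a telltale name AND ransom wording inside."""
    name = os.path.basename(path)
    if not NOTE_NAME_RE.search(name) or os.path.getsize(path) > MAX_NOTE_BYTES:
        return False
    with open(path, "rb") as f:
        return bool(NOTE_TEXT_RE.search(f.read().decode("utf-8", "replace")))

def inventory(root):
    extensions = collections.Counter()  # last extension of every file
    appended = collections.Counter()    # last extension where another one precedes it
    notes = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            parts = name.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            extensions[ext] += 1
            if len(parts) > 2 and parts[-2]:
                appended[ext] += 1
            if looks_like_ransom_note(path):
                notes.append({"path": path, "sha256": sha256_file(path)})
    guesses = {ext: KNOWN_EXTENSIONS[ext] for ext in appended if ext in KNOWN_EXTENSIONS}
    return {"extensions": extensions, "appended": appended,
            "notes": notes, "family_guess": guesses}

def build_sample_tree():
    """Constructed sample tree (not real malware output) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="rw_sample_")
    os.makedirs(os.path.join(root, "Documents"))
    files = {
        "Documents/report.docx.djvu": os.urandom(256),
        "Documents/photo.jpg.djvu": os.urandom(256),
        "Documents/untouched.txt": b"a plain text file that was not encrypted\n",
        "_readme.txt": b"ATTENTION! Your files are encrypted. To decrypt them, pay in Bitcoin.\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    result = inventory(build_sample_tree())
    for ext, count in result["appended"].most_common():
        family = result["family_guess"].get(ext, "unknown, look it up in Table 2")
        print(f"appended extension {ext}: {count} files -> {family}")
    for note in result["notes"]:
        print("candidate ransom note:", note["path"], note["sha256"])
```

Point it at the affected directory instead of the sample tree; the appended extension and the note are
what ID Ransomware (Section 3) asks for, and the hash lets you search VirusTotal without uploading anything.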


Table 3: Listings of (what I think might be) relevant scientific articles (as found so far: 2):
(could change quite a bit).

=> Art. 1:

Hardware performance counters, fed to a machine-learning classifier, could (in the microsecond range) determine
whether we have benign software or evil software (roughly speaking):
Ranstop (arxiv)

Nice article, but I wonder if it's really fast enough. Also, does such an approach beat simple things like
tight security, awareness, prohibiting elevation, backups?

=> Art. 2:

The following article is nice, primarily because it also discusses newer methods (at the end, e.g. "ShieldFS"),
which might be interesting.
Ransomware in Windows and Android Platforms (arxiv)


This note must be better, in format and in quality.
I hear you say: "It should be an up to date database, and not a silly listing...". That's right.



EOF