Very simple listing of weblinks to decryptors of Ransomware.
Date: 10 December, 2020
Version: 2.8
Listing compiled by: Albert van der Sel
For whom: Private PC/Laptop users.
Status: this note will remain a working document. A lot needs to be added.
Please refresh the page to see any updates.
If you were attacked by ransomware, and you do not have data backups, there is a very small chance
of finding a "decryptor key". I have compiled a listing of public "weblinks" to
"decryptors" of ransomware, as made available by various manufacturers of AV software
and other organizations. See Table 1.
Sorry, it's just a very simple listing. In most cases, unfortunately, there will be no solution
found in this listing: It all depends on the "type" of encryption. But you can take a look anyway.
It might seem, maybe, a bit of a silly listing. Depends a bit on how you look at things, I guess....
But if you have good data backups, there is of course no need to search for keys.
Then you can simply forget this whole business. So.., what do you need to do???
The listings were created "by just Googling around for a bit". That's all there is to it, really.
So, it's really no big deal here. Other folks did the hard work. I only listed it below.
However, by now, I must say that I searched quite a bit ;-)
There is certainly no guarantee that I found the best links. I searched a lot, but it's very likely
I missed a good deal of them.
If you do not know which decryptor to use, a pointer may be the "extension" of the encrypted files,
like for example "bookkeeping.xls.xyzw", where the malware has extended the encrypted filename
with "xyzw". You can take a look at Table 2, for several listings of such extensions, which may help
in identifying the ransomware.
Please note that not all ransomware will append an additional extension to the filename.
In most cases, in the listings, instructions come with the decryptor.
It's probably best, to try the decryptor, first with one file only, and check the result.
In some cases, it might be so that the decryptor wants a pair of the unaffected file, with the
accompanying infected (encrypted) file. Often, it might be pretty hard to fulfill that requirement.
In all the weblinks below, there exists of course some overlap of decryptors for the same sort
of ransomware, that is, you might see the same in multiple webpages.
It's possible that the content of a certain webpage, mirrors that from another webpage.
This happens only very occasionally, and after my checks, not anymore in the listings.
I hope that the links are pretty "stable" (not fade away quickly), but you never know with weblinks.
I will, at least once a week, check their validity. And if new links are found, I will add them, of course.
No matter how large a listing becomes, it will be "messy", and for a user, it still will be
rather difficult to search through all that stuff. What is needed, is that a Central Trusted Authority,
collects all info, and maintains a simple website, with an input field, where the user simply
can enter some characteristic (extension, ransomware name etc.), and that it returns the location
of a decryptor. (Of course, unfortunately, most often the output will be: "not available".)
But, that Central Site will get better all the time. Such a Trusted site, would be tremendously valuable!
Everything nicely maintained at one spot, and with the best info possible.
On a limited scale (as it seems to me), we have "id-ransomware.malwarehunterteam.com", which may help,
but is not "global enough" (as it seems to me), and does not provide decryptors.
No..., as I found out at a later moment, "id-ransomware.malwarehunterteam.com" is quite a good site.
Sorry for downplaying it.
However, unfortunately, it's not the "global/universal" site, as I described above.
But otherwise, that site is Super. Again, sorry.
I found that "virustotal.com" and "id-ransomware.malwarehunterteam.com" are great, and advanced.
So, I was a bit dumb, but I already knew that. Bad thing is..., now you know it too ;-(
Of course, for any user, the main principles remain: Security, Awareness, and Backups.
Table 1: Listings of links to free decryptors:
Section 1. Listings to Decryptor "Collections" offering multiple decryptors (as found so far: 15):
Checked. Seems good (of course they are. They are all professionals).
Even if you have no interest in ransomware, it's good to check out the sites above.
Section 4. Sites offering a Specific Decryptor (for a specific malware) (as collected so far: 2).
It's only possible to create a listing for the Top 15-20 (or so) sorts of ransomware.
Of course, what belongs in the Top 15 varies with time. But I think I will maintain such a listing.
Still "playing" around in this section, to determine the best approach...
Several reports seem to suggest that, among others, we have:
--Current ones:
Maze, Ryuk, Revil, MaMoCrypt, Stop/Djvu, Tycoon, Netwalker/Mailto, Snake,
Sodinokibi, WastedLocker, DoppelPaymer, Nemty, Nefilim, and variants, are currently most important:
According to the literature, around 900 - 1000 or so variants exist in the wild.
Sometimes, a piece of ransomware that goes by a certain name, may have variants for which the decryptor
does not work. You must carefully inspect the website and the description.
Also, in some cases, there seems not to be a nice "instruction" on how to work with the decryptor.
So, this section differs a bit from section 1 above (where most sites delivered adequate instructions).
It can well be, that a decryptor listed below, is replaced by a decryptor found at the sites in section 1.
Decryptors as offered by section 1, if available, have preference above anything listed below.
Always crosscheck a certain decryptor below with other sites (you should "Google" a bit).
Always carefully read any info in the sites listed below. Possibly some decryptor does not apply
to your variant, and that would not be good.
Sorry for the hassle... This sort of science is not always very transparent.
=>2. Stop/Djvu/Puma:
Stop/djvu like puma, decryptor seems to have been replaced by Emsisoft version, see above section 1.
However other, older, variants exist as well. You might try the other sites below, for older variants.
--Possible decryptors at:
Unfortunately, too strong encryption. No decryptor seems to be available.
It seems impossible to decrypt any encrypted files, without the private key of the ransomware "authors" (criminals).
Table 3: Listings of (what I think might be) relevant scientific articles (as found so far: 1):
(could change quite a bit).
=> Art. 1:
Fast Performance counters, together with AI, could (in the microsecond range) determine if we have
benign software, or evil software (sort of): Ranstop (arxiv)
Nice article, but I wonder if it's really fast enough. Also, does such an approach beat simple things like
tight security, awareness, prohibiting elevation, backups?