Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Downloading and Using the Trend Micro Ransomware File Decryptor

    • Updated:
    • 19 Apr 2018
    • Product/Version:
    • Antivirus+ Security 2016.All
    • Antivirus+ Security 2017.All
    • Internet Security 2016.All
    • Internet Security 2017.All
    • Maximum Security 2016.All
    • Maximum Security 2017.All
    • OfficeScan 10.6
    • OfficeScan 11.0
    • Premium Security 2016.All
    • Premium Security 2017.All
    • Worry-Free Business Security Services 3.7
    • Worry-Free Business Security Services 5.7
    • Worry-Free Business Security Services 5.8
    • Worry-Free Business Security Services 6.1
    • Worry-Free Business Security Services 6.2
    • Worry-Free Business Security Services 6.3
    • Worry-Free Business Security Standard/Advanced 7.0
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform:
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 2003 Datacenter 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Server R2
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 Datacenter
    • Windows 2008 Datacenter 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server Core
    • Windows 2008 Server R2 Enterprise
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 2008 Web Server Edition
    • Windows 2008 Web Server Edition 64-bit
    • Windows 2012 Datacenter R2
    • Windows 2012 Enterprise
    • Windows 2012 Enterprise R2
    • Windows 2012 Server Essential R2
    • Windows 2012 Server Essentials
    • Windows 2012 Standard
    • Windows 2012 Standard R2
    • Windows 2012 Web Server Edition
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows 8 32-bit
    • Windows 8 64-bit
Summary
 
As of May 21, 2017, limited decryption support for the WannaCry (WCRY) Ransomware has been added to this tool (primarily for Windows XP). Please read the notes and limitations below for more information.

This guide provides the instructions and location for downloading and using the latest Trend Micro Ransomware File Decryptor tool to attempt to decrypt files encrypted by certain ransomware families.

As an important reminder, the best protection against ransomware is preventing it from ever reaching your system.  While Trend Micro is constantly working to update our tools, ransomware writers are also constantly changing their methods and tactics, which can make previous versions of tools such as this one obsolete over time.

Customers are strongly encouraged to continue practicing safe security habits:

  1. Make sure you have regular offline or cloud backups of your most important and critical data.
  2. Ensure that you are always applying the latest critical updates and patches to your system OS and other key software (e.g. browsers).
  3. Install the latest versions of and apply best practice configurations of security solutions such as Trend Micro to provide mutli-layered security.

Trend Micro customers are encouraged to visit the following sites for more information on ransomware and prevention best practices:

Consumer (Home) customers may visit the following site: Consumer (Home) Customers' Guide on Ransomware: Introduction, Prevention and Trend Micro Security Solutions

Corporate (Business) customers may find additional information and guides here:  Corporate (Business) Customers' Guide on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products

 
Learn how your Trend Micro Consumer (Home) product protects you against the latest WCRY (WannaCry) Ransomware Attack. Click here.
Details
Public

Supported Ransomware Families

The following list describes the known ransomware-encrypted files types can be handled by the latest version of the tool.

RansomwareFile name and extension
CryptXXX V1, V2, V3*{original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters
CryptXXX V4, V5{MD5 Hash}.5 hexadecimal characters
TeslaCrypt V1**{original file name}.ECC
TeslaCrypt V2**{original file name}.VVV, CCC, ZZZ, AAA, ABC, XYZ
TeslaCrypt V3{original file name}.XXX or TTT or MP3 or MICRO
TeslaCrypt V4File name and extension are unchanged
SNSLocker{Original file name}.RSNSLocked
AutoLocky{Original file name}.locky
BadBlock{Original file name}
777{Original file name}.777
XORIST{Original file name}.xorist or random extension
XORBAT{Original file name}.crypted
CERBER V1{10 random characters}.cerber
Stampado{Original file name}.locked
Nemucod{Original file name}.crypted
Chimera{Original file name}.crypt
LECHIFFRE{Original file name}.LeChiffre
MirCopLock.{Original file name}
Jigsaw{Original file name}.random extension
Globe/PurgeV1: {Original file name}.purge
V2: {Original file name}.{email address + random characters}
V3: Extension not fixed or file name encrypted
DXXDV1: {Original file name}.{Original extension}dxxd
Teamxrat/XpanV2: {Original filename}.__xratteamLucked
Crysis.{id}.{email address}.xtbl, .{id}.{email address}.crypt, .{id}.{email addres}.dharma, .{id}.{email address}.wallet
TeleCrypt{Original file name}
DemoTool.demoadc
WannaCry (WCRY){Original file name}.WNCRY, {Original file name}.WCRY
PetyaN/A
 

* - CryptXXX V3 decryption may not recover the entire file (partial data decryption). Please see the section titled Important Note about Decrypting CryptXXX V3 below.

** - Users will need to contact Trend Micro technical Support to request the separate tool TeslacryptDecryptor 1.0.xxxx MUI for TeslaCrypt V1 and V2 files. Both tools support V3 and V4. 

Obtaining and Executing the Tool(s)

  1. Click the Download button below to obtain the latest version of the Trend Micro Ransomware File Decryptor tool. Decompress (unzip) and then launch the included RansomwareFileDecryptor exe file.

    Download RansomwareFileDecryptor

  2. Upon launch, users will be required to accept the End User License Agreement (EULA) to proceed.
  3. After accepting the EULA, the tool will proceed to the main user interface (UI). From here, users will be presented with a step-by-step guide to perform the file decryption.

    Anti-Ransomware

Detailed Steps
Important Note about Decrypting CryptXXX V3
Decrypting BadBlock
CERBER Decryption Limitations
Globe/Purge Decryption Limitations
WannaCry (WCRY) Decryption Limitations
Petya Decryption Key
Obtaining Tool Logs
Send User Feedback
Video How-to
Notes and Limitations
File Verification and Checksums
Premium
Internal
Rating:
Category:
Troubleshoot
Solution Id:
1114221
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.