This guide provides the instructions and location for downloading and using the latest Trend Micro Ransomware File Decryptor tool to attempt to decrypt files encrypted by certain ransomware families.
As an important reminder, the best protection against ransomware is preventing it from ever reaching your system. While Trend Micro is constantly working to update our tools, ransomware writers are also constantly changing their methods and tactics, which can make previous versions of tools such as this one obsolete over time.
Customers are strongly encouraged to continue practicing safe security habits:
- Make sure you have regular offline or cloud backups of your most important and critical data.
- Ensure that you are always applying the latest critical updates and patches to your system OS and other key software (e.g. browsers).
- Install the latest versions of security solutions such as Trend Micro, and apply best-practice configurations, to provide multi-layered security.
Trend Micro customers are encouraged to visit the following sites for more information on ransomware and prevention best practices:
Consumer (Home) customers may visit the following site: Consumer (Home) Customers' Guide on Ransomware: Introduction, Prevention and Trend Micro Security Solutions
Corporate (Business) customers may find additional information and guides here: Corporate (Business) Customers' Guide on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products
Supported Ransomware Families
The following list describes the known ransomware-encrypted file types that can be handled by the latest version of the tool.
Ransomware | File name and extension |
---|---|
CryptXXX V1, V2, V3* | {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters |
CryptXXX V4, V5 | {MD5 Hash}.5 hexadecimal characters |
TeslaCrypt V1** | {original file name}.ECC |
TeslaCrypt V2** | {original file name}.VVV, CCC, ZZZ, AAA, ABC, XYZ |
TeslaCrypt V3 | {original file name}.XXX or TTT or MP3 or MICRO |
TeslaCrypt V4 | File name and extension are unchanged |
SNSLocker | {Original file name}.RSNSLocked |
AutoLocky | {Original file name}.locky |
BadBlock | {Original file name} |
777 | {Original file name}.777 |
XORIST | {Original file name}.xorist or random extension |
XORBAT | {Original file name}.crypted |
CERBER V1 | {10 random characters}.cerber |
Stampado | {Original file name}.locked |
Nemucod | {Original file name}.crypted |
Chimera | {Original file name}.crypt |
LECHIFFRE | {Original file name}.LeChiffre |
MirCop | Lock.{Original file name} |
Jigsaw | {Original file name}.random extension |
Globe/Purge | V1: {Original file name}.purge; V2: {Original file name}.{email address + random characters}; V3: Extension not fixed or file name encrypted |
DXXD | V1: {Original file name}.{Original extension}dxxd |
Teamxrat/Xpan | V2: {Original filename}.__xratteamLucked |
Crysis | .{id}.{email address}.xtbl, .{id}.{email address}.crypt, .{id}.{email address}.dharma, .{id}.{email address}.wallet |
TeleCrypt | {Original file name} |
DemoTool | .demoadc |
WannaCry (WCRY) | {Original file name}.WNCRY, {Original file name}.WCRY |
Petya | N/A |
* - CryptXXX V3 decryption may not recover the entire file (partial data decryption). Please see the section titled Important Note about Decrypting CryptXXX V3 below.
** - Users will need to contact Trend Micro Technical Support to request the separate tool TeslacryptDecryptor 1.0.xxxx MUI for TeslaCrypt V1 and V2 files. Both tools support V3 and V4.
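The following Python example is added here for illustration and is not Trend Micro code or part of the tool: it matches file names against the naming patterns in the table above and lists every supported family a name is consistent with. The function names, the case-insensitive matching, the assumption that an email address contains "@", and the sample paths are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# (family, regex over the bare file name), transcribed from the table above. Rows with an unchanged
# name or random extension (TeslaCrypt V4, BadBlock, TeleCrypt, Jigsaw, Globe/Purge V2-V3, Petya) are omitted.
SIGNATURES = [
    ("CryptXXX V4, V5", r"^[0-9a-f]{32}\.[0-9a-f]{5}$"),
    ("CryptXXX V1, V2, V3", r"\.(crypt|cryp1|crypz|[0-9a-f]{5})$"),
    ("TeslaCrypt V1", r"\.ecc$"),
    ("TeslaCrypt V2", r"\.(vvv|ccc|zzz|aaa|abc|xyz)$"),
    ("TeslaCrypt V3", r"\.(xxx|ttt|mp3|micro)$"),
    ("SNSLocker", r"\.rsnslocked$"),
    ("AutoLocky", r"\.locky$"),
    ("777", r"\.777$"),
    ("XORIST", r"\.xorist$"),
    ("XORBAT", r"\.crypted$"),
    ("CERBER V1", r"^.{10}\.cerber$"),
    ("Stampado", r"\.locked$"),
    ("Nemucod", r"\.crypted$"),
    ("Chimera", r"\.crypt$"),
    ("LECHIFFRE", r"\.lechiffre$"),
    ("MirCop", r"^lock\."),
    ("Globe/Purge V1", r"\.purge$"),
    ("DXXD", r"\.[^.]*dxxd$"),
    ("Teamxrat/Xpan", r"\.__xratteamlucked$"),
    ("Crysis", r"\.[^.]+\..+@.+\.(xtbl|crypt|dharma|wallet)$"),
    ("DemoTool", r"\.demoadc$"),
    ("WannaCry (WCRY)", r"\.(wncry|wcry)$"),
]
# Assumption: extensions are compared case-insensitively.
COMPILED = [(fam, re.compile(rx, re.IGNORECASE)) for fam, rx in SIGNATURES]

def candidates(path):
    """Return every family whose naming pattern fits; [] means no name-based hint."""
    return [fam for fam, rx in COMPILED if rx.search(PureWindowsPath(path).name)]

def triage(paths):
    """Group paths by candidate family, most frequent first."""
    groups = {}
    for p in paths:
        for fam in candidates(p):
            groups.setdefault(fam, []).append(p)
    return dict(sorted(groups.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    # Constructed sample paths, not taken from a real incident.
    sample = [r"C:\docs\q1.xlsx.crypted", r"C:\docs\q2.xlsx.crypted", r"C:\docs\song.mp3"]
    for fam, files in triage(sample).items():
        print(f"{fam}: {len(files)} file(s)")
```

Several extensions are shared between families (.crypt, .crypted) or with ordinary files (.mp3), so the output is a list of candidates to check, not an identification.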
Obtaining and Executing the Tool(s)
- Click the Download button below to obtain the latest version of the Trend Micro Ransomware File Decryptor tool. Decompress (unzip) and then launch the included RansomwareFileDecryptor exe file.
- Upon launch, users will be required to accept the End User License Agreement (EULA) to proceed.
- After accepting the EULA, the tool will proceed to the main user interface (UI). From here, users will be presented with a step-by-step guide to perform the file decryption.