Tool for decrypting files affected by Trojan-Ransom.Win32.Rannoh infection
If the system is infected by a malicious program of the family Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX, all files on the computer will be encrypted in the following way:
- In case of a Trojan-Ransom.Win32.Rannoh infection, file names and extensions will be changed according to the template locked-<original_name>.<four_random_letters>.
- In case of a Trojan-Ransom.Win32.Cryakl infection, the tag {CRYPTENDBLACKDC} is added to the end of file names.
- In case of a Trojan-Ransom.Win32.AutoIt infection, extensions will be changed according to the template <original_name>@<mail server>_.<random_set_of_characters>.
Example: [email protected]_.RZWDTDIC.
- In case of a Trojan-Ransom.Win32.CryptXXX infection, extensions will be changed according to the template <original_name>.crypt.
The RannohDecryptor tool is designed to decrypt files encrypted by Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1 and 2 (files encrypted by Trojan-Ransom.Win32.CryptXXX version 3 are detected, but not decrypted).
Disinfection
To disinfect the system:
- Download RannohDecryptor.zip: http://media.kaspersky.com/utilities/VirusUtilities/EN/rannohdecryptor.zip
The following pages contain information on how to download the file.
- Run RannohDecryptor.exe on the infected computer.
- In the main window, click Start scan.
- Specify the path to one encrypted file and one unencrypted file.
If the file is encrypted by Trojan-Ransom.Win32.CryptXXX, select the largest files. Only files of this size or smaller will be decrypted.
- Wait until the files are found and decrypted.
- Reboot the computer, if needed.
- To delete copies of encrypted files named like locked-<original_name>.<four_random_letters> after a successful decryption, use the option Delete encrypted files after decryption.
- By default, the tool log is saved on the system disk (the one with the operating system installed). The log file name is: UtilityName.Version_Date_Time_log.txt
For example, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt
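The file-name templates listed above, and the advice to select the largest file for CryptXXX, can be checked with a short triage script before running the tool. This is an added example, not part of the Kaspersky utility; the character classes in the patterns, the function names and the sample paths are assumptions, and a matching name alone does not prove a file is encrypted.

```python
import ntpath  # splits on both "\" and "/", so Windows paths parse on any OS
import os
import re
from collections import defaultdict

# Templates as described on this page; exact character classes are assumptions.
RULES = [
    # locked-<original_name>.<four_random_letters>
    ("Rannoh", re.compile(r"^locked-.+\.[A-Za-z]{4}$")),
    # tag {CRYPTENDBLACKDC} appended to the end of the file name
    ("Cryakl", re.compile(r"\{CRYPTENDBLACKDC\}$")),
    # <original_name>@<mail server>_.<random_set_of_characters>
    ("AutoIt", re.compile(r"^.+@[^@]+_\.[A-Za-z0-9]+$")),
    # <original_name>.crypt
    ("CryptXXX", re.compile(r"^.+\.crypt$", re.IGNORECASE)),
]

def classify(path):
    """Return the family whose naming template matches, or None."""
    name = ntpath.basename(path)
    for family, pattern in RULES:
        if pattern.search(name):
            return family
    return None

def triage(entries):
    """entries: iterable of (path, size). Group matching paths by family and
    return the largest CryptXXX file, the one the procedure asks you to select."""
    groups, largest = defaultdict(list), None
    for path, size in entries:
        family = classify(path)
        if family is None:
            continue
        groups[family].append(path)
        if family == "CryptXXX" and (largest is None or size > largest[1]):
            largest = (path, size)
    return dict(groups), largest

def scan(root):
    """Yield (path, size) for files under root, skipping unreadable ones."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.path.getsize(full)
            except OSError:
                continue

# Constructed sample names and sizes, not taken from a real incident.
SAMPLE = [(r"C:\Users\a\locked-report.docx.qzlk", 1200), ("notes.txt{CRYPTENDBLACKDC}", 300),
          ("invoice.xls@mail.example_.ABCDEFGH", 700), ("D:/data/db.sqlite.crypt", 5000),
          ("D:/data/pic.png.crypt", 900), ("readme.txt", 10)]
```

On a live system, `triage(scan(r"C:\Users"))` produces the same grouping from real files.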
If the system is encrypted by Trojan-Ransom.Win32.CryptXXX, the tool scans a limited number of files. If you have selected a file encrypted by CryptXXX v2, restoring the encryption key can take a rather long time. In this case the tool displays the following message: