Tool for decrypting files affected by Trojan-Ransom.Win32.Rannoh infection


2016 May 24 ID: 8547

If the system is infected by a malicious program of the family Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX, all files on the computer will be encrypted in the following way:

  • In case of a Trojan-Ransom.Win32.Rannoh infection, file names and extensions will be changed according to the template locked-<original_name>.<four_random_letters>.
  • In case of a Trojan-Ransom.Win32.Cryakl infection, the tag {CRYPTENDBLACKDC} is added to the end of file names.
  • In case of a Trojan-Ransom.Win32.AutoIt infection, extensions will be changed according to the template <original_name>@<mail server>_.<random_set_of_characters>.
    Example: [email protected]_.RZWDTDIC.
  • In case of a Trojan-Ransom.Win32.CryptXXX infection, extensions will be changed according to the template <original_name>.crypt.
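
The naming templates above can be used to triage a disk before running the tool. The Python script below is an added example, not part of the original article or of RannohDecryptor: the regular expressions and the function names classify and triage are assumptions derived from the templates. It also reports the largest CryptXXX file, which the disinfection steps ask you to supply.

```python
import re
from collections import Counter
from pathlib import Path

# Name patterns derived from the templates on this page. Assumptions: the four
# Rannoh letters are ASCII, and the AutoIt random suffix contains no dot.
# Name matching is a heuristic: a benign "locked-notes.docx" also fits Rannoh.
FAMILY_PATTERNS = [
    ("Rannoh", re.compile(r"^locked-.+\.[A-Za-z]{4}$")),
    ("Cryakl", re.compile(r"\{CRYPTENDBLACKDC\}$")),
    ("AutoIt", re.compile(r"^.+@[^@\s]+_\.[^.\s]+$")),
    ("CryptXXX", re.compile(r"^.+\.crypt$", re.IGNORECASE)),
]


def classify(file_name):
    """Return the family whose naming template the file name fits, or None."""
    for family, pattern in FAMILY_PATTERNS:
        if pattern.search(file_name):
            return family
    return None


def triage(root):
    """Walk root; return (Counter of families, largest CryptXXX file or None)."""
    counts = Counter()
    largest, largest_size = None, -1
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        family = classify(path.name)
        if family is None:
            continue
        counts[family] += 1
        # The tool only decrypts CryptXXX files up to the size of the sample
        # it is given, so record the largest one to supply in the dialog.
        if family == "CryptXXX":
            size = path.stat().st_size
            if size > largest_size:
                largest, largest_size = path, size
    return counts, largest


if __name__ == "__main__":
    import sys
    counts, largest = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for family, n in sorted(counts.items()):
        print(f"{family}: {n} file(s)")
    if largest is not None:
        print(f"Largest CryptXXX file: {largest}")
```

Run it with the folder to inspect as the only argument; it reads file names and sizes only and changes nothing on disk.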

The RannohDecryptor tool is designed to decrypt files encrypted by Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1 and 2 (files encrypted by Trojan-Ransom.Win32.CryptXXX version 3 are detected, but not decrypted).

 

Disinfection

To disinfect the system:

  1. Download RannohDecryptor.zip (http://media.kaspersky.com/utilities/VirusUtilities/EN/rannohdecryptor.zip). The following pages contain information on how to download the file.
  2. Run RannohDecryptor.exe on the infected computer.
  3. In the main window, click Start scan.

  4. Specify the path to one encrypted file and one unencrypted file.
    If the file is encrypted by Trojan-Ransom.Win32.CryptXXX, specify the largest files. Only files of this size or smaller will be decrypted.
  5. Wait until the files are found and decrypted.
  6. Reboot the computer, if needed.
  7. To delete copies of encrypted files named like locked-<original_name>.<four_random_letters> after a successful decryption, use the option Delete encrypted files after decryption.
    Please note. If the file was encrypted by Trojan-Ransom.Win32.Cryakl, the tool will save the files with the extension .decryptedKLR.original_extension. If you select the option Delete encrypted files after decryption, the decrypted file will be saved under the original name.
  8. By default, the tool log is saved on the system disk (the one with the operating system installed). The log file name is: UtilityName.Version_Date_Time_log.txt

    For example, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt

If the system is encrypted by Trojan-Ransom.Win32.CryptXXX, the tool scans a limited number of files. If you have selected a file encrypted by CryptXXX v2, restoring the encryption key can take a rather long time. In this case the tool displays the following message:

[Screenshot: RD_8547_2]

 

Command line options

-l <file_name> – create a log file with given name.

-y – close the window after decryption.