RakhniDecryptor tool for defending against Trojan Ransom.Win32.Rakhni ransomware
Do you want to prevent infections? Install Kaspersky for Windows
Use the Kaspersky RakhniDecryptor tool if your files were encrypted by any of the following ransomware:
- Trojan-Ransom.Win32.Conti
- Trojan-Ransom.Win32.Ragnarok
- Trojan-Ransom.Win32.Fonix
- Trojan-Ransom.Win32.Rakhni
- Trojan-Ransom.Win32.Agent.iih
- Trojan-Ransom.Win32.Autoit
- Trojan-Ransom.Win32.Aura
- Trojan-Ransom.AndroidOS.Pletor
- Trojan-Ransom.Win32.Rotor
- Trojan-Ransom.Win32.Lamer
- Trojan-Ransom.Win32.Cryptokluchen
- Trojan-Ransom.Win32.Democry
- Trojan-Ransom.Win32.GandCrypt ver. 4 and 5
- Trojan-Ransom.Win32.Bitman ver. 3 and 4
- Trojan-Ransom.Win32.Libra
- Trojan-Ransom.MSIL.Lobzik
- Trojan-Ransom.MSIL.Lortok
- Trojan-Ransom.MSIL.Yatron
- Trojan-Ransom.Win32.Chimera
- Trojan-Ransom.Win32.CryFile
- Trojan-Ransom.Win32.Crypren.afjh (FortuneCrypt)
- Trojan-Ransom.Win32.Nemchig
- Trojan-Ransom.Win32.Mircop
- Trojan-Ransom.Win32.Mor
- Trojan-Ransom.Win32.Crusis (Dharma)
- Trojan-Ransom.Win32.AecHu
- Trojan-Ransom.Win32.Jaff
- Trojan-Ransom.Win32.Cryakl CL 1.0.0.0
- Trojan-Ransom.Win32.Cryakl CL 1.0.0.0.u
- Trojan-Ransom.Win32.Cryakl CL 1.2.0.0
- Trojan-Ransom.Win32.Cryakl CL 1.3.0.0
- Trojan-Ransom.Win32.Cryakl CL 1.3.1.0
- Trojan-Ransom.Win32.Maze
- Trojan-Ransom.Win32.Sekhmet
- Trojan-Ransom.Win32.Egregor
How to know if Kaspersky RakhniDecryptor can decrypt your file
The Kaspersky RakhniDecryptor tool decrypts files that have been changed according to the following patterns:
- Trojan-Ransom.Win32.Conti:
  - <file_name>.KREMLIN
  - <file_name>.RUSSIA
  - <file_name>.PUTIN
- Trojan-Ransom.Win32.Ragnarok:
  - <file_name>.<ID>.thor
  - <file_name>.<ID>.odin
  - <file_name>.<ID>.hela
  For decryption, the utility asks for a file named !!Read_Me.<ID>.html.
- Trojan-Ransom.Win32.Fonix:
  - <file_name>.<original_file_extension>.Email=[<mail>@<server>.<domain>]ID=[<id>].XINOF
  - <file_name>.<original_file_extension>.Email=[<mail>@<server>.<domain>]ID=[<id>].FONIX
- Trojan-Ransom.Win32.Rakhni:
  - <file_name>.<original_file_extension>.locked
  - <file_name>.<original_file_extension>.kraken
  - <file_name>.<original_file_extension>.darkness
  - <file_name>.<original_file_extension>.oshit
  - <file_name>.<original_file_extension>.nochance
  - <file_name>.<original_file_extension>.oplata@qq_com
  - <file_name>.<original_file_extension>.relock@qq_com
  - <file_name>.<original_file_extension>.crypto
  - <file_name>.<original_file_extension>.helpdecrypt@ukr.net
  - <file_name>.<original_file_extension>.p***a@qq_com
  - <file_name>.<original_file_extension>.dyatel@qq_com
  - <file_name>.<original_file_extension>.nalog@qq_com
  - <file_name>.<original_file_extension>.chifrator@gmail_com
  - <file_name>.<original_file_extension>.gruzin@qq_com
  - <file_name>.<original_file_extension>.troyancoder@gmail_com
  - <file_name>.<original_file_extension>.coderksu@gmail_com_id373
  - <file_name>.<original_file_extension>.coderksu@gmail_com_id371
  - <file_name>.<original_file_extension>.coderksu@gmail_com_id372
  - <file_name>.<original_file_extension>.coderksu@gmail_com_id374
  - <file_name>.<original_file_extension>.coderksu@gmail_com_id375
  - <file_name>.<original_file_extension>.coderksu@gmail_com_id376
  - <file_name>.<original_file_extension>.coderksu@gmail_com_id392
  - <file_name>.<original_file_extension>.coderksu@gmail_com_id357
  - <file_name>.<original_file_extension>.coderksu@gmail_com_id356
  - <file_name>.<original_file_extension>.coderksu@gmail_com_id358
  - <file_name>.<original_file_extension>.coderksu@gmail_com_id359
  - <file_name>.<original_file_extension>.coderksu@gmail_com_id360
  - <file_name>.<original_file_extension>.coderksu@gmail_com_id20
- Trojan-Ransom.Win32.Mor: <file_name>.<original_file_extension>_crypt
- Trojan-Ransom.Win32.Autoit: <file_name>.<original_file_extension>.<_crypt@india.com_.letters>
- Trojan-Ransom.MSIL.Lortok:
  - <file_name>.<original_file_extension>.cry
  - <file_name>.<original_file_extension>.AES256
- Trojan-Ransom.MSIL.Yatron: <file_name>.<original_file_extension>.Yatron
- Trojan-Ransom.AndroidOS.Pletor: <file_name>.<original_file_extension>.enc
- Trojan-Ransom.Win32.Agent.iih: <file_name>.<original_file_extension>+<hb15>
- Trojan-Ransom.Win32.CryFile: <file_name>.<original_file_extension>.encrypted
- Trojan-Ransom.Win32.Democry:
  - <file_name>.<original_file_extension>+<._date-time_$email@domain$.777>
  - <file_name>.<original_file_extension>+<._date-time_$email@domain$.legion>
- Trojan-Ransom.Win32.GandCrypt:
  - version 4: <file_name>.<original_file_extension>.KRAB
  - version 5: <file_name>.<original_file_extension>.<line_of_random_characters>
- Trojan-Ransom.Win32.Bitman ver. 3:
  - <file_name>.xxx
  - <file_name>.ttt
  - <file_name>.micro
  - <file_name>.mp3
- Trojan-Ransom.Win32.Bitman ver. 4: <file_name>.<original_file_extension> (File name and its extension don't change).
- Trojan-Ransom.Win32.Libra:
  - <file_name>.encrypted
  - <file_name>.locked
  - <file_name>.SecureCrypted
- Trojan-Ransom.MSIL.Lobzik:
  - <file_name>.fun
  - <file_name>.gws
  - <file_name>.btc
  - <file_name>.AFD
  - <file_name>.porno
  - <file_name>.pornoransom
  - <file_name>.epic
  - <file_name>.encrypted
  - <file_name>.J
  - <file_name>.payransom
  - <file_name>.paybtcs
  - <file_name>.paymds
  - <file_name>.paymrss
  - <file_name>.paymrts
  - <file_name>.paymst
  - <file_name>.paymts
  - <file_name>.gefickt
  - <file_name>.uk-dealer@sigaint.org
- Trojan-Ransom.Win32.Mircop: <Lock>.<file_name>.<original_file_extension>
- Trojan-Ransom.Win32.Crusis (Dharma):
  - <file_name>.ID<…>.<mail>@<server>.<domain>.xtbl
  - <file_name>.ID<…>.<mail>@<server>.<domain>.CrySiS
  - <file_name>.id-<…>.<mail>@<server>.<domain>.xtbl
  - <file_name>.id-<…>.<mail>@<server>.<domain>.wallet
  - <file_name>.id-<…>.<mail>@<server>.<domain>.dhrama
  - <file_name>.id-<…>.<mail>@<server>.<domain>.onion
  - <file_name>.<mail>@<server>.<domain>.wallet
  - <file_name>.<mail>@<server>.<domain>.dhrama
  - <file_name>.<mail>@<server>.<domain>.onion
  Examples of some e-mail addresses used to spread malware:
  - webmafia@asia.com
  - braker@plague.life
  - crannbest@foxmail.com
  - amagnus@india.com
  - stopper@india.com
  - bitcoin143@india.com
  - worm01@india.com
  - funa@india.com
  - pay4help@india.com
  - lavandos@dr.com
  - mkgoro@india.com
- Trojan-Ransom.Win32.Crypren.afjh (FortuneCrypt): the file name and its extension don't change.
- Trojan-Ransom.Win32.Nemchig: <file_name>.<original_file_extension>.safefiles32@mail.ru
- Trojan-Ransom.Win32.Lamer:
  - <file_name>.<original_file_extension>.bloked
  - <file_name>.<original_file_extension>.cripaaaa
  - <file_name>.<original_file_extension>.smit
  - <file_name>.<original_file_extension>.fajlovnet
  - <file_name>.<original_file_extension>.filesfucked
  - <file_name>.<original_file_extension>.criptx
  - <file_name>.<original_file_extension>.gopaymeb
  - <file_name>.<original_file_extension>.cripted
  - <file_name>.<original_file_extension>.bnmntftfmn
  - <file_name>.<original_file_extension>.criptiks
  - <file_name>.<original_file_extension>.cripttt
  - <file_name>.<original_file_extension>.hithere
  - <file_name>.<original_file_extension>.aga
- Trojan-Ransom.Win32.Cryptokluchen:
  - <file_name>.<original_file_extension>.AMBA
  - <file_name>.<original_file_extension>.PLAGUE17
  - <file_name>.<original_file_extension>.ktldll
- Trojan-Ransom.Win32.Rotor:
  - <file_name>.<original_file_extension>..-.DIRECTORAT1C@GMAIL.COM.roto
  - <file_name>.<original_file_extension>..-.CRYPTSb@GMAIL.COM.roto
  - <file_name>.<original_file_extension>..-.DIRECTORAT1C8@GMAIL.COM.roto
  - <file_name>.<original_file_extension>.!______________DESKRYPTEDN81@GMAIL.COM.crypt
  - <file_name>.<original_file_extension>.!___prosschiff@gmail.com_.crypt
  - <file_name>.<original_file_extension>.!_______GASWAGEN123@GMAIL.COM____.crypt
  - <file_name>.<original_file_extension>.!_________pkigxdaq@bk.ru_______.crypt
  - <file_name>.<original_file_extension>.!____moskali1993@mail.ru___.crypt
  - <file_name>.<original_file_extension>.!==helpsend369@gmail.com==.crypt
  - <file_name>.<original_file_extension>.!-==kronstar21@gmail.com=--.crypt
- Trojan-Ransom.Win32.Chimera:
  - <file_name>.<original_file_extension>.crypt
  - <file_name>.<original_file_extension>.<4 random tokens>
- Trojan-Ransom.Win32.AecHu:
  - <file_name>.aes256
  - <file_name>.aes_ni
  - <file_name>.aes_ni_gov
  - <file_name>.aes_ni_0day
  - <file_name>.lock
  - <file_name>.decrypr_helper@freemail_hu
  - <file_name>.decrypr_helper@india.com
  - <file_name>.~xdata
- Trojan-Ransom.Win32.Jaff:
  - <file_name>.jaff
  - <file_name>.wlu
  - <file_name>.sVn
- Trojan-Ransom.Win32.Cryakl: email-<...>.ver-<...>.id-<...>.randomname-<...>.<random_extension>
- Trojan-Ransom.Win32.Maze: <file_name>.<original_file_extension>.<random_extension>
- Trojan-Ransom.Win32.Sekhmet: <file_name>.<original_file_extension>.<random_extension>
- Trojan-Ransom.Win32.Egregor: <file_name>.<original_file_extension>.<random_extension>
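The naming patterns above can be used for a first triage of a file listing. The Python below is an added example, not Kaspersky's code or part of RakhniDecryptor; it covers only a subset of the listed patterns, reads Mircop's `<Lock>.` as a literal `Lock.` prefix (an assumption), and runs on constructed sample names.

```python
import re

# Subset of the naming patterns listed above, one regex per family.
# Assumption: "<Lock>." (Mircop) is read as a literal "Lock." prefix.
# Matching is case-sensitive, exactly as the extensions are spelled in the list.
MAIL = r"[^@\s]+@[^.\s]+\.[^.\s]+"  # <mail>@<server>.<domain>
PATTERNS = [
    ("Conti", r".+\.(KREMLIN|RUSSIA|PUTIN)"),
    ("Ragnarok", r".+\.[^.]+\.(thor|odin|hela)"),
    ("Fonix", r".+\.[^.]+\.Email=\[" + MAIL + r"\]ID=\[[^\]]+\]\.(XINOF|FONIX)"),
    ("Rakhni", r".+\.[^.]+\.(locked|kraken|darkness|crypto)"),
    ("Libra", r".+\.(encrypted|locked|SecureCrypted)"),
    ("CryFile", r".+\.[^.]+\.encrypted"),
    ("Lobzik", r".+\.(fun|gws|btc|encrypted|payransom)"),
    ("Crusis (Dharma)", r".+\.(ID[^.]+\." + MAIL + r"\.(xtbl|CrySiS)"
                        r"|id-[^.]+\." + MAIL + r"\.(xtbl|wallet|dhrama|onion))"),
    ("Mircop", r"Lock\..+\.[^.]+"),
    ("GandCrypt ver. 4", r".+\.[^.]+\.KRAB"),
    ("Bitman ver. 3", r".+\.(xxx|ttt|micro|mp3)"),
    ("Jaff", r".+\.(jaff|wlu|sVn)"),
]
COMPILED = [(family, re.compile(rx)) for family, rx in PATTERNS]

# Not recognisable by name: Bitman ver. 4 and FortuneCrypt leave names
# unchanged; Maze, Sekhmet and Egregor append a random extension.

def candidate_families(path):
    """Return every family (from the subset) whose pattern fits the file name."""
    name = re.split(r"[\\/]", path)[-1]  # keep only the last path component
    return [family for family, rx in COMPILED if rx.fullmatch(name)]

def triage(paths):
    """Keep paths with at least one candidate; several candidates = ambiguous."""
    hits = {p: candidate_families(p) for p in paths}
    return {p: fams for p, fams in hits.items() if fams}

# Constructed sample names (not taken from a real incident).
SAMPLES = [
    "report.docx.id-1A2B3C4D.webmafia@asia.com.wallet",
    "notes.txt.encrypted",          # fits three families
    "budget.xlsx.locked",           # fits two families
    "C:\\Users\\a\\Lock.invoice.pdf",
    "song.mp3",                     # also fits any ordinary audio file
    "thesis.tex",                   # no candidate
]

if __name__ == "__main__":
    for path, fams in triage(SAMPLES).items():
        print(f"{path}: {', '.join(fams)}")
```

A name match is only a hint: several extensions are shared between families, and `.mp3` also fits untouched audio files, so confirm with the ransom note and the decryptor's own scan.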
To learn more about technologies Kaspersky uses for malware protection, go to this page.
How to decrypt files with Kaspersky RakhniDecryptor
- Download RakhniDecryptor.zip and extract the files from it. For instructions see this guide.
- Open the folder with the extracted files.
- Run RakhniDecryptor.exe.
- Read the License Agreement carefully and click Accept if you agree to all its terms.
- Click the Change parameters link.
- Select the objects to scan (hard drives / removable drives / network drives).
- Select the checkbox Delete crypted files after decryption. In that case, the tool will remove the copies of encrypted files with the extensions LOCKED, KRAKEN, DARKNESS, etc.
- Click OK.
- Click Start scan.
- Select the encrypted file and click Open.
- Read the Warning and click OK.
Files will be decrypted.
A file with the CRYPT extension might be encrypted more than once. For example, if the file test.doc was encrypted twice, the tool will decipher the first layer into the file test.1.doc.layerDecryptedKLR. In the tool performance report you will see: «Decryption success: disk:\path\test.doc_crypt -> disk:\path\test.1.doc.layerDecryptedKLR». You will need to decrypt this file once again. If decryption succeeds, the file will be saved under the original name test.doc.
Parameters for running the utility from the command line
For the sake of convenience and time saving, Kaspersky RakhniDecryptor supports the following command line parameters:
What to do if you notice a suspicious file on your computer
What to do if the utility did not help
If the utility did not help, contact Kaspersky Customer Service by choosing the topic and filling out the form.