Tool for decrypting files affected by Trojan-Ransom.Win32.Rannoh
Do you want to prevent infections? Be safe and private with new Kaspersky applications.
Kaspersky RannohDecryptor is a free tool for decrypting files affected by Trojan-Ransom.Win32.Rannoh.
To download RannohDecryptor, click Download.
RannohDecryptor tool is designed to decrypt files encrypted by the following ransomware:
- Trojan-Ransom.Win32.Rannoh
- Trojan-Ransom.Win32.AutoIt
- Trojan-Ransom.Win32.Cryakl
- Trojan-Ransom.Win32.CryptXXX version 1, 2, and 3
- Trojan-Ransom.Win32.Crybola
- Trojan-Ransom.Win32.Polyglot
- Trojan-Ransom.Win32.Fury
- Trojan-Ransom.Win32.Yanluowang
In case of an infection, all files on the computer will be changed as follows:
The other ransomware does not change file extensions.
If you want to decrypt files affected by Trojan-Ransom.Win32.CryptXXX, take into account the following:
- RannohDecryptor utility scans a limited number of file formats:
- 1cd, 7z, ai, avi, bz2, cab, cdr, cdw, cdx, cf, chm, dbf, djvu, doc, docm, docx, dt, dwg, epf, eps, erf, ert, fla, flac, flv, gif, gz, html, iso, jpeg, jpg, ldf, md, mdb, mdf, mov, mp3, mp4, mxl, nef, ods, odt, ogg, pdf, php, png, ppt, pptm, pptx, ps1, psd, pst, qbb, rar, rcf, rtf, sdf, sldasm, slddrw, tib, tif, tiff, vhd, vhdx, vsd, wav, xls, xlsm, xlsx, xlt, zip.
- It may take a long time to restore the key for decrypting files affected by Trojan-Ransom.Win32.CryptXXX version 2. In this case, the utility displays a warning:
.png "Key recovery can take a long time warning")
How to disinfect the system
- Download the RannohDecryptor.zip archive.
- Run RannohDecryptor.exe on the infected computer.
- Carefully read through the End User License Agreement. If you agree with all the terms, click Accept.
- If you want the utility to automatically remove the decrypted files, do the following:
- In the main window, click Change parameters.
-
Select the Delete crypted files after decryption checkbox.
- In the main window, click Start scan.
- Specify the path to the encrypted file.
- To decrypt some files, the utility will request the original (not encrypted) copy of one encrypted file. You can find such a copy in your mail, on a removable drive, on your other computers, or in cloud storage. Click Continue and specify the path to the original file.
If the file is encrypted by Trojan-Ransom.Win32.CryptXXX, indicate the largest files. Only the files of this size or smaller ones will be decrypted.
- Wait until the encrypted files are found and decrypted.
If the file was encrypted by Trojan-Ransom.Win32.Cryakl, Trojan-Ransom.Win32.Polyglot, or Trojan-Ransom.Win32.Fury, the tool will save the file at its previous location with the extension .decryptedKLR.original_extension. If you selected the Delete crypted files after decryption checkbox, the tool will save the decrypted files with their original name.
If the file was encrypted by Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.Cryakl, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.CryptXXX, Trojan-Ransom.Win32.Crybola or Trojan-Ransom.Win32.Yanluowang, the tool will save the file at its previous location with the original extension.
By default, the tool log is saved on the system disk with the operating system installed. Log file name is: UtilityName.Version_Date_Time_log.txt. For example, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt
How to use the tool through the command line
What to do if the tool did not help
If RannohDecryptor did not succeed in file decryption, download and launch the XoristDecryptor or RectorDecryptor tool.
To protect your computer from ransomware, download and install new Kaspersky applications.