/// technical service
Verschlüsselungs-Trojaner Trojan:W32/RansomCrypt entfernen
Verschlüsselungs-Trojaner Trojan:W32/RansomCrypt entfernen Neuer Decrypter: DecryptHelper
----^^^---ZUERST AUSPROBIEREN ------^^^---
F-Secure hat für die Entschlüsselung der Dateien ein Python-Script erstellt (Meldung
Our analysts have created a decryption script, written in Python, for our support team. Fortunately, we've only seen a small number of customer cases. The decryption script works with two variants of Ransomcrypt. |
• Trojan:W32/RansomCrypt.A, SHA1: b8f60c64c70f03c263bf9e9261aa157a73864aaf
• Trojan:W32/RansomCrypt.B, SHA1: 1e41e641e54bb6fb26b5706e39b90c93165bcb0b
License Agreement |
Please read the following license agreement carefully
This application is an F-Secure Labs support tool. It is provided "as is", without warranty or product support. Redistribution of this tool is prohibited.
This tool will search and decrypt files encrypted by Trojan:W32/RansomCrypt.
- Give the location of the encrypted files as a parameter, that folder will be scanned recursively (ie. all sub-folders and their sub-folders etc. will be inspected for encrypted files).
- For example: fs_randec.py c:\ will decrypt all files on the c-drive
- For example: fs_randec.py c:\encrypted_files will decrypt files in that particular folder and all of its sub-folders.
THINGS TO NOTE BEFORE RUNNING THIS TOOL
- This tool does not remove the trojan or the registry changes it has made, please make sure the trojan has been removed before running this tool so the files are not re-encrypted.
- A variant specific fs_randec_conf.ini is required and must be in the same folder as this tool. Using the wrong configuration file will result in incorrectly decrypted files.
- The encrypted files must not have been renamed after they were encrypted.
- The encrypted files are not deleted after decryption.
- A decrypted file will be created with its original file name in the same folder where the decrypted file is, if a file with the original name already exists in the folder, decryption is not performed.
- The following files need to be in the same folder as fs_randec.py: EULT.txt and fs_randec_conf.ini
- Python is required for running this tool, if it is not already installed on the system please download and install the appropriate version from http://www.python.org/download/releases/2.7.3/
- If you have a lot of large files that have been encrypted you may want to first copy a few of them to a new folder and decrypt the content of that folder to get an idea how long it would take to decrypt the whole hard drive.
- For optimal use collect just the files you wish to have decrypted to the same folder and only decrypt the content of that folder.
- Once you have confirmed that all the files you wanted to restore have been successfully decrypted you can remove the encrypted files for example by using the built-in Windows search to find all files that have the file extension added by the trojan, selecting all found files and deleting them.
- Do not delete the encrypted files until you are absolutely sure all the files you wish to restore have been successully decrypted.
- You can find and delete the text files notifying of the encryption with the same method as the encrypted files. You may also want to consider storing all of the encrypted files on a separate drive in case you later realise some file was not decrypted correctly.
- The encrypted files cause no danger to the system except taking up disc space so it is not imperative to delete them.
- Pressing Ctrl-C will abort the decryption process.
We will attempt to decrypt the files encrypted by Trojan:W32/RansomCrypt to their original content and their original filenames but at your own responsibility and at your own risk.