Hidden Tear Decryptor

Information

This decryptor will not work if you have shut down or restarted the infected computer since your files were encrypted.

You must run this decryptor on the infected computer, against the original encrypted files; otherwise the key calculation may fail.

Usage

1. Run the decryptor by double-clicking it or via PowerShell/cmd.

2. When the decryptor starts, enter the extension that has been added to your encrypted files by the ransomware (e.g. locked, hidden tear).

3. Choose the validation method you wish to use. The validation process uses a single file to calculate the decryption key; once it has identified the key, the rest of your files will be decrypted.

a. Content match (1) will search the specified file for a specific piece of content that you provide. For example, if you know that the file originally contained the phrase “the quick brown fox”, the decryptor will use that phrase to confirm it has found the correct key.

b. Exact file match (2) is useful if you have an exact, unencrypted copy of one of the encrypted files. If you have such a copy, the decryptor will use the entire file to confirm it has found the correct key.

4. Provide your validation data.
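The two validation methods above amount to a known-plaintext check run against each candidate key: decrypt one file with the candidate, then either look for the phrase you supplied (content match) or compare the result byte-for-byte with your clean copy (exact file match). The Python below is an added illustration of that loop and is not the decryptor's own code; Hidden Tear's real cipher and key derivation are not shown, so a SHA-256 counter-mode XOR stream and a small constructed key space (`key-0` … `key-999`) stand in for them, and all file contents are constructed samples.

```python
import hashlib
from typing import Callable, Dict, Iterable, Optional

# Stand-in keystream cipher (SHA-256 in counter mode, XORed over the data).
# Assumption for illustration only: this is NOT Hidden Tear's cipher.
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

toy_decrypt = toy_encrypt  # an XOR stream cipher is its own inverse

# Validation method 1: content match (does the decrypted file contain the phrase?)
def content_validator(phrase: bytes) -> Callable[[bytes], bool]:
    return lambda plaintext: phrase in plaintext

# Validation method 2: exact file match (is the decrypted file identical to the clean copy?)
def exact_validator(reference: bytes) -> Callable[[bytes], bool]:
    return lambda plaintext: plaintext == reference

def find_key(ciphertext: bytes, candidates: Iterable[bytes],
             is_valid: Callable[[bytes], bool]) -> Optional[bytes]:
    """Try every candidate key on the single validation file; return the first that validates."""
    for key in candidates:
        if is_valid(toy_decrypt(key, ciphertext)):
            return key
    return None

def decrypt_all(key: bytes, encrypted: Dict[str, bytes], ext: str) -> Dict[str, bytes]:
    """Decrypt every file with the recovered key and strip the ransomware's extension."""
    restored = {}
    for name, data in encrypted.items():
        original = name[:-len(ext)] if name.endswith(ext) else name
        restored[original] = toy_decrypt(key, data)
    return restored

def demo():
    # Constructed sample: three files encrypted under one key from the constructed key space.
    real_key = b"key-417"
    originals = {
        "notes.txt": b"the quick brown fox jumps over the lazy dog",
        "report.txt": b"quarterly figures attached, see sheet 2",
        "photo.bin": bytes(range(256)),
    }
    ext = ".locked"
    encrypted = {n + ext: toy_encrypt(real_key, d) for n, d in originals.items()}
    candidates = [f"key-{i}".encode() for i in range(1000)]

    key_by_content = find_key(encrypted["notes.txt" + ext], candidates,
                              content_validator(b"the quick brown fox"))
    key_by_exact = find_key(encrypted["report.txt" + ext], candidates,
                            exact_validator(originals["report.txt"]))
    recovered = decrypt_all(key_by_content, encrypted, ext)
    return key_by_content, key_by_exact, recovered

if __name__ == "__main__":
    k1, k2, files = demo()
    print("content match ->", k1, "| exact match ->", k2)
    print(sorted(files))
```

Exact file match cannot produce a false positive, but a content match with a very short phrase can: a handful of bytes will eventually appear by chance in some wrong decryption if the key space is large. Prefer a phrase of at least a dozen characters that you are sure was in the original file.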

Developed by Alex Seymour

Download the decryptor here

CryptConsole – Sequre Variant Decryptor

Information

This decryptor has only been tested against the sequre variant of CryptConsole. Files encrypted by this variant will have sequre@tuta.io at the start of their name. Due to the ransomware’s unreliable encryption routine, some files may be unrecoverable. The decryptor is capable of recovering the original name of encrypted files, so files that are decrypted will also have their original name restored.

If you are unable to access the file browser because the ransomware has encrypted your quick launch items and start menu items, you can access it by holding down the Windows key (between CTRL and ALT) and pressing R, then entering explorer in the window that appears and pressing Enter.

Usage

1. Run the decryptor with administrator privileges by right-clicking on it and selecting ‘Run as administrator’. Without administrator permissions, the decryptor will not be able to decrypt files in protected locations.

2. The ransomware will have left a text file on your desktop; enter the name (and extension) of that file so the decryptor can extract the required information from it.

3. Decide if you would like the decryptor to delete encrypted files after it successfully decrypts them. If the decryptor fails to decrypt a file it will not be removed.

4. Wait until the decryptor completes. If the decryptor is unable to decrypt any files it will list them in a file on your desktop. The decryptor will also attempt to remove all of the ransom notes from your system.

Developed by Alex Seymour

Download the decryptor here

CryBrazil Decryptor

The decryptor was developed by Alex Seymour as part of his MSc thesis in IoT and Cyber Security.

Usage

1. Run the decryptor by double-clicking it or via PowerShell/cmd.

2. Decide if you would like the decryptor to delete encrypted files after it successfully decrypts them. If the decryptor fails to decrypt a file it will not be removed.

3. Wait until the decryptor completes. If the decryptor is unable to decrypt any files it will list them in a file on your desktop. The decryptor will also remove the malware, ransom note and desktop wallpaper image from your system.

Developed by Alex Seymour

Download the decryptor here

Shrug ransomware victim? Here’s how to retrieve your locked files for free

From zdnet.com

A new form of ransomware is being distributed through drive-by attacks, but victims can retrieve their locked files for free due to mistakes in the attack’s code.

Shrug ransomware first appeared in the wild on July 6, and comes embedded in fake software and gaming apps. Those who get tricked into downloading and running the file-encrypting malware are met with an extensive and mocking ransom note penned by an attacker calling themselves Martha.

More information here

Ransomware tracker for prevention

In order for this kind of ransomware to fully succeed in encrypting your files, it needs to connect to its key server. This means there is a window of opportunity to protect your computer by interrupting the encryption process. Many AV vendors have blocklists incorporated in their products; there are also publicly available ones, like the one maintained by abuse.ch. Ideally, though, the best mitigation by far is to perform regular backups of your data and either store them offline or keep them in a version control system.
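One practical way to use such a blocklist defensively is to run outbound connection logs against it and raise an alert on any host that reached a listed key server, since that is the moment the encryption run can still be interrupted. The Python below is an added example, not code from the page or from abuse.ch; the feed format (one domain or IP per line, `#` comments), the `dst=host:port` log format, and every indicator and log line in it are constructed placeholders.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed blocklist in the style of a domain/IP feed. Placeholder entries only.
BLOCKLIST_TEXT = """
# constructed sample feed, one indicator per line
bad-keyserver.example
update.evil.example
198.51.100.23
"""

# Constructed outbound connection log lines (proxy style), not from any real system.
LOG_LINES = [
    "2018-07-10T09:12:01Z host=ws-17 dst=cdn.vendor.example:443 action=allow",
    "2018-07-10T09:12:03Z host=ws-17 dst=api.update.evil.example:443 action=allow",
    "2018-07-10T09:12:04Z host=ws-22 dst=198.51.100.23:80 action=allow",
    "2018-07-10T09:12:05Z host=ws-09 dst=mail.corp.example:993 action=allow",
    "2018-07-10T09:12:06Z host=ws-09 dst=evil.example.org:443 action=allow",
]

DST_RE = re.compile(r"dst=([^:\s]+)(?::(\d+))?")
HOST_RE = re.compile(r"host=(\S+)")

def load_blocklist(text: str) -> Set[str]:
    """Normalise feed entries: lower-case, no trailing dot, comments and blanks skipped."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.add(line.lower().rstrip("."))
    return entries

def _is_ipv4(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)

def is_blocked(destination: str, blocklist: Set[str]) -> bool:
    """IPs match exactly; a listed domain also matches any of its subdomains."""
    host = destination.lower().rstrip(".")
    if _is_ipv4(host):
        return host in blocklist
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def scan_log(lines: Iterable[str], blocklist: Set[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose destination is on the blocklist."""
    hits = []
    for line in lines:
        m = DST_RE.search(line)
        if not m:
            continue  # line has no destination field; nothing to match
        dest = m.group(1)
        if is_blocked(dest, blocklist):
            h = HOST_RE.search(line)
            hits.append({"host": h.group(1) if h else "?", "dst": dest, "line": line})
    return hits

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES, load_blocklist(BLOCKLIST_TEXT)):
        print(f"ALERT {hit['host']} contacted listed destination {hit['dst']}")
```

Suffix matching is deliberate: a listed zone such as `update.evil.example` should also catch `api.update.evil.example`, while an unrelated name that merely contains the string (`evil.example.org` above) must not match. Feeds change frequently, so reload the list on a schedule rather than baking it in as this sample does.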


My computer has been infected by ransomware. What should I do?

First of all, do not panic! A good starting point is to establish whether you can get your files back using one of the decryptors published in nomoreransom.org: Access Crypto Sheriff. You will need to upload two of your encrypted files and hopefully you will be directed to the right decryptor.

For more info, please visit The No More Ransom Project.