Downloading and Using the Trend Micro Ransomware File Decryptor

  • Solution ID: 1114221
  • Last Updated: Nov. 17, 2017 1:27 PM (PST)
  • Applies to: Antivirus+ Security - 2016;Antivirus+ Security - 2017;Internet Security - 2016;Internet Security - 2017;Maximum Security - 2016;Maximum Security - 2017;OfficeScan - 10.6, 11.0;Premium Security - 2016;Premium Security - 2017;Worry-Free Business Security Services - 3.7, Worry-Free Business Security Services - 5.8, Worry-Free Business Security Services - 5.7;Worry-Free Business Security Services - 6.1;Worry-Free Business Security Standard/Advanced - 7.0, Worry-Free Business Security Standard/Advanced - 8.0, Worry-Free Business Security Standard/Advanced - 9.0;
  • Using the Trend Micro Ransomware File Decryptor Tool
 
As of May 21, 2017, limited decryption support for the WannaCry (WCRY) Ransomware has been added to this tool (primarily for Windows XP). Please read the notes and limitations below for more information.

This guide provides the instructions and location for downloading and using the latest Trend Micro Ransomware File Decryptor tool to attempt to decrypt files encrypted by certain ransomware families.

As an important reminder, the best protection against ransomware is preventing it from ever reaching your system.  While Trend Micro is constantly working to update our tools, ransomware writers are also constantly changing their methods and tactics, which can make previous versions of tools such as this one obsolete over time.

Customers are strongly encouraged to continue practicing safe security habits:

  1. Make sure you have regular offline or cloud backups of your most important and critical data.
  2. Ensure that you are always applying the latest critical updates and patches to your system OS and other key software (e.g. browsers).
  3. Install the latest versions of and apply best practice configurations of security solutions such as Trend Micro to provide mutli-layered security.

Trend Micro customers are encouraged to visit the following sites for more information on ransomware and prevention best practices:

Consumer (Home) customers may visit the following site: Consumer (Home) Customers' Guide on Ransomware: Introduction, Prevention and Trend Micro Security Solutions

Corporate (Business) customers may find additional information and guides here:  Corporate (Business) Customers' Guide on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products

 
Learn how your Trend Micro Consumer (Home) product protects you against the latest WCRY (WannaCry) Ransomware Attack. Click here.

Supported Ransomware Families

The following list describes the known ransomware-encrypted files types can be handled by the latest version of the tool.

RansomwareFile name and extension
CryptXXX V1, V2, V3* {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters
CryptXXX V4, V5 {MD5 Hash}.5 hexadecimal characters
TeslaCrypt V1** {original file name}.ECC
TeslaCrypt V2** {original file name}.VVV, CCC, ZZZ, AAA, ABC, XYZ
TeslaCrypt V3 {original file name}.XXX or TTT or MP3 or MICRO
TeslaCrypt V4 File name and extension are unchanged
SNSLocker {Original file name}.RSNSLocked
AutoLocky {Original file name}.locky
BadBlock {Original file name}
777 {Original file name}.777
XORIST {Original file name}.xorist or random extension
XORBAT {Original file name}.crypted
CERBER V1 {10 random characters}.cerber
Stampado {Original file name}.locked
Nemucod {Original file name}.crypted
Chimera {Original file name}.crypt
LECHIFFRE {Original file name}.LeChiffre
MirCop Lock.{Original file name}
Jigsaw {Original file name}.random extension
Globe/Purge V1: {Original file name}.purge
V2: {Original file name}.{email address + random characters}
V3: Extension not fixed or file name encrypted
DXXD V1: {Original file name}.{Original extension}dxxd
Teamxrat/Xpan V2: {Original filename}.__xratteamLucked
Crysis .{id}.{email address}.xtbl, .{id}.{email address}.crypt, .{id}.{email addres}.dharma, .{id}.{email address}.wallet
TeleCrypt {Original file name}
DemoTool .demoadc
WannaCry (WCRY) {Original file name}.WNCRY, {Original file name}.WCRY
Petya N/A
 

* - CryptXXX V3 decryption may not recover the entire file (partial data decryption). Please see the section titled Important Note about Decrypting CryptXXX V3 below.

** - Users will need to contact Trend Micro technical Support to request the separate tool TeslacryptDecryptor 1.0.xxxx MUI for TeslaCrypt V1 and V2 files. Both tools support V3 and V4. 

Obtaining and Executing the Tool(s)

  1. Click the Download button below to obtain the latest version of the Trend Micro Ransomware File Decryptor tool. Decompress (unzip) and then launch the included RansomwareFileDecryptor exe file.

    Download RansomwareFileDecryptor

  2. Upon launch, users will be required to accept the End User License Agreement (EULA) to proceed.
  3. After accepting the EULA, the tool will proceed to the main user interface (UI). From here, users will be presented with a step-by-step guide to perform the file decryption.

    Anti-Ransomware

Step 1: Select the ransomware name

Most ransomware usually includes a text file or html file to inform the user that his/her system has been infected by a certain type of ransomware. Using this information, an affected user can select the suspected ransomware name to decrypt files. Users having trouble identifying the type of ransomware should contact Trend Micro Technical Support for further assistance.

Select Ransomware Name

Note: When selecting the "I don't know the ransomware name" option, the tool will prompt the user to select a target file to be decrypted and will try and automatically identify the ransomware based on the file signature. 

Step 2: Select the encrypted file or folder

The tool can either attempt to decrypt a single file or all files in a folder and its sub-folders by using recursive mode. By clicking “Select & Decrypt”, choose a folder or a file and click OK to start the decrypting process.

Select File 

Step 3: Start decrypting files

After the file(s) or folder(s) are selected, the tool will start scanning and decrypting files automatically.

Start decrypting files

If the scan target is a folder, the tool will collect some file information from the target folder first to help identify which files need to be decrypted. During the scan, a scrollbar will indicate the decrypting progress, and the UI will be updated to indicate how many files are encrypted and the number of files have been decrypted.

The tool can decrypt certain types of ransomware-encrypted files (e.g. TeslaCrypt) files very quickly. However, other file types (e.g. CryptXXX) may take significantly longer. The overall duration also depends on how many files are located in the target folder.

If Stop is clicked during scanning, the process will be interrupted.

Scanning Complete 

Step 4: Decrypting CyptXXX V1, XORIST, XORBAT, NEMUCOD or TeleCrypt (optional)

If the tool identifies files encrypted by one of the ransomware mentioned above, it will ask the user to provide additional information to proceed due to some unique processing required for the specific decryption.

Click here

After selecting the “click here” option highlighted above, another dialog will appear asking for a file pair. The user will need to select a infected file and a matching non-infected file if there is an available backup copy (the larger the file size the better).

file pair

Step 5: Finish decrypting files

Once the scan and decryption process is finished, the UI will show the results.

Scanning Complete 

By clicking See encrypted files, the tool opens the encrypted file location or folder which was selected for scanning. The decrypted files are resident in opened folder.

The decrypted file name(s) will be the same as the previously encrypted file(s), with the exception being the removal of the extension appended by the ransomware.

For those file(s) encrypted without the file name changing, the decrypted file name will be {original file name} decrypted.{extension}.

By clicking Done, the tool returns to the main UI. Repeat step 1 and 2 to decrypt more files.

Due to the advanced encryption of this particular Crypto-Ransomware, only partial data decryption is currently possible on files affected by CryptXXX V3.

The tool will try and fix certain file formats after the decryption attempt, including DOC, DOCX, XLS, XLSX, PPT, and PPTX (common Microsoft Office) files.  The fixed file will have the same name of the original file with "_fixed" appended to the file name and will be placed in the same location.  When opening the fixed file with Microsoft Office, it may present a message to try and repair the file again, and this process may be able to recover the document.  Please note that due to the different versions of Microsoft Office and particular file behaviors, it is not guaranteed that this method will completely recover the document.

However, for other files after the partial data decryption, users may have to utilize a 3rd party corrupted file recovery tool (such as the open source program JPEGSnoop*) to try and recover the full file.

An example of this would be a photo or image file that is partially recovered to show parts of the image, but not the entire image. A user would then determine if the file is critical enough to utilize a 3rd party tool or seek assistance from an 3rd party professional file recovery service.

Original Photo (before CryptXXX V3 infection)

Trend Micro Ransomware File Decryptor

Photo after partial data decryption

Trend Micro Ransomware File Decryptor

Unfortunately, Trend Micro Technical Support will be extremely limited in any sort assistance that can be provided regarding 3rd party file recovery.

 
Trend Micro does not specifically endorse nor is affiliated with the JPEGSnoop project in any way and is just referencing it as an example of the type of recovery tool that a user may need.

BadBlock can encypt essential system files, which may cause issues like not allowing the operating system (OS) to load properly after a reboot if infected. Because of the sensitivity of these files, when the tool attempts decryption of these files, it will backup selected key originally encrypted PE files and append “_bbbak” to the name. After the decryption, the original PE file name will be restored. For non-PE files, the decrypted names will be the original file name with “_decrypted” appended to the name of the file.

ince there are different ways that BadBlock can affect a system, there are a few different approaches the tool may use to try and decrypt affected files:

  1. If the system has been infected and had not yet had a reboot. In this situation, the user may try and run the tool and it will attempt to decrypt affected files.
  2. If the system has already been rebooted after an infection and cannot boot successfully into the OS. In this situation it is recommended that the user boot from an OS installation image (such as a Windows Recovery Disk) or other method to try and get to a state where the OS can boot successfully and then try and run the tool to decrypt other files.
  3. If the system OS cannot be recovered by an OS installation image as mentioned above. In this case, users may need to physically remove the affected hard disk drive (HDD) and mount it on another known working system as a extra drive and attempt to run the tool from the other system.

CERBER decryption must be executed on the infected machine itself (as opposed to another machine) since the tool needs to try and locate the first infected file for a critical decryption calculation.

Due to the method of decryption for CERBER, the tool may take several hours (average is 4) to complete decryption on a standard Intel i5 dual-core machine.   In addition, the encryption logic for CERBER also is built in such a way that the more cores a CPU has, the lower percentage chance of success for the decryption because of its complexity.

Similar to some other types of ransomware encryption, some files may be only partially decrypted and may require a subsequent file repair.

Because this tool uses brute-force to calculate keys for Globe/Purge, decryption could take more than twenty (20) hours. The average decryption time varies from approximately ten (10) hours with a 4-core CPU machine to thirty (30) hours with a single-core PC machine.

To decrypt Globe/Purge V1, the decryption process must be run on the originally infected machine.

Please note that the tool cannot decrypt files on a FAT32 system due to a bug in the ransomware itself. This is also a limitation of the ransomware author's original decryption tool.

This tool searches for a private key in the ransomware process memory - which means it is only effective if the original WannaCry ransomware process still exists and is actively running. If the infected machine is rebooted, the ransomware process is somehow stopped after the initial infection, or any other situation occurs that would affect the process memory of the infection machine the decryption will fail. It is very important that users do not try and reboot their system before trying the tool.

It is currently unknown how long the prime numbers (related to the private key) will be stored in the memory address space before being reused or overwritten. Therefore it is highly advantageous to run this tool early in the infection chain rather than later.

Based on internal Trend Micro testing, this tool has the highest success rate on Windows XP (x86) machines compared to a very low rate on other versions of Windows - but individual users' success rate will vary.

The Petya tool has a special UI. To boot your OS back to normal, do the following:

  1. Select the Petya family on your machine from the ransomware note screen then choose a screen font color from the dropdown option.
  2. Enter your personal decryption code in the boxes found on the ransomware note screen.

     
    The decryption code is case sensitive.
  3. Click the Decrypt Key button to show the decrypt key in the text box.
  4. On the infected machine, enter the decrypt key from the tool and click Enter to reboot the machine and boot your OS back to normal.

Enter personal decryption code

Click image to enlarge

The Trend Micro Ransomware File Decryptor tools will extract itself to the following temporary folder during execution:

%User%\AppData\Local\Temp\TMRDTSelfExtract\

After the completion of a scan, a folder titled “log” will appear in this location which contains logs detailing the decryption process with various timestamps.

Example of the temp directory:

Temp directory example

Examples of logs in the log subfolder:

Logs in subfolder example

Beginning with version 1.0.1657, users may send feedback directly to Trend Micro via the tool by selecting the "Feedback" button from the main menu.  

Users may select one of the pre-populated answers, or select "Other" and add comments as desired.

userfeedback

Trend Micro has created a Computer Based Training (CBT) module for customers with instructions on how to run the tool. Please click here to view the module.

  • TeslaCrypt V1, V2 decryption tool now is in a separate package
  • CryptXXX V2, V3 decryption does not support plain text files
  • CryptXXX V3 decryption does not support archive files or decrypt file sizes larger than 13MB
  • IMPORTANT NOTE: Files encrypted by CryptXXX V3 cannot be fully recovered to 100% (partial recovery), please see the notes above under CryptXXX V3 Partial Recovery
  • CryptXXX V4, V5 decryption process may not be able to recover the original file name Decryption for each file could potentially take up to 2 hours
  • LeChiffre decryption should be done on the original infected machine because it requires machine name and user name
  • Teamxrat/Xpan decryption tool must be run on an infected machine
  • WannaCry (WCRY) decryption is only effective on an infected machine with the ransomware process still active.  Currently, only Windows XP (x86) has a high success rate of decryption.
  • The tool can only decrypt Petya families discovered in 2016 which encrypts NTFS’s MFT. You need another Windows machine to run the tool since the infected machine cannot be booted normally. This Petya family is different from EternalPetya family discovered in 2017.

RansomwareFileDecryptor

  • RansomwareFileDecryptor 1.0.1668 MUI.exe uploaded on November 16, 2017 at 17:40 GMT
  • MD5: 5a64a4425aead92b9d9e1891be7572e3
  • SHA-256: db8c550e5d92d913ea84ca29b59342eeba001d9c2beb8c2320f791346c1bc3cc

Related Solution