Downloading and Using the Trend Micro Ransomware File Decryptor

  • Solution ID:1114221
  • Last Updated:Apr. 19, 2018 12:07 AM (PST)
  • Applies to:Antivirus+ Security - 2016;Antivirus+ Security - 2017;Internet Security - 2016;Internet Security - 2017;Maximum Security - 2016;Maximum Security - 2017;OfficeScan - 10.6, 11.0;Premium Security - 2016;Premium Security - 2017;Worry-Free Business Security Services - 3.7, Worry-Free Business Security Services - 5.8, Worry-Free Business Security Services - 5.7;Worry-Free Business Security Services - 6.1, Worry-Free Business Security Services - 6.2, Worry-Free Business Security Services - 6.3;Worry-Free Business Security Standard/Advanced - 7.0, Worry-Free Business Security Standard/Advanced - 8.0, Worry-Free Business Security Standard/Advanced - 9.0;
  • Using the Trend Micro Ransomware File Decryptor Tool
As of May 21, 2017, limited decryption support for the WannaCry (WCRY) Ransomware has been added to this tool (primarily for Windows XP). Please read the notes and limitations below for more information.

This guide provides the instructions and location for downloading and using the latest Trend Micro Ransomware File Decryptor tool to attempt to decrypt files encrypted by certain ransomware families.

As an important reminder, the best protection against ransomware is preventing it from ever reaching your system.  While Trend Micro is constantly working to update our tools, ransomware writers are also constantly changing their methods and tactics, which can make previous versions of tools such as this one obsolete over time.

Customers are strongly encouraged to continue practicing safe security habits:

  1. Make sure you have regular offline or cloud backups of your most important and critical data.
  2. Ensure that you are always applying the latest critical updates and patches to your system OS and other key software (e.g. browsers).
  3. Install the latest versions of and apply best practice configurations of security solutions such as Trend Micro to provide mutli-layered security.

Trend Micro customers are encouraged to visit the following sites for more information on ransomware and prevention best practices:

Consumer (Home) customers may visit the following site: Consumer (Home) Customers' Guide on Ransomware: Introduction, Prevention and Trend Micro Security Solutions

Corporate (Business) customers may find additional information and guides here:  Corporate (Business) Customers' Guide on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products

Learn how your Trend Micro Consumer (Home) product protects you against the latest WCRY (WannaCry) Ransomware Attack. Click here.

Supported Ransomware Families

The following list describes the known ransomware-encrypted files types can be handled by the latest version of the tool.

RansomwareFile name and extension
CryptXXX V1, V2, V3* {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters
CryptXXX V4, V5 {MD5 Hash}.5 hexadecimal characters
TeslaCrypt V1** {original file name}.ECC
TeslaCrypt V2** {original file name}.VVV, CCC, ZZZ, AAA, ABC, XYZ
TeslaCrypt V3 {original file name}.XXX or TTT or MP3 or MICRO
TeslaCrypt V4 File name and extension are unchanged
SNSLocker {Original file name}.RSNSLocked
AutoLocky {Original file name}.locky
BadBlock {Original file name}
777 {Original file name}.777
XORIST {Original file name}.xorist or random extension
XORBAT {Original file name}.crypted
CERBER V1 {10 random characters}.cerber
Stampado {Original file name}.locked
Nemucod {Original file name}.crypted
Chimera {Original file name}.crypt
LECHIFFRE {Original file name}.LeChiffre
MirCop Lock.{Original file name}
Jigsaw {Original file name}.random extension
Globe/Purge V1: {Original file name}.purge
V2: {Original file name}.{email address + random characters}
V3: Extension not fixed or file name encrypted
DXXD V1: {Original file name}.{Original extension}dxxd
Teamxrat/Xpan V2: {Original filename}.__xratteamLucked
Crysis .{id}.{email address}.xtbl, .{id}.{email address}.crypt, .{id}.{email addres}.dharma, .{id}.{email address}.wallet
TeleCrypt {Original file name}
DemoTool .demoadc
WannaCry (WCRY) {Original file name}.WNCRY, {Original file name}.WCRY
Petya N/A

* - CryptXXX V3 decryption may not recover the entire file (partial data decryption). Please see the section titled Important Note about Decrypting CryptXXX V3 below.

** - Users will need to contact Trend Micro technical Support to request the separate tool TeslacryptDecryptor 1.0.xxxx MUI for TeslaCrypt V1 and V2 files. Both tools support V3 and V4. 

Obtaining and Executing the Tool(s)

  1. Click the Download button below to obtain the latest version of the Trend Micro Ransomware File Decryptor tool. Decompress (unzip) and then launch the included RansomwareFileDecryptor exe file.

    Download RansomwareFileDecryptor

  2. Upon launch, users will be required to accept the End User License Agreement (EULA) to proceed.
  3. After accepting the EULA, the tool will proceed to the main user interface (UI). From here, users will be presented with a step-by-step guide to perform the file decryption.


Detailed Steps
Important Note about Decrypting CryptXXX V3
Decrypting BadBlock
CERBER Decryption Limitations
Globe/Purge Decryption Limitations
WannaCry (WCRY) Decryption Limitations
Petya Decryption Key
Obtaining Tool Logs
Send User Feedback
Video How-to
Notes and Limitations
File Verification and Checksums

Related Solution