RakhniDecryptor tool for removing Trojan-Ransom.Win32.Rakhni malicious software (.oshit and others)

2016 May 24 ID: 10556

The malicious programs Trojan-Ransom.Win32.Rakhni, Trojan-Ransom.Win32.Agent.iih, Trojan-Ransom.Win32.Aura, Trojan-Ransom.Win32.Autoit, Trojan-Ransom.AndroidOS.Pletor, Trojan-Ransom.Win32.Rotor, Trojan-Ransom.Win32.Lamer, Trojan-Ransom.MSIL.Lortok, Trojan-Ransom.Win32.Cryptokluchen, Trojan-Ransom.Win32.Democry, and Trojan-Ransom.Win32.Bitman versions 3 and 4 are used by malefactors to encrypt files. The encrypted files are renamed so that their extensions change as follows:

  • <filename>.<original_extension>.<locked>
  • <filename>.<original_extension>.<kraken>
  • <filename>.<original_extension>.<darkness> 
  • <filename>.<original_extension>.<nochance> 
  • <filename>.<original_extension>.<oshit> 
  • <filename>.<original_extension>.<oplata@qq_com>
  • <filename>.<original_extension>.<relock@qq_com>
  • <filename>.<original_extension>.<crypto>
  • <filename>.<original_extension>.<helpdecrypt@ukr.net>
  • <filename>.<original_extension>.<pizda@qq_com>
  • <filename>.<original_extension>.<dyatel@qq_com>
  • <filename>.<original_extension>_crypt
  • <filename>.<original_extension>.<nalog@qq_com>
  • <filename>.<original_extension>.<chifrator@qq_com>
  • <filename>.<original_extension>.<gruzin@qq_com>  
  • <filename>.<original_extension>.<troyancoder@qq_com>
  • <filename>.<original_extension>.<encrypted>
  • <filename>.<original_extension>.<cry>
  • <filename>.<original_extension>.<AES256>
  • <filename>.<original_extension>.<enc>
  • <filename>.<original_extension>.<coderksu@gmail_com_id371>
  • <filename>.<original_extension>.<coderksu@gmail_com_id372>
  • <filename>.<original_extension>.<coderksu@gmail_com_id374>
  • <filename>.<original_extension>.<coderksu@gmail_com_id375>
  • <filename>.<original_extension>.<coderksu@gmail_com_id376>
  • <filename>.<original_extension>.<coderksu@gmail_com_id392>
  • <filename>.<original_extension>.<coderksu@gmail_com_id357>
  • <filename>.<original_extension>.<coderksu@gmail_com_id356>
  • <filename>.<original_extension>.<coderksu@gmail_com_id358>
  • <filename>.<original_extension>.<coderksu@gmail_com_id359>
  • <filename>.<original_extension>.<coderksu@gmail_com_id360>
  • <filename>.<original_extension>.<coderksu@gmail_com_id20>
  • <filename>.<crypt@india.com.random_characters>
  • <filename>.<original_extension>+<hb15>
Trojan-Ransom.Win32.Democry:
  • <file_name>.<original_extension>+<._date-time_$address@domain$.777>
Trojan-Ransom.Win32.Bitman version 3:
  • <file_name>.<xxx>
  • <file_name>.<ttt>
  • <file_name>.<micro>
  • <file_name>.<mp3>
Trojan-Ransom.Win32.Bitman version 4:
  • <file_name>.<original_extension> (name and extension are not changed)

For example:

Before: file.doc / After: file.doc.locked

Before: 1.doc / After: 1.dochb15

To regain control over the files encrypted by Trojan-Ransom.Win32.Rakhni, Trojan-Ransom.Win32.Aura, Trojan-Ransom.Win32.Agent.iih, Trojan-Ransom.Win32.Autoit, Trojan-Ransom.AndroidOS.Pletor, Trojan-Ransom.Win32.Rotor, Trojan-Ransom.Win32.Lamer, and Trojan-Ransom.Win32.Cryptokluchen, use the RakhniDecryptor utility developed by Kaspersky Lab specialists.
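To see which files carry the renamed-file patterns listed above before running the utility, a file-name classifier can be run over a directory listing. The following Python sketch is an added example, not part of the original article or of the RakhniDecryptor tool; the rule labels, the loose Democry date-time match, and the generalisation of the listed `coderksu@gmail_com_id` values to any numeric id are assumptions made for this example.

```python
import re
from collections import Counter

# Suffixes the page lists as appended after the original extension.
DOT_SUFFIXES = (
    "locked kraken darkness nochance oshit crypto encrypted cry AES256 enc "
    "oplata@qq_com relock@qq_com helpdecrypt@ukr.net pizda@qq_com dyatel@qq_com "
    "nalog@qq_com chifrator@qq_com gruzin@qq_com troyancoder@qq_com"
).split()
_ALT = "|".join(re.escape(s) for s in DOT_SUFFIXES)

# (label, pattern). The "orig" group is the file name before renaming.
# Labels are hypothetical names chosen for this example.
RULES = [(label, re.compile(rx, re.I)) for label, rx in [
    ("appended-suffix", r"^(?P<orig>.+)\.(?:%s)$" % _ALT),
    # Generalises the listed idNNN values to any numeric id (assumption).
    ("coderksu-id", r"^(?P<orig>.+)\.coderksu@gmail_com_id\d+$"),
    ("crypt-india", r"^(?P<orig>.+)\.crypt@india\.com\..+$"),
    ("underscore-crypt", r"^(?P<orig>.+\.[^.]+)_crypt$"),
    ("hb15", r"^(?P<orig>.+\.[^.]+)hb15$"),
    # Democry: date-time layout is not given on the page, so it is matched loosely.
    ("democry-777", r"^(?P<orig>.+?)\._.+_\$[^$]+@[^$]+\$\.777$"),
    # Bitman v3: the page's notation shows no original extension, so no name is
    # reconstructed; .mp3 is also a normal audio extension, so this is a weak hit.
    ("bitman-v3-weak", r"^.+\.(?:xxx|ttt|micro|mp3)$"),
]]
# Bitman v4 leaves name and extension unchanged, so it cannot be found by name.

def classify(name):
    """Return (label, original_name_or_None) for a file name, or None."""
    for label, rx in RULES:
        m = rx.match(name)
        if m:
            return label, m.groupdict().get("orig")
    return None

def triage(names):
    """Count matches per label; names that match nothing are skipped."""
    return Counter(hit[0] for hit in map(classify, names) if hit)

if __name__ == "__main__":
    # Constructed sample names, not taken from a real incident.
    sample = ["file.doc.locked", "1.dochb15", "a.xls_crypt", "song.mp3",
              "notes.txt", "r.xls._2016-05-23_$user@example.com$.777"]
    for n in sample:
        print(n, "->", classify(n))
    print(dict(triage(sample)))
```

A `bitman-v3-weak` hit on its own is not evidence of encryption; confirm by checking whether the file still opens as its apparent type.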

1. How to work with the utility

2. Parameters for running the utility from the command prompt