When malware encrypts files, it changes the file extensions. For example:

• before file.doc / after file.doc.locked
• before 1.doc / after 1.dochb15
• before 1.doc / after 1.doc._17-05-2016-20-27-37_$seven_legion@india.com$.777

The  RakhniDecryptor.zip   tool can decrypt the files encrypted according to the following templates:

• <file_name>.<original_extension>.<locked>
• <file_name>.<original_extension>.<kraken>
• <file_name>.<original_extension>.<darkness>
• <file_name>.<original_extension>.<oshit>
• <file_name>.<original_extension>.<nochance>
• <file_name>.<original_extension>.<oplata@qq_com>
• <file_name>.<original_extension>.<relock@qq_com>
• <file_name>.<original_extension>.<crypto>
• <file_name>.<original_extension>.<helpdecrypt@ukr.net>
• <file_name>.<original_extension>.<pizda@qq_com>
• <file_name>.<original_extension>.<dyatel@qq_com>
• <file_name>.<original_extension>.<nalog@qq_com>
• <file_name>.<original_extension>.<chifrator@gmail_com>
• <file_name>.<original_extension>.<gruzin@qq_com>
• <file_name>.<original_extension>.<troyancoder@gmail_com>
• <file_name>.<original_extension>.<coderksu@gmail_com_id373>
• <file_name>.<original_extension>.<coderksu@gmail_com_id371>
• <file_name>.<original_extension>.<coderksu@gmail_com_id372>
• <file_name>.<original_extension>.<coderksu@gmail_com_id374>
• <file_name>.<original_extension>.<coderksu@gmail_com_id375>
• <file_name>.<original_extension>.<coderksu@gmail_com_id376>
• <file_name>.<original_extension>.<coderksu@gmail_com_id392>
• <file_name>.<original_extension>.<coderksu@gmail_com_id357>
• <file_name>.<original_extension>.<coderksu@gmail_com_id356>
• <file_name>.<original_extension>.<coderksu@gmail_com_id358>
• <file_name>.<original_extension>.<coderksu@gmail_com_id359>
• <file_name>.<original_extension>.<coderksu@gmail_com_id360>
• <file_name>.<original_extension>.<coderksu@gmail_com_id20>

• <file_name>.<original_extension>_crypt

• <<file_name>.<original_extension>.<_crypt@india.com_.random characters>

• <file_name>.<original_extension>.<cry>
• <file_name>.<original_extension>.<AES256>

• <file_name>.<original_extension>.<enc>

• <file_name>.<original_extension>+<hb15>

• <file_name>.<original_extension>.<encrypted>

• <file_name>.<original_extension>+<._date-time_$email@domain$.777>
• <file_name>.<original_extension>+<._date-time_$email@domain$.legion>

• <file_name>.<xxx>
• <file_name>.<ttt>
• <file_name>.<micro>
• <file_name>.<mp3>

• <file_name>.<original_extension> (file name and extension are not changed)

To decrypt the files, do the following:

1. Download the  RakhniDecryptor.zip  archive, using a file archiver (for example, 7zip).
2. Run the RakhniDecryptor.exe file on the infected computer.
3. In the Kaspersky RakhniDecryptor window click the Change parameters link.

4. In the Settings window select the objects to scan (hard drives / removable drives / network drives).
5. Select the checkbox Delete crypted files after decryption (the utility will be deleting copies of original files with the .locked, .kraken and .darkness extensions).
6. Click ОК.

7. In the Kaspersky RakhniDecryptor, click Start scan.

8. In the Specify the path to one of encrypted files, select the file you need to restore and click Open.

9. The utility will start recovering the password. Please mind the Warning! window message.

10. Wait until the utility is done with decrypting the file (do not exit the program or shut down the computer).

The file can be encrypted with the _crypt extension more than once. For example, the file test.doc was encrypted twice. The first encryption layer will be decrypted to test.1.doc.layerDecryptedKLR. In the tool performance report, the line Decryption success: disk:\path\test.doc_crypt -> disk:\path\test.1.doc.layerDecryptedKLR will appear. You will need to decrypt this file using the tool once again. In case of successful decryption, the file will be saved under the original name test.doc.

If you know how to use the command line, using it may help make the decryption process quicker. The RakhniDecryptor tool supports the following command line parameters:

• To start the utility for multi-thread password cracking, use the command –threads
  For example: RakhniDecryptor.exe –threads 6
  The utility starts a 6-thread bruteforce. If the parameter is not specified, the number of threads corresponds to the number of cores.
  
• To restart password cracking from a certain value: –start <number>. To stop password cracking at a certain value: –end <number>.

• The lowest value is 0, the highest value is 1000000.

• All information about the password cracking process is saved to the report (C:\RakhniDecryptor.<version>_<date>_<creation_time>_log.txt).

• For example: 
  RakhniDecryptor.exe –start 123 – range [123, 1000000] 
  RakhniDecryptor.exe –start 100 –end 50000 – range [100, 50000] 
  RakhniDecryptor.exe –end 7000 – range [0, 7000] 
  RakhniDecryptor.exe – full range [0, 1000000]

• Specify the name of the file where the report will be saved.
• To display help for the command line options, press -h.