The Kaspersky RakhniDecryptor tool decrypts files that have been changed according to the following patterns:
Trojan-Ransom.Win32.Rakhni creates the exit.hhr.oshit file, which contains an encrypted password to the user’s files. If this file remains on the infected computer, decryption will take considerably less time. If the exit.hhr.oshit file was removed, recover it with software that restores deleted files, put it into the %APPDATA% folder, and re-run the utility scan. The exit.hhr.oshit file is located at: C:\Users\<user_name>\AppData\Roaming
If a file is encrypted with the CRYPT extension, decryption may take a long time. For example, on an Intel Core i5-2400 processor it may take approximately 120 days.
- Trojan-Ransom.Win32.Chimera:
  - <file_name>.<original_file_extension>.crypt
  - <file_name>.<original_file_extension>.<4 random tokens>
- Trojan-Ransom.Win32.AecHu:
  - <file_name>.aes256
  - <file_name>.aes_ni
  - <file_name>.aes_ni_gov
  - <file_name>.aes_ni_0day
  - <file_name>.lock
  - <file_name>.decrypr_helper@freemail_hu
  - <file_name>.decrypr_helper@india.com
  - <file_name>.~xdata
- Trojan-Ransom.Win32.Jaff:
  - <file_name>.jaff
  - <file_name>.wlu
  - <file_name>.sVn
- Trojan-Ransom.Win32.Cryakl: email-<...>.ver-<...>.id-<...>.randomname-<...>.<random_extension>
- Trojan-Ransom.Win32.Maze: <file_name>.<original_file_extension>.<random_extension>
- Trojan-Ransom.Win32.Sekhmet: <file_name>.<original_file_extension>.<random_extension>
- Trojan-Ransom.Win32.Egregor: <file_name>.<original_file_extension>.<random_extension>
If the file is encrypted by Trojan-Ransom.Win32.Maze, Trojan-Ransom.Win32.Sekhmet, or Trojan-Ransom.Win32.Egregor, the utility will ask for the file containing the ransom demands. Without this file, decryption is impossible. Possible names of this file are DECRYPT-FILES.txt, RECOVER-FILES.txt, or DECRYPT-FILES.html.
| Malware version | Email address |
| --- | --- |
| CL 1.0.0.0 | cryptolocker@aol.com, iizomer@aol.com, seven_Legion2@aol.com, oduvansh@aol.com, ivanivanov34@aol.com, trojanencoder@aol.com, load180@aol.com, moshiax@aol.com, vpupkin3@aol.com, watnik91@aol.com |
| 1.0.0.0.u | cryptolocker@aol.com_graf1, cryptolocker@aol.com_mod, byaki_buki@aol.com_mod2 |
| CL 1.2.0.0 | oduvansh@aol.com, cryptolocker@aol.com |
| CL 1.3.0.0 | cryptolocker@aol.com |
| CL 1.3.1.0 | byaki_buki@aol.com, byaki_buki@aol.com_grafdrkula@gmail.com, vpupkin3@aol.com |
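As an added example (not part of the original page or of Kaspersky's tool), the Python sketch below splits a file name in the Cryakl pattern into its fields and checks the version and e-mail pair against the table above. It assumes the `email-` and `ver-` fields hold the values in the table's two columns; the function names and the sample file names are constructed for illustration.

```python
import re

# Field markers come from the Cryakl pattern on this page. Assumption: each
# <...> field is free text, so a field ends where the next marker begins.
CRYAKL_NAME = re.compile(
    r"^email-(?P<email>.+?)\.ver-(?P<version>.+?)\.id-(?P<id>.+?)"
    r"\.randomname-(?P<randomname>.+)\.(?P<extension>[^.]+)$"
)

# Malware version -> e-mail values, copied from the table on this page.
PAGE_TABLE = {
    "CL 1.0.0.0": {
        "cryptolocker@aol.com", "iizomer@aol.com", "seven_Legion2@aol.com",
        "oduvansh@aol.com", "ivanivanov34@aol.com", "trojanencoder@aol.com",
        "load180@aol.com", "moshiax@aol.com", "vpupkin3@aol.com",
        "watnik91@aol.com",
    },
    "1.0.0.0.u": {"cryptolocker@aol.com_graf1", "cryptolocker@aol.com_mod",
                  "byaki_buki@aol.com_mod2"},
    "CL 1.2.0.0": {"oduvansh@aol.com", "cryptolocker@aol.com"},
    "CL 1.3.0.0": {"cryptolocker@aol.com"},
    "CL 1.3.1.0": {"byaki_buki@aol.com", "vpupkin3@aol.com",
                   "byaki_buki@aol.com_grafdrkula@gmail.com"},
}

def parse_cryakl(filename):
    """Return the fields of a Cryakl-style name, or None if it does not match."""
    m = CRYAKL_NAME.match(filename)
    return m.groupdict() if m else None

def classify(filename):
    """'listed' / 'unlisted' for Cryakl-shaped names, 'other' for anything else."""
    fields = parse_cryakl(filename)
    if fields is None:
        return "other"
    listed = fields["email"] in PAGE_TABLE.get(fields["version"], set())
    return "listed" if listed else "unlisted"

# Constructed sample names (ids, random names and extensions are made up).
SAMPLE = [
    "email-cryptolocker@aol.com.ver-CL 1.0.0.0.id-AAAA-0001.randomname-QWERTY.cbf",
    "email-byaki_buki@aol.com_mod2.ver-1.0.0.0.u.id-BBBB.randomname-ZXCV.abc",
    "email-someone@example.com.ver-CL 9.9.9.9.id-CCCC.randomname-ASDF.xyz",
    "report.docx.jaff",
]

if __name__ == "__main__":
    for name in SAMPLE:
        print(classify(name), name)
```

A name reported as `unlisted` has the Cryakl shape but carries a version and e-mail pair that does not appear in the table.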