The Kaspersky RakhniDecryptor tool decrypts files that have been changed according to the following patterns:

• Trojan-Ransom.Win32.Rakhni:
  • <file_name>.<original_file_extension>.locked
  • <file_name>.<original_file_extension>.kraken
  • <file_name>.<original_file_extension>.darkness
  • <file_name>.<original_file_extension>.oshit
  • <file_name>.<original_file_extension>.nochance
  • <file_name>.<original_file_extension>.oplata@qq_com
  • <file_name>.<original_file_extension>.relock@qq_com
  • <file_name>.<original_file_extension>.crypto
  • <file_name>.<original_file_extension>.helpdecrypt@ukr.net
  • <file_name>.<original_file_extension>.p***a@qq_com
  • <file_name>.<original_file_extension>.dyatel@qq_com
  • <file_name>.<original_file_extension>.nalog@qq_com
  • <file_name>.<original_file_extension>.chifrator@gmail_com
  • <file_name>.<original_file_extension>.gruzin@qq_com
  • <file_name>.<original_file_extension>.troyancoder@gmail_com
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id373
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id371
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id372
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id374
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id375
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id376
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id392
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id357
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id356
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id358
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id359
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id360
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id20

• Trojan-Ransom.Win32.Mor: <file_name>.<original_file_extension>_crypt
• Trojan-Ransom.Win32.Autoit: <file_name>.<original_file_extension>.<_crypt@india.com_.letters>
• Trojan-Ransom.MSIL.Lortok:
  • <file_name>.<original_file_extension>.cry
  • <file_name>.<original_file_extension>.AES256
• Trojan-Ransom.AndroidOS.Pletor: <file_name>.<original_file_extension>.enc.
• Trojan-Ransom.Win32.Agent.iih: <file_name>.<original_file_extension>+<hb15>
• Trojan-Ransom.Win32.CryFile: <file_name>.<original_file_extension>.encrypted
• Trojan-Ransom.Win32.Democry:
  • <file_name>.<original_file_extension>+<._data-time_$email@domain$.777>
  • <file_name>.<original_file_extension>+<._data-time_$email@domain$.legion>
• Trojan-Ransom.Win32.GandCrypt:
  • version 4: <ile_name>.<original_file_extension>.KRAB
  • version 5: <ile_name>.<original_file_extension>.<line_of_random_characters>
• Trojan-Ransom.Win32.Bitman ver. 3:
  • <file_name>.xxx
  • <file_name>.ttt
  • <file_name>.micro
  • <file_name>.mp3
• Trojan-Ransom.Win32.Bitman ver. 4: <file_name>.<original_file_extension> (File name and its extension don’t change).
• Trojan-Ransom.Win32.Libra:
  • <file_name>.encrypted
  • <file_name>.locked
  • <file_name>.SecureCrypted
• Trojan-Ransom.MSIL.Lobzik:
  • <file_name>.fun
  • <file_name>.gws
  • <file_name>.btc
  • <file_name>.AFD
  • <file_name>.porno
  • <file_name>.pornoransom
  • <file_name>.epic
  • <file_name>.encrypted
  • <file_name>.J
  • <file_name>.payransom
  • <file_name>.paybtcs
  • <file_name>.paymds
  • <file_name>.paymrss
  • <file_name>.paymrts
  • <file_name>.paymst
  • <file_name>.paymts
  • <file_name>.gefickt
  • <file_name>.uk-dealer@sigaint.org
• Trojan-Ransom.Win32.Mircop: <Lock>.<file_name>.<original_file_extension>.
• Trojan-Ransom.Win32.Crusis (Dharma):
  • <file_name>.ID<…>.<mail>@<server>.<domain>.xtbl
  • <file_name>.ID<…>.<mail>@<server>.<domain>.CrySiS
  • <file_name>.id-<…>.<mail>@<server>.<domain>.xtbl
  • <file_name>.id-<…>.<mail>@<server>.<domain>.wallet
  • <file_name>.id-<…>.<mail>@<server>.<domain>.dhrama
  • <file_name>.id-<…>.<mail>@<server>.<domain>.onion
  • <file_name>.<mail>@<server>.<domain>.wallet
  • <file_name>.<mail>@<server>.<domain>.dhrama
  • <file_name>.<mail>@<server>.<domain>.onion

• Examples of some e-mail addresses used to spread malware:

  • webmafia@asia.com
  • braker@plague.life
  • crannbest@foxmail.com
  • amagnus@india.com
  • stopper@india.com
  • bitcoin143@india.com
  • worm01@india.com
  • funa@india.com
  • pay4help@india.com
  • lavandos@dr.com
  • mkgoro@india.com
• Trojan-Ransom.Win32.Nemchig: <file_name>.<original_file_extension>.safefiles32@mail.ru.
• Trojan-Ransom.Win32.Lamer:
  • <file_name>.<original_file_extension>.bloked
  • <file_name>.<original_file_extension>.cripaaaa
  • <file_name>.<original_file_extension>.smit
  • <file_name>.<original_file_extension>.fajlovnet
  • <file_name>.<original_file_extension>.filesfucked
  • <file_name>.<original_file_extension>.criptx
  • <file_name>.<original_file_extension>.gopaymeb
  • <file_name>.<original_file_extension>.cripted
  • <file_name>.<original_file_extension>.bnmntftfmn
  • <file_name>.<original_file_extension>.criptiks
  • <file_name>.<original_file_extension>.cripttt
  • <file_name>.<original_file_extension>.hithere
  • <file_name>.<original_file_extension>.aga
• Trojan-Ransom.Win32.Cryptokluchen:
  • <file_name>.<original_file_extension>.AMBA
  • <file_name>.<original_file_extension>.PLAGUE17
  • <file_name>.<original_file_extension>.ktldll
• Trojan-Ransom.Win32.Rotor:
  • <file_name>.<original_file_extension>..-.DIRECTORAT1C@GMAIL.COM.roto
  • <file_name>.<original_file_extension>..-.CRYPTSb@GMAIL.COM.roto
  • <file_name>.<original_file_extension>..-.DIRECTORAT1C8@GMAIL.COM.roto
  • <file_name>.<original_file_extension>.!______________DESKRYPTEDN81@GMAIL.COM.crypt
  • <file_name>.<original_file_extension>.!___prosschiff@gmail.com_.crypt
  • <file_name>.<original_file_extension>.!_______GASWAGEN123@GMAIL.COM____.crypt
  • <file_name>.<original_file_extension>.!_________pkigxdaq@bk.ru_______.crypt
  • <file_name>.<original_file_extension>.!____moskali1993@mail.ru___.crypt
  • <file_name>.<original_file_extension>.!==helpsend369@gmail.com==.crypt
  • <file_name>.<original_file_extension>.!-==kronstar21@gmail.com=--.crypt

• Trojan-Ransom.Win32.Chimera:
  • <file_name>.<original_file_extension>.crypt
  • <file_name>.<original_file_extension>.<4 random tokens>
• Trojan-Ransom.Win32.AecHu:
  • <file_name>.aes256
  • <file_name>.aes_ni
  • <file_name>.aes_ni_gov
  • <file_name>.aes_ni_0day
  • <file_name>.lock
  • <file_name>.decrypr_helper@freemail_hu
  • <file_name>.decrypr_helper@india.com
  • <file_name>.~xdata
• Trojan-Ransom.Win32.Jaff:
  • <file_name>.jaff
  • <file_name>.wlu
  • <file_name>.sVn

• Trojan-Ransom.Win32.Cryakl: email-<...>.ver-<...>.id-<...>.randomname-<...>.<randomextension>.

• Malware version	Email address
  CL 1.0.0.0	cryptolocker@aol.com iizomer@aol.com seven_Legion2@aol.com oduvansh@aol.com ivanivanov34@aol.com trojanencoder@aol.com load180@aol.com moshiax@aol.com vpupkin3@aol.com watnik91@aol.com
  1.0.0.0.u	cryptolocker@aol.com_graf1 cryptolocker@aol.com_mod byaki_buki@aol.com_mod2
  CL 1.2.0.0	oduvansh@aol.com cryptolocker@aol.com
  CL 1.3.0.0	cryptolocker@aol.com
  CL 1.3.1.0	byaki_buki@aol.com byaki_buki@aol.com_grafdrkula@gmail.com vpupkin3@aol.com

To learn more about technologies Kaspersky Lab uses for malware protection, go to this page.

1. Download RakhniDecryptor.zip and extract the files from it. For instructions see this guide.
2. Open the folder with the extracted files.
3. Run the RakhniDecryptor.exe.

• Click Change parameters link.

5. Select the objects to scan (hard drives / removable drives / network drives).
6. Select the checkbox Delete crypted files after decryption. In that case the tool will remove copies of encrypted files with extensions LOCKED, KRAKEN, DARKNESS etc.
7. Click OK.

8. Click Start scan.

9. Select the encrypted file and click Open.

10. Read the Warning and click OK.

Files will be decrypted.

File with CRYPT extension might be encrypted more than once. For example, if test.doc file was encrypted twice, the tool will decipher the first layer into the file test.1.doc.layerDecryptedKLR. In the tool performance report you will see: «Decryption success: disk:\path\test.doc_crypt -> dish:\path\test.1.doc.layerDecryptedKLR». You will need to decrypt this file once again. In case of successful decryption, the file will be saved under the original name test.doc.

For the sake of convenience and time saving, Kaspersky RakhniDecryptor supports the following command line parameters: