The Kaspersky RakhniDecryptor tool decrypts files that have been changed according to the following patterns:

• Trojan-Ransom.Win32.Conti:
  • <file_name>.KREMLIN
  • <file_name>.RUSSIA
  • <file_name>.PUTIN

• Trojan-Ransom.Win32.Ragnarok:
  • <file_name>.<ID>.thor
  • <file_name>.<ID>.odin
  • <file_name>.<ID>.hela

  For decryption, the utility asks for the file of the !!Read_Me.<ID>.html type.

• Trojan-Ransom.Win32.Fonix:
  • <file_name>.<original_file_extension>.Email=[<mail>@<server>.<domain>]ID=[<id>].XINOF
  • <file_name>.<original_file_extension>.Email=[<mail>@<server>.<domain>]ID=[<id>].FONIX
• Trojan-Ransom.Win32.Rakhni:
  • <file_name>.<original_file_extension>.locked
  • <file_name>.<original_file_extension>.kraken
  • <file_name>.<original_file_extension>.darkness
  • <file_name>.<original_file_extension>.oshit
  • <file_name>.<original_file_extension>.nochance
  • <file_name>.<original_file_extension>.oplata@qq_com
  • <file_name>.<original_file_extension>.relock@qq_com
  • <file_name>.<original_file_extension>.crypto
  • <file_name>.<original_file_extension>.helpdecrypt@ukr.net
  • <file_name>.<original_file_extension>.p***a@qq_com
  • <file_name>.<original_file_extension>.dyatel@qq_com
  • <file_name>.<original_file_extension>.nalog@qq_com
  • <file_name>.<original_file_extension>.chifrator@gmail_com
  • <file_name>.<original_file_extension>.gruzin@qq_com
  • <file_name>.<original_file_extension>.troyancoder@gmail_com
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id373
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id371
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id372
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id374
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id375
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id376
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id392
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id357
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id356
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id358
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id359
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id360
  • <file_name>.<original_file_extension>.coderksu@gmail_com_id20

• Trojan-Ransom.Win32.Mor: <file_name>.<original_file_extension>_crypt
• Trojan-Ransom.Win32.Autoit: <file_name>.<original_file_extension>.<_crypt@india.com_.letters>
• Trojan-Ransom.MSIL.Lortok:
  • <file_name>.<original_file_extension>.cry
  • <file_name>.<original_file_extension>.AES256
• Trojan-Ransom.MSIL.Yatron: <file_name>.<original_file_extension>.Yatron
• Trojan-Ransom.AndroidOS.Pletor: <file_name>.<original_file_extension>.enc
• Trojan-Ransom.Win32.Agent.iih: <file_name>.<original_file_extension>+<hb15>
• Trojan-Ransom.Win32.CryFile: <file_name>.<original_file_extension>.encrypted
• Trojan-Ransom.Win32.Democry:
  • <file_name>.<original_file_extension>+<._data-time_$email@domain$.777>
  • <file_name>.<original_file_extension>+<._data-time_$email@domain$.legion>
• Trojan-Ransom.Win32.GandCrypt:
  • version 4: <ile_name>.<original_file_extension>.KRAB
  • version 5: <ile_name>.<original_file_extension>.<line_of_random_characters>
• Trojan-Ransom.Win32.Bitman ver. 3:
  • <file_name>.xxx
  • <file_name>.ttt
  • <file_name>.micro
  • <file_name>.mp3
• Trojan-Ransom.Win32.Bitman ver. 4: <file_name>.<original_file_extension> (File name and its extension don't change).
• Trojan-Ransom.Win32.Libra:
  • <file_name>.encrypted
  • <file_name>.locked
  • <file_name>.SecureCrypted
• Trojan-Ransom.MSIL.Lobzik:
  • <file_name>.fun
  • <file_name>.gws
  • <file_name>.btc
  • <file_name>.AFD
  • <file_name>.porno
  • <file_name>.pornoransom
  • <file_name>.epic
  • <file_name>.encrypted
  • <file_name>.J
  • <file_name>.payransom
  • <file_name>.paybtcs
  • <file_name>.paymds
  • <file_name>.paymrss
  • <file_name>.paymrts
  • <file_name>.paymst
  • <file_name>.paymts
  • <file_name>.gefickt
  • <file_name>.uk-dealer@sigaint.org
• Trojan-Ransom.Win32.Mircop: <Lock>.<file_name>.<original_file_extension>
• Trojan-Ransom.Win32.Crusis (Dharma):
  • <file_name>.ID<…>.<mail>@<server>.<domain>.xtbl
  • <file_name>.ID<…>.<mail>@<server>.<domain>.CrySiS
  • <file_name>.id-<…>.<mail>@<server>.<domain>.xtbl
  • <file_name>.id-<…>.<mail>@<server>.<domain>.wallet
  • <file_name>.id-<…>.<mail>@<server>.<domain>.dhrama
  • <file_name>.id-<…>.<mail>@<server>.<domain>.onion
  • <file_name>.<mail>@<server>.<domain>.wallet
  • <file_name>.<mail>@<server>.<domain>.dhrama
  • <file_name>.<mail>@<server>.<domain>.onion

• Examples of some e-mail addresses used to spread malware:

  • webmafia@asia.com
  • braker@plague.life
  • crannbest@foxmail.com
  • amagnus@india.com
  • stopper@india.com
  • bitcoin143@india.com
  • worm01@india.com
  • funa@india.com
  • pay4help@india.com
  • lavandos@dr.com
  • mkgoro@india.com
• Trojan-Ransom.Win32.Crypren.afjh (FortuneCrypt) (File name and its extension don't change).
• Trojan-Ransom.Win32.Nemchig: <file_name>.<original_file_extension>.safefiles32@mail.ru
• Trojan-Ransom.Win32.Lamer:
  • <file_name>.<original_file_extension>.bloked
  • <file_name>.<original_file_extension>.cripaaaa
  • <file_name>.<original_file_extension>.smit
  • <file_name>.<original_file_extension>.fajlovnet
  • <file_name>.<original_file_extension>.filesfucked
  • <file_name>.<original_file_extension>.criptx
  • <file_name>.<original_file_extension>.gopaymeb
  • <file_name>.<original_file_extension>.cripted
  • <file_name>.<original_file_extension>.bnmntftfmn
  • <file_name>.<original_file_extension>.criptiks
  • <file_name>.<original_file_extension>.cripttt
  • <file_name>.<original_file_extension>.hithere
  • <file_name>.<original_file_extension>.aga
• Trojan-Ransom.Win32.Cryptokluchen:
  • <file_name>.<original_file_extension>.AMBA
  • <file_name>.<original_file_extension>.PLAGUE17
  • <file_name>.<original_file_extension>.ktldll
• Trojan-Ransom.Win32.Rotor:
  • <file_name>.<original_file_extension>..-.DIRECTORAT1C@GMAIL.COM.roto
  • <file_name>.<original_file_extension>..-.CRYPTSb@GMAIL.COM.roto
  • <file_name>.<original_file_extension>..-.DIRECTORAT1C8@GMAIL.COM.roto
  • <file_name>.<original_file_extension>.!______________DESKRYPTEDN81@GMAIL.COM.crypt
  • <file_name>.<original_file_extension>.!___prosschiff@gmail.com_.crypt
  • <file_name>.<original_file_extension>.!_______GASWAGEN123@GMAIL.COM____.crypt
  • <file_name>.<original_file_extension>.!_________pkigxdaq@bk.ru_______.crypt
  • <file_name>.<original_file_extension>.!____moskali1993@mail.ru___.crypt
  • <file_name>.<original_file_extension>.!==helpsend369@gmail.com==.crypt
  • <file_name>.<original_file_extension>.!-==kronstar21@gmail.com=--.crypt

• Trojan-Ransom.Win32.Chimera:
  • <file_name>.<original_file_extension>.crypt
  • <file_name>.<original_file_extension>.<4 random tokens>
• Trojan-Ransom.Win32.AecHu:
  • <file_name>.aes256
  • <file_name>.aes_ni
  • <file_name>.aes_ni_gov
  • <file_name>.aes_ni_0day
  • <file_name>.lock
  • <file_name>.decrypr_helper@freemail_hu
  • <file_name>.decrypr_helper@india.com
  • <file_name>.~xdata
• Trojan-Ransom.Win32.Jaff:
  • <file_name>.jaff
  • <file_name>.wlu
  • <file_name>.sVn
• Trojan-Ransom.Win32.Cryakl: email-<...>.ver-<...>.id-<...>.randomname-<...>.<random_extension>
• Trojan-Ransom.Win32.Maze: <file_name>.<original_file_extension>.<random_extension>
• Trojan-Ransom.Win32.Sekhmet: <file_name>.<original_file_extension>.<random_extension>
• Trojan-Ransom.Win32.Egregor: <file_name>.<original_file_extension>.<random_extension>

To learn more about technologies Kaspersky uses for malware protection, go to this page.

1. Download RakhniDecryptor.zip and extract the files from it. For instructions see this guide.
2. Open the folder with the extracted files.
3. Run the RakhniDecryptor.exe.
4. Read the License Agreement carefully and click Accept if you agree to all its terms.
5. Click the Change parameters link.

6. Select the objects to scan (hard drives / removable drives / network drives).
7. Select the checkbox Delete crypted files after decryption. In that case the tool will remove copies of encrypted files with extensions LOCKED, KRAKEN, DARKNESS etc.
8. Click OK.

9. Click Start scan.

10. Select the encrypted file and click Open.

11. Read the Warning and click OK.

Files will be decrypted.

File with CRYPT extension might be encrypted more than once. For example, if test.doc file was encrypted twice, the tool will decipher the first layer into the file test.1.doc.layerDecryptedKLR. In the tool performance report you will see: «Decryption success: disk:\path\test.doc_crypt -> dish:\path\test.1.doc.layerDecryptedKLR». You will need to decrypt this file once again. In case of successful decryption, the file will be saved under the original name test.doc.

For the sake of convenience and time saving, Kaspersky RakhniDecryptor supports the following command line parameters:

If the utility did not help, contact Kaspersky Customer Service by choosing the topic and filling out the form.