- Download the RannohDecryptor.zip archive.
- Run RannohDecryptor.exe on the infected computer.
- Carefully read through the End User License Agreement. If you agree with all the terms, click Accept.
- If you want the utility to automatically remove the decrypted files, do the following:
- In the main window, click Change parameters.
-
Select the Delete crypted files after decryption checkbox.

- In the main window, click Start scan.

- Specify the path to the encrypted file.
- To decrypt some files, the utility will request the original (not encrypted) copy of one encrypted file. You can find such a copy in your mail, on a removable drive, on your other computers, or in cloud storage. Click Continue and specify the path to the original file.
If the file is encrypted by Trojan-Ransom.Win32.CryptXXX, indicate the largest files. Only the files of this size or smaller ones will be decrypted.
- Wait until the encrypted files are found and decrypted.
If the file was encrypted by Trojan-Ransom.Win32.Cryakl, Trojan-Ransom.Win32.Polyglot, or Trojan-Ransom.Win32.Fury, the tool will save the file at its previous location with the extension .decryptedKLR.original_extension. If you selected the Delete crypted files after decryption checkbox, the tool will save the decrypted files with their original name.
If the file was encrypted by Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.Cryakl, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.CryptXXX, Trojan-Ransom.Win32.Crybola or Trojan-Ransom.Win32.Yanluowang, the tool will save the file at its previous location with the original extension.
By default, the tool log is saved on the system disk with the operating system installed. Log file name is: UtilityName.Version_Date_Time_log.txt. For example, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt