→Safety 101

Safety 101: Virus-fighting tools

Tool for decrypting files affected by Trojan-Ransom.Win32.Rannoh infection

Latest update: 2019 Jun 10 ID: 8547

If the system is infected by a malicious program of the family Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX, all files on the computer will be encrypted in the following way:

In case of a Trojan-Ransom.Win32.Rannoh infection, file names and extensions will be changed according to the template locked-<original_name>.<four_random_letters>.
In case of a Trojan-Ransom.Win32.Cryakl infection, the tag {CRYPTENDBLACKDC} is added to the end of file names.
In case of a Trojan-Ransom.Win32.AutoIt infection, extensions will be changed according to the template <original_name>@<mail server>_.<random_set_of_characters>.
Example: ioblomov@india.com_.RZWDTDIC.
In case of a Trojan-Ransom.Win32.CryptXXX infection, extensions will be changed according to the templates <original_name>.crypt, <original_name>.crypz, <original_name>.cryp1.

RannohDecryptor tool is designed to decrypt files dectypted by Trojan-Ransom.Win32.Polyglot, Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.Fury, Trojan-Ransom.Win32.Crybola, Trojan-Ransom.Win32.Cryakl or Trojan-Ransom.Win32.CryptXXX versions 1 and 2 and 3.