Hit by ransomware?

We're here to fix that.

Use our free ransomware decryption tools to unlock your files without paying the ransom

Please note that these free tools are provided as-is and without warranty of any kind. The tools may only work with specific ransomware versions, and may not work with versions that were released after a tool was created. Technical support for the tools is available only to customers using a paid Emsisoft product.

icon
[May, 17, 2016] - Version: 1.0.0.29

777 decryptor

Use this decrypter if your files have been encrypted and renamed to *.777. It may be necessary to select the correct version of the malware in the options tab for the decrypter to work properly.

Download
160012 downloads
icon
[Sep, 28, 2016] - Version: 1.0.0.51

Al-Namrood decryptor

The Al-Namrood ransomware is a fork of the Apocalypse ransomware. The group behind it primarily attacks servers that have remote desktop services enabled. Encrypted files are renamed to .unavailable or .disappeared and for each file a ransom note is created with the name *.Read_Me.Txt. The ransomware asks the victim to contact "[email protected]" or "[email protected]". To decrypt your files the decrypter requires your ID. The ID can be set within the "Options" tab. By default the decrypter will set the ID to the ID that corresponds to the system the decrypter runs on. However, if that is not the same system the malware infection and encryption took place on, make sure to put in the ID as specified in the ransom note.

Download
71422 downloads
icon
[Jun, 12, 2016] - Version: 1.0.0.24

Apocalypse decryptor

Use this decrypter if your files have been encrypted and renamed to .encrypted, .FuckYourData, .Encryptedfile or .SecureCrypted with ransom notes named .How_To_Decrypt.txt, .Where_my_files.txt, .How_to_Recover_Data.txt or .Contact_Here_To_Recover_Your_Files.txt created for each encrypted file. The ransom note asks you to contact "[email protected]", "[email protected]", "[email protected]" or "[email protected]".

Download
71392 downloads
icon
[Jun, 18, 2016] - Version: 1.0.0.34

ApocalypseVM decryptor

Use this decrypter if your files have been encrypted and renamed to .encrypted or .locked with ransom notes named .How_To_Decrypt.txt, .README.txt, .How_to_Decrypt_Your_Files.txt or .How_To_Get_Back.txt created for each encrypted file. The ransom note asks you to contact "[email protected]", "[email protected]" or "[email protected]" and contains a personal ID. To use the decrypter you will require an encrypted file of at least 4096 bytes in size as well as its unencrypted version. To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.

Download
63935 downloads
icon
[Jul, 7, 2022] - Version: 1.0.0.0

AstraLocker decryptor

AstraLocker is a ransomware based on the leaked Babuk source code, and encrypts files using a modified HC-128 encryption algorithm, and Curve25519. The extension ".Astra" or ".babyk" is appended to files.

Download
23205 downloads
icon
[Apr, 1, 2019] - Version: 1.0.0.10

Aurora decryptor

Aurora is a ransomware family that encrypts files using XTEA and RSA, and may also be known as "Zorro", "Desu", or "AnimusLocker". Known extensions include ".Aurora", ".aurora", ".animus", ".ONI", ".Nano", ".cryptoid", ".peekaboo", ".isolated", ".infected", ".locked", ".veracrypt", ".masked", ".crypton", ".coronolock", ".bukyak", ".serpom", and ".systems32x".

Download
65672 downloads
icon
[Apr, 16, 2016] - Version: 1.0.0.11

AutoLocky decryptor

Use this decrypter if your files have been encrypted and renamed to *.locky, but the file base name is still unchanged, and you find a ransom note named info.txt or info.html on your Desktop.

Download
184404 downloads
icon
[May, 28, 2016] - Version: 1.0.0.174

BadBlock decryptor

Use this decrypter if your files have been encrypted but not renamed. The malware identifies itself as BadBlock both in the red ransomware screen as well as in the ransomnote "Help Decrypt.html" that can be found on the Desktop.

Download
51269 downloads
icon
[May, 2, 2017] - Version: 1.0.0.54

Cry128 decryptor

Cry128 belongs to the CryptON/Nemesis ransomware family that is mostly used for targetted attacks via RDP. Files are encrypted using a customized version of AES and RSA. We have seen the following extensions being used by Cry128: ".fgb45ft3pqamyji7.onion.to.", ".idgebdp3k7bolalnd4.onion.", ".id_2irbar3mjvbap6gt.onion.to." and ".id-_[qg6m5wo7h3id55ym.onion.to].63vc4".

Download
85637 downloads
icon
[Apr, 6, 2017] - Version: 1.0.0.41

Cry9 decryptor

Cry9 is the successor of the CryptON ransomware family that is mostly used for targetted attacks via RDP. Files are encrypted using a customized version of AES, RSA and SHA-512. We have seen the following extensions being used by Cry9: ".-juccy[a]protonmail.ch", ".id-", ".id-_[[email protected]].xj5v2", ".id-_r9oj", ".id-x3m", ".id-[[email protected]]_[[email protected]].x3m", ".", ".-sofialobster[a]protonmail.ch" and ".[wqfhdgpdelcgww4g.onion.to].r2vy6".

Download
81983 downloads
icon
[Mar, 7, 2017] - Version: 1.0.0.41

CryptON decryptor

CryptON aka Nemesis aka X3M is a ransomware family that is mostly used for targetted attacks via RDP. Files are encrypted using a mix of RSA, AES-256 and SHA-256. We have seen the following extensions being used by CryptON: ".id-_locked", ".id-_locked_by_krec", ".id-_locked_by_perfect", ".id-_x3m", ".id-_r9oj", ".id-[email protected]", ".id-[email protected]", ".id-[email protected]", ".id-[email protected]", ".id-[email protected]" and ".id-[email protected]".

Download
129611 downloads
icon
[Apr, 11, 2019] - Version: 1.0.0.0

CryptoPokemon decryptor

CryptoPokemon uses SHA256 and AES-128 to capture victim's files, and adds the extension ".CRYPTOPOKEMON". The victim is then presented a ransom note and website claiming to be "PokemonGO".

Download
29898 downloads
icon
[Sep, 14, 2020] - Version: 1.0.0.0

Cyborg decryptor

The Cyborg ransomware first appeared in late 2019, and encrypts its victims files using AES-256. Known extensions include ".petra", ".EncryptedFilePayToGetBack", ".Cyborg1", and ".LockIt".

Download
57074 downloads
icon
[Mar, 11, 2017] - Version: 1.0.0.12

Damage decryptor

Damage is a ransomware written in Delphi. It uses a combination of SHA-1 and Blowfish to encrypt the first and last 8 kb of a file. Encrypted files have the extension ".damage" and the ransom note, which is named "[email protected][COMPUTERNAME].txt", asks to contact "[email protected]".

Download
74032 downloads
icon
[Feb, 18, 2016] - Version: 1.0.0.187

DMALocker2 decryptor

Use this decrypter if your files have been encrypted but not renamed. The malware identifies itself as DMA Locker and the ID is "DMALOCK 43:41:90:35:25:13:61:92".

Download
51152 downloads
icon
[Sep, 16, 2016] - Version: 1.0.0.31

Fabiansomware decryptor

Use this decrypter if your files have been encrypted and renamed to .encrypted with ransom notes named .How_To_Decrypt_Your_Files.txt. The ransom note asks you to contact "[email protected]", "[email protected]" or "[email protected]". To use the decrypter you will require a file pair containing both an encrypted file and its non-encrypted original version. It is important to use a file pair that is as large as possible, as it determines the maximum file size up to which the decrypter will be able to decrypt your files. Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory.

Download
41954 downloads
icon
[Sep, 18, 2016] - Version: 1.0.0.13

FenixLocker decryptor

Use this decrypter if your files have been encrypted by the FenixLocker ransomware. FenixLocker encrypts files and renames them by appending the "[email protected]!!" extension. It leaves behind a ransom note named "CryptoLocker.txt" or "Help to decrypt.txt" on your Desktop, instructing you to contact "[email protected]". To start the decrypter simply drag and drop one of your encrypted files onto the decrypter executable.

Download
100414 downloads
icon
[Oct, 3, 2019] - Version: 1.0.0.0

GalactiCrypter decryptor

The GalactiCrypter ransomware encrypts its victims files with AES-256 and prepends the filename with "ENCx45cR"; for example, "ENCx45cRChrysanthemum.jpg".

Download
32732 downloads
icon
[May, 22, 2019] - Version: 1.0.0.0

GetCrypt decryptor

GetCrypt is a ransomware spread by the RIG exploit kit, and encrypts victim's files using Salsa20 and RSA-4096. It appends a random 4-character extension to files that is unique to the victim.

Download
73154 downloads
icon
[Oct, 1, 2016] - Version: 1.0.0.11

Globe decryptor

Globe is a ransomware kit that was first discovered at the end of August. Files are encrypted using Blowfish. Since the extension of encrypted files is configurable, several different file extensions are possible. The most commonly used extensions are .purge, .globe and [email protected].!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg.xtbl. To use the decrypter you will require a file pair containing both an encrypted file and its non-encrypted original version. It is important to use a file pair that is as large as possible, as it determines the maximum file size up to which the decrypter will be able to decrypt your files. Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory.

Download
80298 downloads
icon
[Oct, 8, 2016] - Version: 1.0.0.18

Globe2 decryptor

Globe2 is a ransomware kit that was first discovered at the beginning of October. Globe2 encrypts files and optionally file names using RC4. Since the extension of encrypted files is configurable, several different file extensions are possible. The most commonly used extensions are .raid10, .blt, .globe, .encrypted and .[[email protected]]. To use the decrypter you will require a file pair containing both an encrypted file and its non-encrypted original version. Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory. If file names are encrypted, please use the file size to determine the correct file. Encrypted and original file will have exactly the same size.

Download
83809 downloads
icon
[Jan, 4, 2017] - Version: 1.0.0.22

Globe3 decryptor

Globe3 is a ransomware kit that we first discovered at the beginning of 2017. Globe3 encrypts files and optionally filenames using AES-256. Since the extension of encrypted files is configurable, several different file extensions are possible. The most commonly used extensions are .decrypt2017 and .hnumkhotep. To use the decrypter, you will require a file pair containing both an encrypted file and its non-encrypted original version. Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory. If file names are encrypted, please use the file size to determine the correct file. The encrypted and the original file will have the same size for files greater than 64 kb.

Download
78209 downloads
icon
[Dec, 23, 2016] - Version: 1.0.0.35

GlobeImposter decryptor

GlobeImposter is a Globe copycat that imitates the ransom notes and file extension found in the Globe ransomware kit. Encrypted files have the extension *.crypt and the base name of the file is unchanged. The ransom note is named "HOW_OPEN_FILES.hta" and can be found in all folders that contain encrypted files.

Download
110366 downloads
icon
[Jan, 25, 2016] - Version: 1.0.0.172

Gomasom decryptor

Use this decrypter if files have been encrypted, renamed to *.crypt and the file name contains an email address to contact.

Download
60086 downloads
icon
[Mar, 25, 2019] - Version: 1.0.0.0

HKCrypt decryptor

HKCrypt (also known as "Hacked Ransomware") first appeared in late 2017, and encrypts a victim's files using the RC4 algorithm, then adds the extension ".hacked" to files. The malware pretends to be running a Windows update, then shows a lock screen telling the victim to contact "[email protected]".

Download
44315 downloads
icon
[Jul, 12, 2019] - Version: 1.0.0.0

Ims00rry decryptor

The Ims00rry ransomware encrypts files using AES-128, and does not add an extension. Instead, the text "---shlangan AES-256---" is prepended to the file contents. The victim is asked to contact the criminals on Telegram @Ims00rybot.

Download
27458 downloads
icon
[Aug, 8, 2019] - Version: 1.0.0.1

JSWorm 4.0 decryptor

JSWorm 4.0 is a ransomware written in C++ that uses a modified version of AES-256 to encrypt files, and adds the extension ".[ID-][].JSWRM to files.

Download
37948 downloads
icon
[Jan, 12, 2017] - Version: 1.0.0.116

Marlboro decryptor

The Marlboro ransomware was first seen on January 11th, 2017. It is written in C++ and uses a simple XOR based encryption algorithm. Encrypted files are renamed to ".oops". The ransom note is stored inside a file named "_HELP_RecoverFiles.html" and includes no further point of contact.
Due to a bug in the malware's code, the malware will truncate up to the last 7 bytes from files it encrypts. It is, unfortunately, impossible for the decrypter to reconstruct these bytes.

Download
56036 downloads
icon
[May, 2, 2019] - Version: 1.0.0.2

MegaLocker decryptor

MegaLocker encrypts a victim's files using AES-128 ECB, and adds the extension ".nampohyu" to files. The ransom note "!DECRYPT_INSTRUCTION.TXT" instructs the victim to go to a Tor website to contact the criminals.

Download
59655 downloads
icon
[Jan, 12, 2017] - Version: 1.0.0.61

MRCR decryptor

MRCR or Merry X-Mas is a ransomware family that first appeared in December last year. It is written in Delphi and uses a custom encryption algorithm. Encrypted files will have either ".PEGS1", ".MRCR1", ".RARE1", ".MERRY", or ".RMCM1" as an extension. The ransom note is named "YOUR_FILES_ARE_DEAD.HTA" or "MERRY_I_LOVE_YOU_BRUCE.HTA" and asks victims to contact either "[email protected]" or "comodosecurity" via the secure mobile messenger Telegram.

Download
72869 downloads
icon
[Mar, 22, 2016] - Version: 1.0.0.26

Nemucod decryptor

Use this decrypter if your files have been renamed to *.crypted and you find a ransomnote named DECRYPT.txt on your desktop. To use the decrypter you will require an encrypted file of at least 4096 bytes in size as well as its unencrypted version. To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.

Download
106674 downloads
icon
[Jul, 13, 2017] - Version: 1.0.0.80

NemucodAES decryptor

NemucodAES is a new variant of the Nemucod ransomware family. Written in a combination of JavaScript and PHP it uses AES and RSA in order to encrypt your files. Encrypted files will keep their original file names and a ransom note named "DECRYPT.hta" can be found on your Desktop.

Download
129914 downloads
icon
[Nov, 29, 2016] - Version: 1.0.0.15

NMoreira decryptor

Use this decrypter if your files have been renamed to either .maktub or .__AiraCropEncrypted! and you find a ransom note named either "Recupere seus arquivos. Leia-me!.txt" or "How to decrypt your files.txt" on your system.

Download
91395 downloads
icon
[Dec, 30, 2016] - Version: 1.0.0.34

OpenToYou decryptor

OpenToDecrypt is a ransomware written in the Delphi programming language that encrypts your files using the RC4 encryption algorithm. Encrypted files get renamed to *[email protected] and a ransom note named "!!!.txt" can be found on your Desktop.

Download
44468 downloads
icon
[Nov, 23, 2016] - Version: 1.0.0.30

OzozaLocker decryptor

Use this decrypter if your files have been renamed to *.locked and you find a ransom note named "HOW TO DECRYPT YOU FILES.txt" on your desktop. Double clicking an encrypted file will also display a message box instructing you to contact "[email protected]". To use the decrypter you will require an encrypted file of at least 510 bytes in size as well as its unencrypted version. To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.

Download
56481 downloads
icon
[Oct, 30, 2019] - Version: 1.0.0.2

Paradise decryptor

The Paradise ransomware encrypts victims using Salsa20 and RSA-1024, and appends one of several extensions such as ".paradise", "2ksys19", ".p3rf0rm4", ".FC", ".CORP", and ".STUB"

Download
46961 downloads
icon
[Mar, 19, 2019] - Version: 1.0.0.0

PewCrypt decryptor

PewCrypt is a ransomware written in Java that uses AES and RSA to encrypt a victim's files, adding the extension ".PewCrypt". The malware then asks the victim to subscribe to PewDiePie.

Download
37399 downloads
icon
[Sep, 10, 2016] - Version: 1.0.0.17

Philadelphia decryptor

Philadelphia is a ransomware kit offered within various hacking communities. Written in AutoIt, it encrypts files using AES-256 encryption, file names using RC4 encryption and uses the *.locked file extension. It is based on a similar ransomware kit called "Stampado" that is written by the same author. To use the decrypter you will require a file pair containing both an encrypted file and its non-encrypted original version. Due to the file name encryption this can be a bit tricky. The best way is to simply compare file sizes. Encrypted files will have the size of the original file rounded up to the next 16 byte boundary. So if a the original file was 1020 bytes large, the encrypted file will be 1024. Select both the encrypted and non-encrypted file and drag and drop both of them onto the decrypter file in your download directory.

Download
61575 downloads
icon
[Apr, 4, 2019] - Version: 1.0.0.0

Planetary decryptor

Planetary is a ransomware family that uses AES-256 to encrypt files, adding the extension ".mira", ".yum", ".Neptune", or ".Pluto" - the latter of which give this ransomware its name. The ransom note "!!!READ_IT!!!.txt" then asks the victim to contact "[email protected]".

Download
42661 downloads
icon
[Jun, 4, 2020] - Version: 1.1.0.0

RedRum decryptor

RedRum Ransomware encrypts victim's files using AES256 GCM and RSA-1024, adding the extension ".id-.[].redrum" or ".id-.[].thanos" to files.

Download
31987 downloads
icon
[Jul, 22, 2016] - Version: 1.0.0.205

Stampado decryptor

Stampado is a ransomware kit offered within various hacking communities. Written in AutoIt, it encrypts files using AES-256 encryption and renames them to *.locked. Known variants of this ransomware ask victims to contact [email protected], [email protected], [email protected], [email protected] or [email protected] to facilitate payment. In order for the decrypter to work you will require both the email you are asked to contact as well as your ID. Please keep in mind that both are case sensitive, so proper capitalization does matter. Please put both information into the appropriate fields in the options tab.
Since version 1.17.0 each Stampado infection also has a unique "salt" that is specific to the ransomware buyer. The salt can either be specified manually or detected automatically. In order to determine the salt automatically the ransomware has to be running on the system. Fill in the ID and email address and click the "Detect ..." button next to the salt input field.
If the malware has already been removed, please don't attempt to reinfect yourself. Instead submit the malware file via email to [email protected] so I can extract the correct salt for you. You can also try the pre-configured salts that have been used by known Stampado campaigns in the wild so far.

Download
70627 downloads
icon
[Oct, 18, 2019] - Version: 1.0.0.0

STOP Puma decryptor

The STOP Puma ransomware encrypts victim's files and appends the extension ".puma", ".pumas", or ".pumax" to files. Other supported extensions also include ".INFOWAIT" and ".DATAWAIT".

Download
418342 downloads
icon
[Aug, 19, 2021] - Version: 1.1.0.0

SynAck decryptor

SynAck is a ransomware that was first spotted in 2017, and encrypts files using either ECIES and AES-256, or RSA-2048 and AES-256.

Download
32829 downloads
icon
[Nov, 22, 2019] - Version: 1.0.0.1

TurkStatik decryptor

The TurkStatik ransomware targets Turkish victims and encrypts their files using Rijndael 256. It appends the ".ciphered" extension to the encrypted files.

Download
45392 downloads
icon
[Sep, 25, 2019] - Version: 1.0.0.0

WannaCryFake decryptor

This ransomware pretends to be WannaCry by using the extension ".WannaCry". WannaCryFake uses AES-256 to encrypt it's victim's files, and displays a note that mimics Phobos.

Download
47505 downloads
icon
[May, 17, 2016] - Version: 1.0.0.33

Xorist decryptor

Use this decrypter if your files have been encrypted by the Xorist ransomware. Typical extensions used by Xorist include .EnCiPhErEd, .0JELvV, .p5tkjw, .6FKR8d, .UslJ6m, .n1wLp0, .5vypSa and .YNhlv1. The ransomnote can usually be found on the Desktop with the name "HOW TO DECRYPT FILES.txt". To use the decrypter you will require an encrypted file of at least 144 bytes in size as well as its unencrypted version. To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.

Download
97615 downloads
icon
[Jul, 7, 2022] - Version: 1.0.0.0

Yashma decryptor

Yashma is a ransomware distributed under the name of "AstraLocker 2.0", and is based on the Chaos ransomware builder, using a combination of AES-128 and RSA-2048 to encrypt files. It was distributed under the name of "AstraLocker 2.0". The extension ".AstraLocker", or a random 4-character alphanumeric extension is appended to files.

Download
8806 downloads
icon
[Jun, 8, 2020] - Version: 1.0.0.0

Zorab decryptor

Zorab pretends to be a ransomware decryptor, but instead re-encrypts it's victims files with AES-256 and adds the extension ".ZRB" to files.

Download
44656 downloads