Ransomware, crypto viruses/cryptoware, hostage software

Ransomware, crypto viruses and cryptoware: what can and cannot be recovered.

A question frequently asked by victims of cybercrime: what can you recover in the case of ransomware, crypto viruses and cryptoware?

In the worst case, all that remains is a search for previously deleted files and a so-called "signature search". This checks whether usable data can still be recovered from the "unallocated area" of the storage medium. The files that were not infected/encrypted are collected as well. The alternative is to pay and hope that the key is delivered.

In other situations Kroll Ontrack has decryption software or a decryption process. An overview of the options*:
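Added example, not code from the original page or from Kroll Ontrack: a minimal "signature search" (file carving) over a raw image, which recovers files from unallocated space by their header and trailer bytes, plus the extension-based triage that sets intact files apart from encrypted ones. The signature table, the sample image and the extension list (taken from the table below) are constructed for illustration.

```python
# Header/trailer byte signatures for formats that carve cleanly. Formats with no
# fixed trailer (most ZIP-based Office files) need size parsing instead.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image: bytes, max_size: int = 50 * 1024 * 1024):
    """Signature search: return (offset, kind, data) for every header that has a
    matching trailer within max_size bytes. Headers without a trailer (truncated
    or overwritten files) are skipped rather than guessed at."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_size)
            if end == -1:
                pos = image.find(head, pos + 1)
                continue
            end += len(tail)
            found.append((pos, kind, image[pos:end]))
            pos = image.find(head, end)
    return sorted(found)

# A few extensions from the table on this page that mark a file as encrypted.
ENCRYPTED_EXTS = (".locky", ".crypt38", ".wncry", ".zyklon", ".locked")

def split_by_extension(names, encrypted_exts=ENCRYPTED_EXTS):
    """Separate filenames into (intact, encrypted) by the appended extension,
    so intact files can be collected while the rest wait for a decryptor."""
    intact, encrypted = [], []
    for name in names:
        (encrypted if name.lower().endswith(encrypted_exts) else intact).append(name)
    return intact, encrypted

def build_sample_image() -> bytes:
    """Constructed raw image: slack, an intact JPEG, random bytes, an intact PDF
    and a PNG whose trailer was overwritten (so it must not be 'recovered')."""
    jpeg = b"\xFF\xD8\xFF\xE0" + b"J" * 40 + b"\xFF\xD9"
    pdf = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n%%EOF\n"
    png_cut = b"\x89PNG\r\n\x1a\n" + b"P" * 20
    return b"\x00" * 64 + jpeg + b"\x00" * 32 + pdf + b"\xAB" * 16 + png_cut + b"\x00" * 8

if __name__ == "__main__":
    for off, kind, data in carve(build_sample_image()):
        print(f"{kind} at offset {off}: {len(data)} bytes")
    print(split_by_extension(["Thesis.doc", "Thesis.doc.locky", "budget.xlsx.WNCRY"]))
```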

| Ransomware | Kroll Solution | Extension |
|---|---|---|
| 777 | Have decrypt software for this | .777 |
| 7ev3n | Have decrypt software for this | .R4A, .R5A |
| 7h9r | No specific tools, possible undelete/sigsearch | .7h9r |
| 8Lock8 | Have decrypt software/process for this | .8lock8 |
| AES_NI | No specific tools, possible undelete/sigsearch | |
| Alcatraz | Have decrypt software for this | .Alcatraz |
| Alfa | Have decrypt software for this | .bin |
| Alma | Have decrypt software for this | random |
| Al-Namrood | Have decrypt software for this | .unavailable or .disappeared |
| Alpha | Have decrypt software for this | .encrypt |
| Amba | No specific tools, possible undelete/sigsearch | .amba |
| Amnesia | No specific tools, possible undelete/sigsearch | .amnesia |
| Angler | No specific tools, possible undelete/sigsearch | |
| Angry Duck | | .adk |
| Apocalypse | Have decrypt software for this | .encrypted, .SecureCrypted, .FuckYourData, .unavailable, .bleepYourFiles, .Where_my_files.txt |
| ApocalypseVM | | .encrypted, .locked |
| AutoIt - See Rannoh | Have decrypt software for this | |
| AutoLocky | Have decrypt software for this | .locky |
| AxCrypter | No specific tools, possible undelete/sigsearch | |
| BadBlock | Have decrypt software for this | |
| BaksoCrypt | | .adr |
| BankAccountSummary | No specific tools, possible undelete/sigsearch | |
| Bart | Have decrypt software for this | .bart.zip, .perl |
| BitCryptor | Have decrypt software for this | |
| BitMessage | No specific tools, possible undelete/sigsearch | |
| BITSTAK | Have decrypt software for this | .bitstak |
| Black Shades | No specific tools, possible undelete/sigsearch | .silent |
| Blocatto | No specific tools, possible undelete/sigsearch | |
| Booyah | No specific tools, possible undelete/sigsearch | |
| Brazilian Ransomware | No specific tools, possible undelete/sigsearch | |
| BrickerBot | No specific tools, possible firmware fix or possible undelete/sigsearch | |
| BuyUnlockCode | No specific tools, possible undelete/sigsearch | |
| Cerber | No specific tools, possible undelete/sigsearch | |
| Chimera | Have decrypt software for this | |
| CoinVault | Have decrypt software for this | |
| Coverton | No specific tools, possible undelete/sigsearch | |
| Cryakl - See Rannoh | Have decrypt software for this | |
| Crybola - See Rannoh | Have decrypt software for this | |
| CryFile | No specific tools, possible undelete/sigsearch | |
| CrypBoss | Have decrypt software for this | |
| Crypen | Have decrypt software for this | .encrypted |
| Crypt0L0cker | No specific tools, possible undelete/sigsearch | |
| Crypt38 | Have decrypt software for this | .crypt38 |
| Crypt888 | Have decrypt software for this | Crypt888 adds Lock. to the beginning of filenames |
| CryptInfinite | Have decrypt software for this | |
| CryptMic | No specific tools, possible undelete/sigsearch | |
| CryptoDefense | Have decrypt software for this | |
| CryptoFinancial | | |
| CryptoFortress | No specific tools, possible undelete/sigsearch | |
| CryptoHasYou | No specific tools, possible undelete/sigsearch | |
| CryptoHitman | No specific tools, possible undelete/sigsearch | .porno |
| CryptoHost | Have decrypt process for this | |
| CryptoJoker | No specific tools, possible undelete/sigsearch | |
| CryptoKid | Have decrypt software for this | .criptokod |
| CryptoLocker | No specific tools, possible undelete/sigsearch | |
| CryptoMix | No specific tools, possible undelete/sigsearch | |
| CryptON | Have decrypt process for this | ".id-_locked", ".id-_locked_by_krec", ".id-_locked_by_perfect", ".id-_x3m", ".id-_r9oj", ".id-_garryweber@protonmail.ch", ".id-_steaveiwalker@india.com_", ".id-_julia.crown@india.com_", ".id-_tom.cruz@india.com_", ".id-_CarlosBoltehero@india.com_" and ".id-_maria.lopez1@india.com_" |
| CryptoRoger | No specific tools, possible undelete/sigsearch | .crptrgr |
| CryptoShocker | | .locked |
| CryptoTorLocker | No specific tools, possible undelete/sigsearch | |
| CryptoWall | No specific tools, possible undelete/sigsearch | |
| CryptoWall 2.0 | No specific tools, possible undelete/sigsearch | |
| CryptoWall 3.0 | No specific tools, possible undelete/sigsearch | |
| CryptoWall 4.0 | No specific tools, possible undelete/sigsearch | |
| CryptoWire | | |
| CryptXXX - v1-v5 | Have decrypt software for v1-v5 | v1-3 - {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters; v4-5 - {MD5 Hash}.5 hexadecimal characters |
| CrySiS | Have decrypt software for this | .johnycryptor@hackermail.com.xtbl, .ecovector2@aol.com.xtbl, .systemdown@india.com.xtbl, .Vegclass@aol.com.xtbl, .{milarepa.lotos@aol.com}.CrySiS, .{Greg_blood@india.com}.xtbl, .{savepanda@india.com}.xtbl, .{arzamass7@163.com}.xtbl, .centurion_legion.aol.com.xtbl |
| CTB - Critroni | No specific tools, possible undelete/sigsearch | |
| CTB-Faker | Have decrypt process for this | |
| CTB-Locker | No specific tools, possible undelete/sigsearch | |
| Damage | Have decrypt process for this | .damage |
| DeathNote | Have decrypt process for this | |
| DED | | .ded |
| Derialock | Have decrypt software for this | |
| Dharma | Possible tools (old versions only), otherwise undelete/sigsearch | |
| DMA Locker | Have decrypt software for this | |
| DMA Locker 2.0 | Have decrypt software for this | |
| DMA Locker 3.0 | No specific tools, possible undelete/sigsearch | |
| DMA Locker 4.0 | No specific tools, possible undelete/sigsearch | doesn't modify file names |
| DR.JIMBO@BK.RU | | |
| DXXD | No specific tools, possible undelete/sigsearch | .theDXXD, .DXXD |
| ECLR Ransomware | No specific tools, possible undelete/sigsearch | |
| EDA2 | | |
| EduCrypt/EduWare | Decrypt password provided by the ransomware | |
| Enjey | No specific tools, possible undelete/sigsearch | |
| Encryptor RaaS | No specific tools, possible undelete/sigsearch | |
| Enigma | No specific tools, possible undelete/sigsearch | |
| FenixLocker | Have decrypt software for this | |
| FLocker | | |
| Fsociety | No specific tools, possible undelete/sigsearch | .realfsociety@sigaint.org.fsociety |
| Fury - See Rannoh | Have decrypt software for this | |
| GhostCrypt | Have decrypt software for this | .Z81928819 extension |
| Globe | Have decrypt software for this | Globe adds one of the following extensions to the file name: ".ACRYPT", ".GSupport[0-9]", ".blackblock", ".dll555", ".duhust", ".exploit", ".frozen", ".globe", ".gsupport", ".kyra", ".purged", ".raid[0-9]", ".siri-down@india.com", ".xtbl", ".zendrz", or ".zendr[0-9]". Furthermore, some of its versions encrypt the file name as well. |
| Globe2 | Have decrypt software for this | |
| Globe3 | Have decrypt software for this | .decrypt2017 and .hnumkhotep |
| GlobeImposter | Have decrypt process for this | *.crypt |
| GNL Locker | No specific tools, possible undelete/sigsearch | .locked |
| Goliath | No specific tools, possible undelete/sigsearch | |
| Gomasom | Have decrypt software for this | |
| Hades Locker | No specific tools, possible undelete/sigsearch | |
| Harasom | Have decrypt software for this | |
| Herbst | No specific tools, possible undelete/sigsearch | .herbst |
| Hi Buddy! | No specific tools, possible undelete/sigsearch | |
| HOLYCRYPT | | |
| Hucky | | |
| HydraCrypt | Have decrypt software for this | |
| IFN643 | | |
| Jack.Pot | | |
| Jigsaw | Have decrypt software for this | .paybtc, .paymst, .payms, .pays, .paym, .paymrs, .payrms, .paymts, .epic |
| JobCrypter | No specific tools, possible undelete/sigsearch | .css |
| Jonnycryptor | Have decrypt software for this | |
| JuicyLemon | Have decrypt software for this | |
| KeRanger | No specific tools, possible undelete/sigsearch | |
| KeyBTC | Have decrypt software for this | |
| KEYHolder | No specific tools, possible undelete/sigsearch | |
| KillDisk | No specific tools, possible undelete/sigsearch | |
| Killerlocker | No specific tools, possible undelete/sigsearch | .rip |
| KimcilWare | No specific tools, possible undelete/sigsearch | |
| Koolova | Have decrypt process for this | |
| Kozy.jozy | No specific tools, possible undelete/sigsearch | |
| KratosCrypt | Have decrypt process for this | .kratos |
| Kriptovo | No specific tools, possible undelete/sigsearch | |
| KryptoLocker | No specific tools, possible undelete/sigsearch | |
| LeChiffre | Have decrypt software for this | |
| Legion | Have decrypt software for this | Legion adds a variant of ._23-06-2016-20-27-23_$f_tactics@aol.com$.legion or .$centurion_legion@aol.com$.cbf to the end of filenames (e.g., Thesis.doc = Thesis.doc._23-06-2016-20-27-23_$f_tactics@aol.com$.legion) |
| Linux Encoder v1 | Have decrypt software for this | |
| Linux Encoder v3 | Have decrypt software for this | |
| Lock93 | | |
| Locker | Have decrypt software for this | |
| Locky | No specific tools, possible undelete/sigsearch | |
| LockyDump | No specific tools, possible undelete/sigsearch | |
| Lortok | No specific tools, possible undelete/sigsearch | |
| Magic | No specific tools, possible undelete/sigsearch | |
| Maktub | No specific tools, possible undelete/sigsearch | |
| Maktub Locker | No specific tools, possible undelete/sigsearch | |
| Marlboro | Have decrypt process for this | .oops |
| MarsJoke | Have decrypt software for this | |
| MicroCop | Have decrypt process for this | |
| MireWare | No specific tools, possible undelete/sigsearch | |
| Mischa | No specific tools, possible undelete/sigsearch | |
| Mobef | No specific tools, possible undelete/sigsearch | |
| MRCR | Have decrypt process for this | ".PEGS1", ".MRCR1", ".RARE1", ".MERRY", or ".RMCM1" |
| n1n1n1 | | |
| NanoLocker | No specific tools, possible undelete/sigsearch | |
| Nemucod | Have decrypt software for this | .crypted |
| Nemucod-7z | No specific tools, possible undelete/sigsearch | |
| NMoreira | Have decrypt software for this | *.maktub or *.__AiraCropEncrypted! |
| NoobCrypt | Have decrypt software for this | NoobCrypt doesn't change the file name. Encrypted files can no longer be opened with their associated application, however. |
| Nuke | No specific tools, possible undelete/sigsearch | .0x5bm |
| ODCODC | Have decrypt process for this | File renaming format: [attacker's_email]-[original_filename].odcodc |
| OMG! Ransomcrypt | No specific tools, possible undelete/sigsearch | |
| Onyx | | |
| OpenToYou | Have decrypt process for this | *.-opentoyou@india.com |
| Osiris | No specific tools, possible undelete/sigsearch | |
| Ozozalocker | Have decrypt software for this | *.locked |
| PadCrypt | No specific tools, possible undelete/sigsearch | .padcrypt |
| PClock | Have decrypt software for this | |
| Petya | Have decrypt process for this | |
| Petya-Mischa | Have decrypt process for this | |
| PetrWrap | No specific tools, possible undelete/sigsearch | |
| Philadelphia | Have decrypt software for this | |
| PHP | Have decrypt software for this | |
| PIZZACRYPTS | Have decrypt software for this | Uses the .id-[unique_victim_id]-maestro@pizzacrypts.info extension |
| PolyGlot | Have decrypt process for this | |
| PowerWare | Have decrypt process for this | |
| Princess Locker | Have decrypt process for this | |
| Protected Ransomware | No specific tools, possible undelete/sigsearch | |
| RAA | No specific tools, possible undelete/sigsearch | .locked |
| RAAS a/k/a Encryptor RAAS | No specific tools, possible undelete/sigsearch | |
| Radamant | Have decrypt software for this | |
| Radamant v2.1 | Unknown | |
| Rakhni | Have decrypt software for this | |
| Rannoh Family | Have decrypt software for this | |
| Razy | No specific tools, possible undelete/sigsearch | |
| RemindMe | No specific tools, possible undelete/sigsearch | |
| Revenge | | The format for a renamed file is [16_hex_char_victim_id][16_hex_char_encrypted_filename][unknown_8_hex_char_string][8_char_encrypted_filename].REVENGE |
| Rokku | No specific tools, possible undelete/sigsearch | |
| Russian EDA2 | No specific tools, possible undelete/sigsearch | |
| Samas | No specific tools, possible undelete/sigsearch | |
| Sanction | No specific tools, possible undelete/sigsearch | |
| Santana | No specific tools, possible undelete/sigsearch | |
| Satan | No specific tools, possible undelete/sigsearch | .stn |
| SATANA | | |
| Shade | Have decrypt process for this | .da_vinci_code |
| Shamoon | | |
| Shujin | No specific tools, possible undelete/sigsearch | |
| SIMPLE_ENCODER | No specific tools, possible undelete/sigsearch | .~ file extension |
| SimpleLocker | No specific tools, possible undelete/sigsearch | |
| SNSLocker | No specific tools, possible undelete/sigsearch | .RSNSlocked |
| Spora | | |
| Sport | No specific tools, possible undelete/sigsearch | |
| Stampado | Have decrypt software for this | |
| SuperCrypt | No specific tools, possible undelete/sigsearch | |
| Surprise | No specific tools, possible undelete/sigsearch | |
| SynoLocker | No specific tools, possible undelete/sigsearch | |
| SZFLocker | Have decrypt software for this | SZFLocker adds .szf to the end of filenames (e.g., Thesis.doc = Thesis.doc.szf) |
| TeamXrat | No specific tools, possible undelete/sigsearch | |
| TeslaCrypt 0.x | Have decrypt software for this | The latest version of TeslaCrypt does not rename your files. |
| TeslaCrypt 2.x | Have decrypt software for this | |
| TeslaCrypt 3.0 | Have decrypt software for this | |
| TeslaCrypt 4.0 | Have decrypt software for this | |
| TorLocker | Have decrypt software for this | |
| TowerWeb | No specific tools, possible undelete/sigsearch | |
| Tox | No specific tools, possible undelete/sigsearch | |
| Troldesh | No specific tools, possible undelete/sigsearch | |
| TrueCrypter | Have decrypt process for this | |
| UltraCrypter | | .cryptz |
| UmbreCrypt | Have decrypt process for this | |
| Unlock92 | Have decrypt process for this | .CCCRRRPPP |
| VaultCrypt | Have decrypt process for this | |
| Venus Locker | No specific tools, possible undelete/sigsearch | .vluni |
| Wanna Decrypt0r | No specific tools, possible undelete/sigsearch | .wcry, .wcryt, .wncry, .wncryt |
| WildFire Locker | Have decrypt software for this | |
| WonderCrypter | Have decrypt process for this | |
| Xorist | Have decrypt software for this | |
| Xort | No specific tools, possible undelete/sigsearch | |
| Zcrypt | No specific tools, possible undelete/sigsearch | .zcrypt |
| Zepto | No specific tools, possible undelete/sigsearch | |
| Zimbra | Have decrypt software for this | |
| Zyklon | No specific tools, possible undelete/sigsearch | .zyklon, .locked |

*Cyber criminals do not stand still; this list is subject to change.

Additional Resources

http://www.nomoreransom.org/ - provides decryption software
http://bleepingcomputer.com - good resource site
https://id-ransomware.malwarehunterteam.com/ - can ID different types of ransomware
http://privacy-pc.com/articles/ransomware-chronicle.html - history of ransomware
https://blog.avast.com/avast-releases-four-free-ransomware-decryptors - free decryptors from Avast
https://www.nomoreransom.org/crypto-sheriff.php - can ID different types of ransomware