Avast Ransomware Decryption Tools 1.0.0.537


oaxino




 

Avast Ransomware Decryption Tools 1.0.0.537
File Size : 62.6 Mb

 

Avast Ransomware Decryption Tools contains the 20 ransomware decryptors available from Avast.

Avast currently offers free tools to unlock (decrypt) computers infected with the following ransomware.


AES_NI
Alcatraz Locker
Apocalypse
BadBlock
Bart
BTCWare
Crypt888
CryptoMix (Offline)
CrySiS
EncrypTile
FindZip
Globe
HiddenTear
Jigsaw
Legion
NoobCrypt
Stampado
SZFLocker
TeslaCrypt
XData
What's New
Updates: official site does not provide any info about changes in this version

Homepage: https://www.avast.com

 


Download links:

rapidgator.net: https://rapidgator.net/file/3705cbee8de1c4906dc7ffe69d1ec72c/hpdae.Avast.Ransomware.Decryption.Tools.1.0.0.537.rar.html

uploadgig.com: https://uploadgig.com/file/download/7e5ef6D87a9977e9/hpdae.Avast.Ransomware.Decryption.Tools.1.0.0.537.rar

nitroflare.com: https://nitroflare.com/view/01ADB1AD2C42746/hpdae.Avast.Ransomware.Decryption.Tools.1.0.0.537.rar

1dl.net: https://1dl.net/q0jr7f93cme4/hpdae.Avast.Ransomware.Decryption.Tools.1.0.0.537.rar

 

Edited by GEODASOFT

AES_NI

AES_NI is a ransomware strain that first appeared in December 2016. Since then, we’ve observed multiple variants, with different file extensions. For encrypting files, the ransomware uses AES-256 combined with RSA-2048.

Filename changes:

The ransomware adds one of the following extensions to encrypted files:
.aes_ni
.aes256
.aes_ni_0day

In each folder with at least one encrypted file, the file "!!! READ THIS - IMPORTANT !!!.txt" can be found. Additionally, the ransomware creates a key file with a name similar to [PC_NAME]#9C43A95AC27D3A131D3E8A95F2163088-Bravo NEW-20175267812-78.key.aes_ni_0day in the C:\ProgramData folder.

Ransom message:

The file “!!! READ THIS - IMPORTANT !!!.txt” contains the following ransom note:

01-aesni-ransom-message.png

Alcatraz Locker

Alcatraz Locker is a ransomware strain that was first observed in the middle of November 2016. For encrypting user's files, this ransomware uses AES 256 encryption combined with Base64 encoding.

Filename changes:

Encrypted files have the ".Alcatraz" extension.

Ransom message:

After encrypting your files, a similar message appears (it is located in a file "ransomed.html" on the user's desktop):

alcatraz-001.png

If Alcatraz Locker has encrypted your files, click here to download our free fix:

Apocalypse

Apocalypse is a form of ransomware first spotted in June 2016. Here are the signs of infection:

Filename changes:

Apocalypse adds .encrypted, .FuckYourData, .locked, .Encryptedfile, or .SecureCrypted to the end of filenames. (e.g., Thesis.doc = Thesis.doc.locked)

Ransom message:

Opening a file with the extension .How_To_Decrypt.txt, .README.Txt, .Contact_Here_To_Recover_Your_Files.txt, .How_to_Recover_Data.txt, or .Where_my_files.txt (e.g., Thesis.doc.How_To_Decrypt.txt) will display a variant of this message:

apocalypse-ransomware-screenshot-787x103
 
 

AtomSilo & LockFile

AtomSilo and LockFile are two ransomware strains analyzed by Jiří Vinopal. The two have a very similar encryption scheme, so this decryptor covers both variants. Victims can decrypt their files for free.

Filename changes:

Encrypted files can be recognized by one of these extensions:
.ATOMSILO
.lockfile

In each folder with at least one encrypted file, there is also a ransom note file named README-FILE-%ComputerName%-%Number%.hta or LOCKFILE-README-%ComputerName%-%Number%.hta, e.g.:

  • README-FILE-JOHN_PC-1634717562.hta
  • LOCKFILE-README-JOHN_PC-1635095048.hta

 

atomsilo-screen-01.pngatomsilo-screen-02.png

Babuk

Babuk is a Russian ransomware. In September 2021, the source code leaked with some of the decryption keys. Victims can decrypt their files for free.

Filename changes:

When encrypting a file, Babuk appends one of the following extensions to the file name:
.babuk
.babyk
.doydo

In each folder with at least one encrypted file, the file Help Restore Your Files.txt can be found with the following content:

babuk-ransomnote-01.png

BadBlock

BadBlock is a form of ransomware first spotted in May 2016. Here are the signs of infection:

Filename changes:

BadBlock does not rename your files.

Ransom message:

After encrypting your files, BadBlock displays one of these messages (from a file named Help Decrypt.html):

badblock-ransomware-screenshot-2-1345x99badblock-ransomware-screenshot-1-993x601

If BadBlock has encrypted your files, click here to download our free fix:

 
 

Bart

Bart is a form of ransomware first spotted at the end of June 2016. Here are the signs of infection:

Filename changes:

Bart adds .bart.zip to the end of filenames. (e.g., Thesis.doc = Thesis.doc.bart.zip) These are encrypted ZIP archives containing the original files.

Ransom message:

After encrypting your files, Bart changes your desktop wallpaper to an image like the one below. The text on this image can also be used to help identify Bart, and is stored on the desktop in files named recover.bmp and recover.txt.

ui-bart-recover.png

If Bart has encrypted your files, click here to download our free fix:

Acknowledgement: We'd like to thank Peter Conrad, author of PkCrack, who granted us permission to use his library in our Bart decryption tool.

BigBobRoss

BigBobRoss encrypts user's files using AES128 encryption. The encrypted files have new extension ".obfuscated" appended at the end of the file name.

Filename changes:

The ransomware adds the following extension: .obfuscated

foobar.doc -> foobar.doc.obfuscated
document.dat -> document.dat.obfuscated
document.xls -> document.xls.obfuscated
foobar.bmp -> foobar.bmp.obfuscated

Ransom message:

The ransomware also creates a text file named "Read Me.txt" in each folder. The content of the file is below.

bigbobross-001.png

BTCWare

BTCWare is a ransomware strain that first appeared in March 2017. Since then, we have observed five variants, which can be distinguished by the encrypted file extension. The ransomware uses two different encryption methods: RC4 and AES-192.

Filename changes:

Encrypted file names will have the following format: 
foobar.docx.[[email protected]].theva
foobar.docx.[[email protected]].cryptobyte
foobar.bmp.[[email protected]].cryptowin
foobar.bmp.[[email protected]].btcware
foobar.docx.onyon

Furthermore, one of the following files can be found on the PC 
Key.dat on %USERPROFILE%\Desktop
1.bmp in %USERPROFILE%\AppData\Roaming
#_README_#.inf or !#_DECRYPT_#!.inf in each folder with at least one encrypted file.

Ransom message:

After encrypting your files, the desktop wallpaper is changed to the following:

btcware-ransomnote-001.png

You may also see one of the following ransom notes:

btcware-ransomnote-002.pngbtcware-ransomnote-003.png

Crypt888

Crypt888 (also known as Mircop) is a form of ransomware first spotted in June 2016. Here are the signs of infection:

Filename changes:

Crypt888 adds Lock. to the beginning of filenames. (e.g., Thesis.doc = Lock.Thesis.doc)

Ransom message:

After encrypting your files, Crypt888 changes your desktop wallpaper to one of the following:

[screenshots: crypt888-ransomware-screenshot-1 to crypt888-ransomware-screenshot-7]

If Crypt888 has encrypted your files, click here to download our free fix:

 


CryptoMix (Offline)

CryptoMix (also known as CryptFile2 or Zeta) is a ransomware strain that was first spotted in March 2016. In early 2017, a new variant of CryptoMix, called CryptoShield emerged. Both variants encrypt files by using AES256 encryption with a unique encryption key downloaded from a remote server. However, if the server is not available or if the user is not connected to the internet, the ransomware will encrypt files with a fixed key ("offline key").

Important: The provided decryption tool only supports files encrypted using an "offline key". In cases where the offline key was not used to encrypt files, our tool will be unable to restore the files and no file modification will be done.
Update 2017-07-21: The decryptor was updated to also work with Mole variant.

Filename changes:

Encrypted files will have one of the following extensions: .CRYPTOSHIELD, .rdmk, .lesli, .scl, .code, .rmd, .rscl or .MOLE.

Ransom message:

The following files may be found on the PC after encrypting files:

cryptomix-message-001.pngcryptomix-message-002.pngcryptomix-message-003.pngcryptomix-message-004.pngcryptomix-message-005.png

If CryptoMix has encrypted your files, click here to download our free fix:

CrySiS

CrySiS (JohnyCryptor, Virus-Encode, Aura, Dharma) is a ransomware strain that has been observed since September 2015. It uses AES-256 combined with RSA-1024 asymmetric encryption.

Filename changes:

Encrypted files have many various extensions, including: 
[email protected],
[email protected],
[email protected],
[email protected],
.{[email protected]}.CrySiS,
.{[email protected]}.xtbl,
.{[email protected]}.xtbl,
.{[email protected]}.xtbl,
.{[email protected]}.dharma,
.{[email protected]}.dharma,
.wallet

Ransom message:

After encrypting your files, one of the following messages appears (see below). The message is located in "Decryption instructions.txt", "Decryptions instructions.txt", "README.txt", "Readme to restore your files.txt" or "HOW TO DECRYPT YOUR DATA.txt" on the user's desktop. Also, the desktop background is changed to one of the pictures below.

[screenshots: crysis-001 to crysis-012]

If CrySiS has encrypted your files, click here to download our free fix:

EncrypTile

EncrypTile is a ransomware that we first observed in November 2016. After half a year of development, we caught a new, final version of this ransomware. It uses AES-128 encryption with a key that is constant for a given PC and user.

Filename changes:

The ransomware adds the word “encrypTile” into a file name:

foobar.doc -> foobar.docEncrypTile.doc

foobar3 -> foobar3EncrypTile

The ransomware also creates four new files on the user's desktop. The names of these files are localized; here are their English versions:

encryptile-03.png
Ransom message:
encryptile-01.pngencryptile-02.jpg
How to run the decryptor

While running, the ransomware actively prevents the user from running any tools that might potentially remove it. Refer to the blog post for more detailed instructions on how to run the decryptor in case the ransomware is running on your PC.

FindZip

FindZip is a ransomware strain that was observed at the end of February 2017. This ransomware spreads on Mac OS X (version 10.11 or newer). The encryption is based on creating ZIP files - each encrypted file is a ZIP archive, containing the original document.

Filename changes:

Encrypted files will have the .crypt extension.

Ransom message:

After encrypting your files, several files are created on the user’s desktop, with name variants of: DECRYPT.txt, HOW_TO_DECRYPT.txt, README.txt. They are all identical, containing the following text message:

findzip-001.png

Special: Because Avast decryptors are Windows applications, it is necessary to install an emulation layer on Mac (WINE, CrossOver). For more information, please read our blog post.

If FindZip has encrypted your files, click here to download our free fix:

Fonix

The Fonix ransomware has been active since June 2020. Written in C++, it uses a three-key encryption scheme (RSA-4096 master key, RSA-2048 session key, 256-bit file key for Salsa/ChaCha encryption). In February 2021, the ransomware authors shut their business down and published the master RSA key, which can be used to decrypt files for free.

Filename changes:

Encrypted files will have one of these extensions:
.FONIX,
.XINOF

Ransom message:

After encrypting files on the victim machine, the ransomware shows the following screen:

fonix-ransomnote-01.png

If Fonix has encrypted your files, click here to download our free fix:

GandCrab

GandCrab was one of the most prevalent ransomware families of 2018. On 17 October 2018, the GandCrab developers released 997 keys for victims located in Syria. Also, in July 2018, the FBI released master decryption keys for versions 4-5.2. This version of the decryptor uses all of these keys and can decrypt files for free.

Filename changes:

The ransomware adds multiple possible extensions: 
.GDCB,
.CRAB,
.KRAB,
.%RandomLetters%
foobar.doc -> foobar.doc.GDCB
document.dat -> document.dat.CRAB
document.xls -> document.xls.KRAB
foobar.bmp -> foobar.bmp.gcnbo (letters are random)

Ransom message:

The ransomware also creates a text file named "GDCB-DECRYPT.txt", "CRAB-DECRYPT.txt", "KRAB_DECRYPT.txt", "%RandomLetters%-DECRYPT.txt" or "%RandomLetters%-MANUAL.txt" in each folder. The content of the file is below.

gandcrab-001.pnggandcrab-002.png

Later versions of the ransomware can also set the following image to the user's desktop:

gandcrab-003.png

Globe

Globe is a ransomware strain that has been observed since August 2016. Based on variant, it uses RC4 or Blowfish encryption method. Here are signs of infection:

Filename changes:

Globe adds one of the following extensions to the file name: ".ACRYPT", ".GSupport[0-9]", ".blackblock", ".dll555", ".duhust", ".exploit", ".frozen", ".globe", ".gsupport", ".kyra", ".purged", ".raid[0-9]", "[email protected]", ".xtbl", ".zendrz", ".zendr[0-9]", or ".hnyear". Furthermore, some of its versions encrypt the file name as well.

Ransom message:

After encrypting your files, a similar message appears (it is located in a file "How to restore files.hta" or "Read Me Please.hta"):

globe-001.pngglobe-002.pngglobe-002.png

If Globe has encrypted your files, click here to download our free fix:

HermeticRansom

HermeticRansom is ransomware that was used at the beginning of the Russian invasion of Ukraine. It is written in Go and encrypts files with the AES-GCM symmetric cipher. Victims of this ransomware attack can decrypt their files for free.

Filename changes:

Encrypted files can be recognized by the .[[email protected]].encryptedJB file extension. Also, a file named read_me.html is dropped to the user's desktop (see the image below).

hermetic.png

HiddenTear

HiddenTear is one of the first open-sourced ransomware codes hosted on GitHub and dates back to August 2015. Since then, hundreds of HiddenTear variants have been produced by crooks using the original source code. HiddenTear uses AES encryption.

Filename changes:

Encrypted files will have one of the following extensions (but not limited to): .locked, .34xxx, .bloccato, .BUGSECCCC, .Hollycrypt, .lock, .saeid, .unlockit, .razy, .mecpt, .monstro, .lok, .암호화됨, .8lock8, .fucked, .flyper, .kratos, .krypted, .CAZZO, .doomed.

Ransom message:

After encrypting files, a text file (READ_IT.txt, MSG_FROM_SITULA.txt, DECRYPT_YOUR_FILES.HTML) appears on the user's desktop. Various variants can also show a ransom message:

hiddentear-001.pnghiddentear-002.pnghiddentear-003.pnghiddentear-004.png

If HiddenTear has encrypted your files, click here to download our free fix:

Jigsaw

Jigsaw is a ransomware strain that has been around since March 2016. It’s named after the movie character “The Jigsaw Killer”. Several variants of this ransomware use the Jigsaw Killer’s picture in the ransom screen.

Filename changes:

Encrypted files will have one of the following extensions: .kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush, [email protected], or .gefickt.

Ransom message:

After encrypting your files, one of the screens below will appear:

jigsaw-001.pngjigsaw-002.pngjigsaw-003.pngjigsaw-004.pngjigsaw-005.pngjigsaw-006.png

If Jigsaw has encrypted your files, click here to download our free fix:

 

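Bart (in the previous post) and FindZip (above) both wrap the original document in a password-protected ZIP archive rather than encrypting it in place. The following script is an added example for this page, not Avast's code and not the decryptor's logic: it parses the ZIP local file header to confirm that a *.bart.zip or *.crypt file really is an encrypted ZIP container and reports which ZIP encryption scheme the header flags, traditional PKWARE "ZipCrypto" (the scheme the PkCrack library credited in the Bart section attacks) versus WinZip AES (compression method 99). The sample archives are constructed in memory with the standard library and have the encryption bit set by hand, because zipfile cannot write encrypted archives; the function names are hypothetical.

```python
"""Inspect a suspected Bart / FindZip victim file as a ZIP container.

Added example for this page, not Avast's code.  Reads the ZIP local file
header (PKWARE APPNOTE layout) of a file that, by name, looks like Bart
(*.bart.zip) or FindZip (*.crypt) output and confirms it is an encrypted
archive before anyone reaches for a decryptor.  Sample data is constructed;
only the header flag is flipped, so the member data stays in the clear.
"""
import io
import struct
import zipfile

# Local file header: signature, version needed, flags, method, mtime, mdate,
# crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER = struct.Struct("<IHHHHHIIIHH")
LOCAL_SIGNATURE = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001      # general purpose bit 0: member is encrypted
FLAG_STRONG_ENC = 0x0040     # general purpose bit 6: PKWARE strong encryption
METHOD_WINZIP_AES = 99       # WinZip AES marks itself as compression method 99


def inspect_zip_container(data):
    """Return header facts for the first member, or None if data is not a ZIP."""
    if len(data) < LOCAL_HEADER.size or data[:4] != LOCAL_SIGNATURE:
        return None
    (_, _, flags, method, _, _, _, csize, usize,
     name_len, _) = LOCAL_HEADER.unpack_from(data, 0)
    start = LOCAL_HEADER.size
    member = data[start:start + name_len].decode("cp437", "replace")
    encrypted = bool(flags & FLAG_ENCRYPTED)
    if not encrypted:
        scheme = "none"
    elif method == METHOD_WINZIP_AES:
        scheme = "winzip-aes"
    elif flags & FLAG_STRONG_ENC:
        scheme = "pkware-strong"
    else:
        scheme = "zipcrypto"          # traditional PKWARE encryption (PkCrack territory)
    return {"member": member, "encrypted": encrypted, "scheme": scheme,
            "method": method, "compressed_size": csize, "uncompressed_size": usize}


def triage_suspect_files(files):
    """Keep only files whose name AND content look like Bart/FindZip output.

    files: {path: leading bytes of the file}.
    Returns {path: (family, scheme, original member name)}.
    """
    found = {}
    for path, head in files.items():
        lower = path.lower()
        if lower.endswith(".bart.zip"):
            family = "Bart"
        elif lower.endswith(".crypt"):
            family = "FindZip"
        else:
            continue
        info = inspect_zip_container(head)
        if info and info["encrypted"]:
            found[path] = (family, info["scheme"], info["member"])
    return found


def make_sample_archive(member, payload, mark_encrypted):
    """Constructed test data: a real ZIP, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:                # flags live at offset 6 of the local header
        flags = struct.unpack_from("<H", data, 6)[0] | FLAG_ENCRYPTED
        struct.pack_into("<H", data, 6, flags)
    return bytes(data)


# Constructed listing: two genuine-looking victims, one false positive, one bystander.
SAMPLE_FILES = {
    r"C:\Users\alice\Documents\Thesis.doc.bart.zip":
        make_sample_archive("Thesis.doc", b"draft chapter one", True),
    "/Users/alice/Desktop/report.pdf.crypt":
        make_sample_archive("report.pdf", b"%PDF-1.4 constructed", True),
    "/Users/alice/backup.crypt":                   # plain ZIP, encryption bit clear
        make_sample_archive("backup.txt", b"nothing to see", False),
    r"C:\Users\alice\notes.txt": b"just a text file",
}

if __name__ == "__main__":
    for path, verdict in triage_suspect_files(SAMPLE_FILES).items():
        print(path, "->", verdict)
```

A file whose name says Bart or FindZip but whose first four bytes are not PK\x03\x04, or whose header has the encryption bit clear, is either not a victim of these families or has been altered since; a name-only check would have queued it for the decryptor anyway, which is why the header check is worth the extra few lines before a bulk run.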

LambdaLocker

LambdaLocker is a ransomware strain that we first observed in May 2017. It is written in the Python programming language, and the currently prevalent variant is decryptable.

Filename changes:

The ransomware adds the “.MyChemicalRomance4EVER” extension after a file name:
foobar.doc -> foobar.doc.MyChemicalRomance4EVER
document.dat -> document.dat.MyChemicalRomance4EVER


The ransomware also creates a text file named "UNLOCK_guiDE.txt" on the user's desktop. The content of the file is below.

lambdalocker.png

Legion

Legion is a form of ransomware first spotted in June 2016. Here are the signs of infection:

Filename changes:

Legion adds a variant of [email protected]$.legion or [email protected]$.cbf to the end of filenames. (e.g., Thesis.doc = [email protected]$.legion)

Ransom message:

After encrypting your files, Legion changes your desktop wallpaper and displays a popup, like this:

legion-ransomware-screenshot-819x459.png

If Legion has encrypted your files, click here to download our free fix:

NoobCrypt

NoobCrypt is a ransomware strain that has been observed since late July 2016. For encrypting the user's files, this ransomware uses the AES-256 encryption method.

Filename changes:

NoobCrypt doesn't change file names. Encrypted files can no longer be opened with their associated application, however.

Ransom message:

After encrypting your files, a similar message appears (it is located in a file "ransomed.html" on the user's desktop):

noobcrypt-001.pngnoobcrypt-002.png

If NoobCrypt has encrypted your files, click here to download our free fix:

Prometheus

Prometheus ransomware is written in .NET (C#) and encrypts files either using Chacha20 or AES-256. The file encryption key is subsequently encrypted with RSA-2048 and stored to the end of the file. Some variants of the ransomware can be decrypted for free.

Filename changes:

 

Encrypted files can be recognized by one of these file extensions:

Also, a ransom note file is dropped to the user's desktop with one of these names:

  • HOW_TO_DECYPHER_FILES.txt
  • UNLOCK_FILES_INFO.txt
  • Инструкция.txt

 

prometheus.png

TargetCompany

TargetCompany is a ransomware that encrypts user files with the ChaCha20 cipher. Victims of this ransomware attack can now decrypt their files for free.

Filename changes:

Encrypted files can be recognized by one of these extensions: 
.mallox 
.exploit 
.architek 
.brg 
.carone

In each folder with at least one encrypted file, there is also a ransom note file named RECOVERY INFORMATION.txt (see the image below).

target-company-001.png
 
 

Stampado

Stampado is a ransomware strain written using the AutoIt script tool. It has been around since August 2016. It is being sold on the dark web, and new variants keep appearing. One of its versions is also called Philadelphia.

Filename changes:

Stampado adds the .locked extension to the encrypted files. Some variants also encrypt the filename itself, so the encrypted file name may look either as document.docx.locked or 85451F3CCCE348256B549378804965CD8564065FC3F8.locked.

Ransom message:

After encryption is complete, the following screen will appear:

stampado-001.pngstampado-002.png

If Stampado has encrypted your files, click here to download our free fix:

SZFLocker

SZFLocker is a form of ransomware first spotted in May 2016. Here are the signs of infection:

Filename changes:

SZFLocker adds .szf to the end of filenames. (e.g., Thesis.doc = Thesis.doc.szf)

Ransom message:

When you try to open an encrypted file, SZFLocker displays the following message (in Polish):

szflocker-ransomware-screenshot-525x240.

If SZFLocker has encrypted your files, click here to download our free fix:

TeslaCrypt

TeslaCrypt is a form of ransomware first spotted in February 2015. Here are the signs of infection:

Filename changes:

The latest version of TeslaCrypt does not rename your files.

Ransom message:

After encrypting your files, TeslaCrypt displays a variant of the following message:

teslacrypt-ransomware-600x300.png

If TeslaCrypt has encrypted your files, click here to download our free fix:

Troldesh / Shade

Troldesh, also known as Shade or Encoder.858, is a ransomware strain that has been observed since 2016. At the end of April 2020, the ransomware authors shut their business down and published decryption keys that can be used to decrypt files for free.
More information: https://www.bleepingcomputer.com/news/security/shade-ransomware-shuts-down-releases-750k-decryption-keys/

Filename changes:

Encrypted files will have one of these extensions: 
• xtbl
• ytbl
• breaking_bad
• heisenberg
• better_call_saul
• los_pollos
• da_vinci_code
• magic_software_syndicate
• windows10
• windows8
• no_more_ransom
• tyson
• crypted000007
• crypted000078
• rsa3072
• decrypt_it
• dexter
• miami_california

Ransom message:

After encrypting your files, several files named README1.txt through README10.txt are created on the user's desktop. They are in different languages and contain this text:

troldesh-ransom-message.png

The user's desktop background is also changed and looks like the picture below:

troldesh-ransom-desktop.png

If Troldesh has encrypted your files, click here to download our free fix:

XData

XData is a ransomware strain derived from AES_NI and, like WannaCry, it uses the EternalBlue exploit to spread to other machines.

Filename changes:

 

The ransomware adds the ".~xdata~" extension to the encrypted files.

In each folder with at least one encrypted file, the file "HOW_CAN_I_DECRYPT_MY_FILES.txt" can be found. Additionally, the ransomware creates a key file with name similar to:

[PC_NAME]#9C43A95AC27D3A131D3E8A95F2163088-Bravo NEW-20175267812-78.key.~xdata~ in the following folders:

• C:\

• C:\ProgramData

• Desktop

 

Ransom message:

The file “HOW_CAN_I_DECRYPT_MY_FILES.txt” contains the following ransom note:

01-xdata-ransom-screen.png

If XData has encrypted your files, click here to download our free fix:

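Every family described above is identified by the same two kinds of indicator: the extension or prefix added to encrypted files, and the name of the ransom note or key file dropped beside them. The script below is an added example for this page (not Avast's code and not part of the decryptor package) that turns a subset of those indicators into a scored triage over a file listing. Note and key files carry more weight than extensions because an extension such as .locked is shared by Apocalypse, Stampado and HiddenTear variants and cannot decide on its own. The file listings at the bottom are constructed, and the function names are hypothetical.

```python
"""Name-based ransomware family triage over a file listing.

Added example for this page; it is not Avast's code.  The extension and
note-file patterns below come from the family descriptions on this page
(a subset, chosen to show overlapping indicators).  Listings are constructed.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# (family, kind, regex matched against the file NAME only, weight)
# kind "ext"  = marker of an encrypted file (weak evidence, often shared)
# kind "note" = ransom note or key file (strong evidence, family-specific)
SIGNATURES = [
    ("AES_NI", "ext", r"\.(aes_ni|aes256|aes_ni_0day)$", 1),
    ("AES_NI", "note", r"^!!! READ THIS - IMPORTANT !!!\.txt$", 5),
    ("AES_NI", "note", r"#[0-9A-F]{32}-Bravo NEW-\d+-\d+\.key\.aes_ni_0day$", 5),
    ("XData", "ext", r"\.~xdata~$", 1),
    ("XData", "note", r"^HOW_CAN_I_DECRYPT_MY_FILES\.txt$", 5),
    ("XData", "note", r"#[0-9A-F]{32}-Bravo NEW-\d+-\d+\.key\.~xdata~$", 5),
    ("Bart", "ext", r"\.bart\.zip$", 1),
    ("Bart", "note", r"^recover\.(bmp|txt)$", 5),
    ("BTCWare", "ext", r"\.(theva|cryptobyte|cryptowin|btcware|onyon)$", 1),
    ("BTCWare", "note", r"^(#_README_#|!#_DECRYPT_#!)\.inf$", 5),
    ("Crypt888", "ext", r"^Lock\.", 1),
    ("CryptoMix", "ext", r"\.(CRYPTOSHIELD|rdmk|lesli|scl|code|rmd|rscl|MOLE)$", 1),
    ("GandCrab", "ext", r"\.(GDCB|CRAB|KRAB)$", 1),
    ("GandCrab", "note", r"^[A-Z]+[-_](DECRYPT|MANUAL)\.txt$", 5),
    ("Babuk", "ext", r"\.(babuk|babyk|doydo)$", 1),
    ("Babuk", "note", r"^Help Restore Your Files\.txt$", 5),
    ("AtomSilo/LockFile", "ext", r"\.(ATOMSILO|lockfile)$", 1),
    ("AtomSilo/LockFile", "note", r"^(LOCKFILE-)?README-FILE-.+-\d+\.hta$", 5),
    ("TargetCompany", "ext", r"\.(mallox|exploit|architek|brg|carone)$", 1),
    ("TargetCompany", "note", r"^RECOVERY INFORMATION\.txt$", 5),
    # ".locked" is used by Apocalypse, Stampado and HiddenTear variants, so
    # by itself it only nominates candidates; a note file breaks the tie.
    ("Apocalypse", "ext", r"\.locked$", 1),
    ("Apocalypse", "note",
     r"\.(How_To_Decrypt|README|Contact_Here_To_Recover_Your_Files|"
     r"How_to_Recover_Data|Where_my_files)\.txt$", 5),
    ("Stampado", "ext", r"\.locked$", 1),
    ("HiddenTear", "ext", r"\.locked$", 1),
    ("HiddenTear", "note",
     r"^(READ_IT\.txt|MSG_FROM_SITULA\.txt|DECRYPT_YOUR_FILES\.HTML)$", 5),
]

# Windows file systems are case-insensitive, so match case-insensitively.
_COMPILED = [(fam, kind, re.compile(rx, re.IGNORECASE), w)
             for fam, kind, rx, w in SIGNATURES]


def identify_families(paths):
    """Score every family whose indicators appear in the listing.

    Returns {family: {"score": int, "encrypted": [paths], "notes": [paths]}},
    ordered from strongest to weakest evidence.
    """
    hits = defaultdict(lambda: {"score": 0, "encrypted": [], "notes": []})
    for path in paths:
        name = PureWindowsPath(path).name        # match on the file name only
        for fam, kind, rx, weight in _COMPILED:
            if rx.search(name):
                entry = hits[fam]
                entry["score"] += weight
                entry["encrypted" if kind == "ext" else "notes"].append(path)
    return dict(sorted(hits.items(), key=lambda kv: -kv[1]["score"]))


def best_guess(paths):
    """Families sharing the top score; more than one name means 'ambiguous'."""
    ranked = identify_families(paths)
    if not ranked:
        return []
    top = max(entry["score"] for entry in ranked.values())
    return sorted(fam for fam, entry in ranked.items() if entry["score"] == top)


# Constructed listings (not real incident data).
APOCALYPSE_LISTING = [
    r"C:\Users\alice\Documents\Thesis.doc.locked",
    r"C:\Users\alice\Documents\Thesis.doc.How_To_Decrypt.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.locked",
    r"C:\Users\alice\Desktop\todo.txt",            # untouched file
]
XDATA_LISTING = [
    r"C:\ProgramData\WS-PC#9C43A95AC27D3A131D3E8A95F2163088-Bravo NEW-20175267812-78.key.~xdata~",
    r"C:\Users\bob\Desktop\HOW_CAN_I_DECRYPT_MY_FILES.txt",
    r"C:\Users\bob\Documents\budget.xlsx.~xdata~",
]
LOCKED_ONLY_LISTING = [r"D:\share\report.pdf.locked"]   # extension only: ambiguous

if __name__ == "__main__":
    for label, listing in [("apocalypse", APOCALYPSE_LISTING),
                           ("xdata", XDATA_LISTING),
                           ("ambiguous", LOCKED_ONLY_LISTING)]:
        print(label, "->", best_guess(listing), identify_families(listing))
```

Run it over a `dir /s /b` listing exported from the victim host: a single name from best_guess() tells you which decryptor to try first, several names mean the note contents have to be read before picking one, and an empty result for an unrecognized family is the honest answer rather than a forced match.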
