0
(0)

RannohDecryptor tool is designed to decrypt files encrypted by the following ransomware:

  • Trojan-Ransom.Win32.Rannoh
  • Trojan-Ransom.Win32.AutoIt
  • Trojan-Ransom.Win32.Cryakl
  • Trojan-Ransom.Win32.CryptXXX version 1, 2, and 3
  • Trojan-Ransom.Win32.Crybola
  • Trojan-Ransom.Win32.Polyglot
  • Trojan-Ransom.Win32.Fury

In case of an infection, all files on the computer will be changed as follows:

Ransomware How files will be encrypted
Trojan-Ransom.Win32.Rannoh File names and extensions will be changed according to the template locked-<original_name>.<four_random_letters>.
Trojan-Ransom.Win32.AutoIt Extensions will be changed according to the template <original_name>@<mail server>_.<random_set_of_characters>. For example, [email protected]_.RZWDTDIC.
Trojan-Ransom.Win32.Cryakl The tag {CRYPTENDBLACKDC} is added to the end of file names.
Trojan-Ransom.Win32.CryptXXX Extensions will be changed according to the templates:

  • <original_name>.crypt
  • <original_name>.crypz
  • <original_name>.cryp1
Trojan-Ransom.Win32.Crybola Extensions will be changed according to the template <original_name>.ebola.

The other ransomware does not change file extensions.

If you want to decrypt files affected by Trojan-Ransom.Win32.CryptXXX, take into account the following:

  • RannohDecryptor utility scans a limited number of file formats:
  • 1cd, 7z, ai, avi, bz2, cab, cdr, cdw, cdx, cf, chm, dbf, djvu, doc, docm, docx, dt, dwg, epf, eps, erf, ert, fla, flac, flv, gif, gz, html, iso, jpeg, jpg, ldf, md, mdb, mdf, mov, mp3, mp4, mxl, nef, ods, odt, ogg, pdf, php, png, ppt, pptm, pptx, ps1, psd, pst, qbb, rar, rcf, rtf, sdf, sldasm, slddrw, tib, tif, tiff, vhd, vhdx, vsd, wav, xls, xlsm, xlsx, xlt, zip.
  • It may take a long time to restore the key for decrypting files affected by Trojan-Ransom.Win32.CryptXXX version 2. In this case, the utility displays a warning:

Key recovery can take a long time warning

 

How to disinfect the system

  1. Download the RannohDecryptor.zip archive.
  2. Run RannohDecryptor.exe on the infected computer.
  3. Carefully read through the End User License Agreement. If you agree with all the terms, click Accept.
  4. If you want the utility to automatically remove the decrypted files, do the following:
    1. In the main window, click Change parameters.
    2. Select the Delete crypted files after decryption checkbox.
    3. Selecting the Delete crypted files after decryption option
  5. In the main window, click Start scan.

Starting a scan in Kaspersky RannohDecryptor

  1. Specify the path to the encrypted file.
  2. To decrypt some files, the utility will request the original (not encrypted) copy of one encrypted file. You can find such a copy in your mail, on a removable drive, on your other computers, or in cloud storage. Click Continue and specify the path to the original file.

Specifying the path to the original file in Kaspersky Rannoh Decryptor

If the file is encrypted by Trojan-Ransom.Win32.CryptXXX, indicate the largest files. Only the files of this size or smaller ones will be decrypted.

  1. Wait until the encrypted files are found and decrypted.

If the file was encrypted by Trojan-Ransom.Win32.Cryakl, Trojan-Ransom.Win32.Polyglot, or Trojan-Ransom.Win32.Fury, the tool will save the file at its previous location with the extension .decryptedKLR.original_extension. If you selected the Delete crypted files after decryption checkbox, the tool will save the decrypted files with their original name.

If the file was encrypted by Trojan-Ransom.Win32.Rannoh, Trojan-Ransom.Win32.Cryakl, Trojan-Ransom.Win32.AutoIt, Trojan-Ransom.Win32.CryptXXX, or Trojan-Ransom.Win32.Crybola, the tool will save the file at its previous location with the original extension.

By default, the tool log is saved on the system disk with the operating system installed. Log file name is: UtilityName.Version_Date_Time_log.txt. For example, C:\RannohDecryptor.1.1.0.0_02.05.2012_15.31.43_log.txt

 

How to use the tool through the command line

Command name Value Example
-l <file_name> Creating a log file with the specified name. RannohDecryptor.exe -l C:\Users\Administrator\Downloads\log.txt
 

What to do if the tool did not help

If RannohDecryptor did not succeed in file decryption, download and launch the XoristDecryptor or RectorDecryptor tool.

To protect your computer from ransomware, downloadand installKaspersky Internet Security.

Source : Official Kaspersky Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 25 times, 1 visits today)