The Definitive Collection of Ransomware Decryption Tools on the Web
The Definitive Collection of Ransomware Decryption Tools on the Web [2020/11/27] [source]
- Identify your ransomware variant by visiting ID Ransomware
- Utilize the free ransomware decrypter tools listed below
- Try to restore from a backup
| Decryptor Download | Read Me | Encrypted File Extension | Creator/Contributor |
| Cute | Instructions | aaaddress1 | |
| my-Little-Ransomware | Instructions | aaaddress1 | |
| AES_NI | Instructions | *.aes_ni, *.aes256, *.aes_ni_0day | Avast |
| Alcatraz Locker | Instructions | *.Alcatraz | Avast |
| Apocalypse | Instructions | *.encrypted, *.FuckYourData, *.locked, *.Encryptedfile, *.SecureCrypted | Avast |
| ApocalypseVM | Instructions | *.encrypted, *.FuckYourData, *.Encryptedfile, *.SecureCrypted | Avast |
| BadBlock | Instructions | Doesn’t change file extension. Look for BadBlock in ransom note (32-Bit) | Avast |
| BadBlock | Instructions | Doesn’t change file extension. Look for BadBlock in ransom note (64-Bit) | Avast |
| Bart | Instructions | *.bart.zip | Avast |
| BigBobRoss | Instructions | *.obfuscated | Avast |
| BTCWare | Instructions | *.btcware, *.cryptobyte, *.cryptowin, *.theva, *.onyon | Avast |
| Crypt888 | Instructions | This ransomware adds Lock. to the beginning of file names | Avast |
| CryptFile2 | Instructions | *.CRYPTOSHIELD, *.rdmk, *.lesli, *.scl, *.code, *.rmd*.rscl | Avast |
| CryptoMix (Offline) | Instructions | *.CRYPTOSHIELD, *.rdmk, *.lesli, *.scl, *.code, *.rmd*.rscl, *.MOLE | Avast |
| CryptoShield | Instructions | *.CRYPTOSHIELD, *.rdmk, *.lesli, *.scl, *.code, *.rmd*.rscl, *.MOLE | Avast |
| Zeta | Instructions | *.CRYPTOSHIELD, *.rdmk, *.lesli, *.scl, *.code, *.rmd*.rscl | Avast |
| Crysis | Instructions | *.johnycryptor@hackermail.com.xtbl, *.ecovector2@aol.com.xtbl, *.systemdown@india.com.xtbl, *.Vegclass@aol.com.xtbl, *.{milarepa.lotos@aol.com}.CrySiS, *.{Greg_blood@india.com}.xtbl, *.{savepanda@india.com}.xtbl, *.{arzamass7@163.com}.xtbl, *.{3angle@india.com}.dharma, *.{tombit@india.com}.dharma, *.wallet | Avast |
| EncrypTile | Instructions | The ransomware adds the word “encryptTile” into a file name | Avast |
| EncrypTile | Instructions | *.EncrypTile | Avast |
| FindZip | Instructions | *.crypt | Avast |
| GandCrab | Instructions | *.GDCB, *.CRAB, *.KRAB, *.%RandomLetters% | Avast |
| Globe | Instructions | *.ACRYPT, *.GSupport[0-9], *.blackblock, *.dll555, *.duhust, *exploit, *.frozen, *.globe, *.gsupport, *.kyra, *.purged, *.raid[0-9], *.siri-down@india.com, *.xtlb, *.zendrz, *.zendr[0-9], *.hnyear | Avast |
| HiddenTear | Instructions | *.locked, *.34xxx, *.bloccato, *.BUGSECCCC, *.Hollycrypt, *.lock, *.saeid, *.unlockit, *.razy, *.mecpt, *.monstro, *.lok, *.암호화됨, *.8lock8, *.fucked, *.flyper, *.kratos, *.drypted, *.CAZZO, *.doomed | Avast |
| Jigsaw | Instructions | *.kkk, *.btc, *.gws, *.J, *.encrypted, *.porno, *.payransom, *.pornoransom, *.epic, *.xyz, *.versiegelt, *.encrypted, *.payb, *.payb, *.pays, *.payms, *.paymds, *,paymts, *.payrms, *.payrmts, *.paymrts, *.paybtcs, *.fun, *.hush, *.uk-dealer@sigaint.org, *.gefickt | Avast |
| LambdaLocker | Instructions | *.MyChemicalRomance4EVER | Avast |
| Legion | Instructions | *._23-06-2016-20-27-23_$f_tactics@aol.com$.legion, *.$centurion_legion@aol.com$.cbf | Avast |
| NoobCrypt | Instructions | NoobCrypt doesn’t change the file name. Leaves “ransomed.html” message | Avast |
| Stampado | Instructions | *.locked | Avast |
| SZFLocker | Instructions | *.szf | Avast |
| TeslaCrypt | Instructions | The latest version of TeslaCrypt doesn’t rename files. | Avast |
| XData | Instructions | *.~xdata~ | Avast |
| Apocalypse | Instructions | *.encrypted, *.FuckYourData, *.locked, *.Encryptedfile, *.SecureCrypted | AVG |
| ApocalypseVM | Instructions | *.encrypted, *.FuckYourData, *.locked, *.Encryptedfile, *.SecureCrypted | AVG |
| BadBlock 32-Bit | Instructions | Doesn’t change file extension. Look for BadBlock in ransom note | AVG |
| BadBlock 64-Bit | Instructions | Doesn’t change file extension. Look for BadBlock in ransom note | AVG |
| Bart | Instructions | *.bart.zip | AVG |
| Crypt888 | Instructions | This ransomware adds Lock. to the beginning of file names | AVG |
| MirCop | Instructions | Lock.{Original file name} | AVG |
| Legion | Instructions | *._23-06-2016-20-27-23_$f_tactics@aol.com$.legion, *..$centurion_legion@aol.com$.cbf or *.$centurion_legion@aol.com$.cbf to end of filename | AVG |
| SZFLocker | Instructions | *.szf | AVG |
| TeslaCrypt | Instructions | Decryptor for variant that doesn’t rename files | AVG |
| Annabelle | Instructions | *.ANNABELLE | BitDefender |
| Bart | *.Bart | BitDefender | |
| GandCrab (V1, V4 and V5 up to V5.2 versions) | Instructions | *.GDCB, *.CRAB, *.KRAB, *.%RandomLetters% | BitDefender |
| Juicy Lemon | Instructions | *.id-{number}_maestro@pizzacrypts.info | Bleeping Computer |
| PizzaCrypts | Instructions | *.id-{number}_, .id-{number}_sos@juicylemon.biz, .id-{number}_*@juicylemon.biz*protonmail.com*, .id-{number}_*@juicylemon.biz_BitMessage_* | Bleeping Computer |
| ODCODC | Instructions | *.odcodc | Bleeping Computer |
| Cryptorbit | Instructions | locks files and creates HowDecrypt.txt and HowDecrypt.gif | Bleeping Computer |
| Operation Global III | Instructions | *.exe | Bleeping Computer |
| BitStak | Instructions | *.bitstak | Bleeping Computer |
| GhostCrypt | Instructions | *.Z81928819 | Bleeping Computer |
| Jigsaw | Instructions | *.FUN, *.KKK, *.GWS, *.BTC | Bleeping Computer |
| Princess Locker | Instructions | Ransomware appends random characters to the file extension | Bleeping Computer |
| Aurora | Instructions | *.Nano | Bleeping Computer |
| FilesLocker v1 and v2 | Instructions | *.[fileslocker@pm.me] | Bleeping Computer |
| Everbe | Instructions | *.insane, *.DUESCRYPT, *.deuscrypt, *.Tornado, *.twist, *.everbe, *.embrace, *.pain, *.volcano | Bleeping Computer |
| InsaneCrypt | Instructions | *.[everbe@airmail.cc].everbe, *.embrace, *.pain | Bleeping Computer |
| Annabelle | Instructions | *.ANNABELLE | Bleeping Computer |
| CryptoDevil | Instructions | *.devil | Bleeping Computer |
| Zyka | Instructions | *.lock | Bleeping Computer |
| Unlock92 | Instructions | *.CRRRT | Bleeping Computer |
| CryptoHost | CryptoHost | Detected as Ransom:MSIL/Manamecrypt.A and Ransom_CRYPTOHOST.A. | Bleeping Computer |
| TorrentLocker | Instructions | *.encrypted, *.enc | Bleeping Computer |
| Alpha | Instructions | *.encrypt | BleepingComputer |
| BitKangaroo | Instructions | *.bitkangaroo | BleepingComputer |
| Crypt38 | Instructions | *.crypt38 | BleepingComputer |
| DCry | Instructions | *.dcry | BleepingComputer |
| MicroCop | Instructions | Adds Locked to the beginning of your encrypted files | BleepingComputer |
| Mole02 | Instructions | N/A | BleepingComputer |
| Offline CryptoMix | Instructions | *.CRYPTOSHIELD, *.scl, *.rscl, *.lesli, *.rdmk, *.code, *.rmd | BleepingComputer |
| PowerLocky | Instructions | *.locky | BleepingComputer |
| StrikedDecrypter | Instructions | *.Andrey.gorlachev@aol.com,*.nukem@mortalkombat.top, *.rap@mortalkombat.top, *.m.pirat@aol.com, *.duk@mortalkombat.top, *.jekabro@mortalkombat.top, *.bitcoin@mortalkombat.top | BleepingComputer |
| AnDROid | Instructions | *.android | BleepingComputer |
| Anti-DDos | Instructions | *.f*cked | BleepingComputer |
| Crypt0 | Instructions | *_crypt0 | BleepingComputer |
| Crypto-Blocker | Instructions | *.corrupted | BleepingComputer |
| CryptoLocker by NTK | Instructions | *.powned | BleepingComputer |
| CryptoSomware | Instructions | *.FailedAccess | BleepingComputer |
| DeriaLock | Instructions | *.deria | BleepingComputer |
| DoNotOpen | Instructions | *.killedXXX | BleepingComputer |
| EnkripsiPC | Instructions | *.bleeped | BleepingComputer |
| F*ckTheSystem | Instructions | *.anon | BleepingComputer |
| Harzhuangzi | Instructions | *.Harzhuangzi | BleepingComputer |
| Haters | Instructions | *.haters | BleepingComputer |
| Hitler | Instructions | *.Nazi | BleepingComputer |
| JeepersCrypt | Instructions | *.jeepers | BleepingComputer |
| Manifestus | Instructions | *.f*cked | BleepingComputer |
| Mikoyan | Instructions | *.MIKOYAN | BleepingComputer |
| NullByte | Instructions | *._nullbyte | BleepingComputer |
| SnakeEye | Instructions | *.SnakeEye | BleepingComputer |
| Xncrypt | Instructions | *.xncrypt | BleepingComputer |
| Mole | Instructions | *.mole | CERT-PL |
| BarRax | Instructions | *.barrax | Check Point |
| Merry X-Mas | Instructions | *.PEGS1, *.MRCR1, *.RARE1, *.MERRY, *.RMCM1 | Check Point |
| Jigsaw | Instructions | *.FUN, *.KKK, *.GWS, *.BTC | Check Point |
| Pylocky | Instructions | RANSOM_PYLOCKY.A | Cisco |
| TeslaCrypt | Instructions | {original file name}.ECC | Cisco |
| Thanatos | Instructions | *.THANATOS | Cisco |
| Nanolocker | Instructions | Cyberclues | |
| Popcorn | Instructions | *.filock | Elevenpaths |
| Decrypt Protect | Instructions | *.html | Emsisoft |
| 777 | Instructions | *.777 | Emsisoft |
| Al-Namrood | Instructions | *.unavailable, *.disappeared | Emsisoft |
| Amnesia2 | Instructions | *.amnesia | Emsisoft |
| Apocalypse | Instructions | *.encrypted, *.FuckYourData, *.Encryptedfile, *.SecureCrypted | Emsisoft |
| ApocalypseVM | Instructions | *.encrypted, *.locked | Emsisoft |
| Aurora | Instructions | *.Aurora, *.aurora, *.animus, *.cryptoid, *.peekaboo, *.isolated, *.infected, *.locked | Emsisoft |
| AutoLocky | Instructions | *.locky | Emsisoft |
| BadBlock | Instructions | Doesn’t change file extension. Look for BadBlock in ransom note | Emsisoft |
| Cry128 | Instructions | *.fgb45ft3pqamyji7.onion.to._ or *.id__gebdp3k7bolalnd4.onion._’ or *.id__2irbar3mjvbap6gt.onion.to._ or *.id-_[qg6m5wo7h3id55ym.onion.to].63vc4 | Emsisoft |
| Cry9 | Instructions | *.fgb45ft3pqamyji7.onion.to._, 8.id__gebdp3k7bolalnd4.onion._, *.id__2irbar3mjvbap6gt.onion.to._, *.id-_[qg6m5wo7h3id55ym.onion.to].63vc4 | Emsisoft |
| CrypBoss | Instructions | *.crypt, *.R16M01D0 | Emsisoft |
| CryptInfinite | Instructions | *.CRINF | Emsisoft |
| CryptoDefense | Instructions | Identifes as CryptoDefense leaves note HOW_DECRYPT.txt | Emsisoft |
| Crypton | Instructions | *.id-_locked, *.id-_locked_by_krec, *.id-_locked_by_perfect, *.id-_x3m, *.id-_r9oj, *.id-_garryweber@protonmail.ch, *.id-_steaveiwalker@india.com_, *.id-_julia.crown@india.com_, *.id-_tom.cruz@india.com_, *.id-_CarlosBoltehero@india.com_,*.id-_maria.lopez1@india.com_ | Emsisoft |
| Damage | Instructions | *.damage | Emsisoft |
| DMALocker | Instructions | DMALocker with ID “DMALOCK 41:55:16:13:51:76:67:99 | Emsisoft |
| DMALocker2 | Instructions | DMALocker2 with ID “DMALOCK 43:41:90:35:25:13:61:92 | Emsisoft |
| Fabiansomware | Instructions | *.encrypted | Emsisoft |
| FenixLocker | Instructions | *.centrumfr@india.com!! | Emsisoft |
| GetCrypt | Instructions | Appends a random 4-character extension to files | Emsisoft |
| Globe | Instructions | *.purge, *.globe, *.okean-1955@india.com.!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg.xtbl. | Emsisoft |
| Globe2 | Instructions | *.raid10, *.blt, *.globe, *.encrypted,*[mia.kokers@aol.com] | Emsisoft |
| Globe3 | Instructions | *.decrypt2017, *.hnumkhotep | Emsisoft |
| GlobeImposter | Instructions | *.crypt | Emsisoft |
| Gomasom | Instructions | *.crypt | Emsisoft |
| Harasom | Instructions | *.html and note from Spamhaus or US Department of Justice | Emsisoft |
| HKCrypt | Instructions | *.hacked | Emsisoft |
| HydraCrypt | Instructions | *.hyrdacrypt, *.umbrecrypt | Emsisoft |
| UmbreCrypt | Instructions | *.hydracrypt, *.umbrecrypt | Emsisoft |
| ImS00rry | Instructions | Emsisoft | |
| JSWorm 4.0 | Instructions | *.[ID-9LF5BNP][symmetries@tutamail.com].JSWRM | Emsisoft |
| JSWorm | Instructions | *.[ID.194958][remarkpaul77@cock.li].JSWORM | Emsisoft |
| KeyBTC | Instructions | Leaves ransom note called Decrypt_Your_Files.txt on your system that asks you to contact keybtc@inbox.com for decryption. | Emsisoft |
| LeChiffre | Instructions | *.LeChiffre and the ransom note asks you to contact decrypt.my.files@gmail.com via email. | Emsisoft |
| Instructions | *.lcphr | Emsisoft | |
| Marlboro | Instructions | *.oops | Emsisoft |
| MegaLocker | Instructions | *.nampohyu | Emsisoft |
| MRCR or Merry X-Mas | Instructions | *.PEGS1, *.MRCR1, *.RARE1, *.MERRY, *.RMCM1 | Emsisoft |
| Nemucod | Instructions | *.crypted and you find a ransom note named DECRYPT.txt on your desktop. | Emsisoft |
| NemucodAES | Instructions | Does not change file extension and a ransom note named “DECRYPT.hta” can be found on your desktop. | Emsisoft |
| NMoreira | Instructions | *.maktub, *._AiraCropEncrypted! | Emsisoft |
| OpenToYou | Instructions | *.-opentoyou@india.com | Emsisoft |
| OzozaLocker | Instructions | *.locked With a ransom note named “HOW TO DECRYPT YOU FILES.txt” on your desktop. Note is from santa_helper@protonmail.com | Emsisoft |
| PClock | Instructions | Doesn’t change extension look for enc_files.txt | Emsisoft |
| Pewcrypt | Instructions | *.PewCrypt | Emsisoft |
| Philadelphia | Instructions | *.locked | Emsisoft |
| Planetary | Instructions | *.mira | Emsisoft |
| Radamant | Instructions | *.rdm, *.rrk | Emsisoft |
| Stampado | Instructions | *.locked Known variants of this ransomware ask victims to contact paytodecrypt@sigaint.org, getfiles@tutanota.com, successl@qip.ru, clesline212@openmailbox.org or ransom64@sigaint.org | Emsisoft |
| Syrk | Instructions | *.Syrk | Emsisoft |
| Xorist | Instructions | *.EnCiPhErEd, *.0JELvV, *.p5tkjw, *.6FKR8d, *.UslJ6m, *.n1wLp0, *.5vypSa, *.YNhlv1 | Emsisoft |
| ZQ | Instructions | *.zq | Emsisoft |
| WannaCryFake | Instructions | *.wannacry | Emsisoft |
| Avest | Instructions | *.ckey().email().pack14 | Emsisoft |
| TeslaCrypt | Instructions | *.xxx, *.ttt, *.micro, *.mp3 | ESET |
| Virlock | Instructions | *.exe | ESET |
| Crysis | Instructions | *.xtbl, *.crysis, *.crypt, *.lock, *.crypted, *.dharma, *.wallet, *.onion | ESET |
| Simplocker | Instructions | ESET | |
| Trustezeb | Instructions | ESET | |
| Mira | Instructions | *.mira | F-Secure |
| TeslaCrypt | Instructions | *.vvv, *.ccc, *.zzz, *.aaa, *.abc | Googulator |
| 7even-HONE$T | Python Script | {sequential number}.R4A or{sequential number}.R5A | hasherezade |
| Bitcryptor | Instructions | .cvlst | Kaspersky |
| Agent.iih | Instructions | Kaspersky | |
| Aura | Instructions | Kaspersky | |
| AutoIT | Instructions | {Original Filename}@<mail server>_.<random_set_of_characters>. | Kaspersky |
| AutoLT | Instructions | Renames files “<original_name>@<mail server>_.<random_set_of_characters>” | Kaspersky |
| Bitman v.3 | Instructions | *.xxx, *.ttt, *.micro, *.mp3 | Kaspersky |
| Bitman v.4 | Instructions | Does not change file extension. | Kaspersky |
| Cerber | Instructions | {10 random characters}.cerber | Kaspersky |
| Chimera | Instructions | {Original file name}.crypt | Kaspersky |
| Cryptokluchen | Instructions | Kaspersky | |
| Crysis | Instructions | id}.{email address}.xtbl, crypt | Kaspersky |
| Democry | Instructions | *._date-time_$address@domain$.777 OR *._date-time_$address@domain$.legion | Kaspersky |
| Dharma | Instructions | *.wallet | Kaspersky |
| Jaff | Instructions | *.Jaff | Kaspersky |
| Lamer | Instructions | Kaspersky | |
| Lobzik | Instructions | *.fun, *.gws, *.btc, *.AFD, *.porno, *.pornoransom, *.epic, *.encrypted, *.J, *.payransom, *.paybtcs, *.paymds, *.paymrss, *.paymrts, *.paymst, *.paymts, *.payrms | Kaspersky |
| Lortok | Instructions | *.crime | Kaspersky |
| Pletor | Instructions | Kaspersky | |
| Rakhni | Instructions | *.locked, *.kraken | Kaspersky |
| Rotor | Instructions | *.!____GLOK9200@GMAIL.COM____.tar, *.!____cocoslim98@gmail.com____.tar | Kaspersky |
| TeslaCrypt v3 | Instructions | {original file name}.XXX or TTT or MP3 or MICRO | Kaspersky |
| TeslaCrypt v4 | Instructions | File name and extension are unchanged | Kaspersky |
| XData | Instructions | *.~xdata~ | Kaspersky |
| AutoLT | Instructions | Renames files “<original_name>@<mail server>_.<random_set_of_characters>” | Kaspersky |
| Cryakl | Instructions | Infected with Trojan-Ransom.Win32.Cryakl (also tags end of file name with{CRYPTENDBLACKDC}) | Kaspersky |
| Crybola | Instructions | Infected with Trojan-Ransom.Win32.Crybola | Kaspersky |
| CryptXXX v1 | Instructions | {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters | Kaspersky |
| CryptXXX v2 | Instructions | {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters | Kaspersky |
| CryptXXX v3 | Instructions | {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters | Kaspersky |
| Fury | Instructions | Infected with Trojan-Ransom.Win32.Fury | Kaspersky |
| Marsjoke | Instructions | *.a19 or *p19 | Kaspersky |
| Polyglot | Instructions | Infected with Trojan-Ransom.Win32.Polyglot | Kaspersky |
| Rannoh | Instructions | Renames files “locked-<original_name>.<four_random_letters>” | Kaspersky |
| Shade | Instructions | *.xtbl, *.ytbl, *.breaking_bad, *.heisenberg | Kaspersky |
| Wildfire | Instructions | *.wflx | Kaspersky |
| Xorist | Instructions | *.xorist (or adds a random extension) | Kaspersky |
| Rector | Instructions | Trojan-Ransom.Win32.Rector | Kaspersky |
| Scraper | Instructions | Trojan-Ransom.Win32.Scraper | Kaspersky |
| Crysis | Instructions | *.johnycryptor@hackermail.com.xtbl, *.ecovector2@aol.com.xtbl, *.systemdown@india.com.xtbl, *.Vegclass@aol.com.xtbl, *.{milarepa.lotos@aol.com}.CrySiS, *.{Greg_blood@india.com}.xtbl, *.{savepanda@india.com}.xtbl, *.{arzamass7@163.com}.xtbl, *.{3angle@india.com}.dharma, *.{tombit@india.com}.dharma, *.wallet | Kaspersky |
| CoinVault | Instructions | *.cvlst | Kaspersky |
| FortuneCrypt | Instructions | Kaspersky | |
| Yatron | Instructions | *.yatron | Kaspersky |
| Petya | Instructions | leo-stone | |
| TeslaCrypt | Instructions | *.xxx, *.ttt, *.micro, *.mp3 | McAfee |
| TeslaCrypt V3 | Instructions | *.mp3, *.micro, *.xxx, *.ttt | McAfee |
| PoshCoder | PoshCoder | *.locky | pan-unit42 |
| Crypren | Instructions | *.encrypted | pekeinfo |
| Alma | Instructions | Adds 5 random characters at the end of each file and a unique 8 character victim ID | PHISHLABS |
| Lock Screen USB | Instructions | Lockscreen ransomware | Trend Micro |
| Lock Screen | Instructions | Lockscreen ransomware | Trend Micro |
| 777 | Instructions | {Original file name}.777 | Trend Micro |
| AutoLocky | Instructions | {Original file name}.locky | Trend Micro |
| Cerber .v1 | Instructions | {10 random characters}.cerber | Trend Micro |
| Chimera | Instructions | {Original file name}.crypt | Trend Micro |
| DemoTool | Instructions | *.demoadc | Trend Micro |
| DXXD v.1 | Instructions | {Original file name}.{Original extension}dxxd | Trend Micro |
| Globe .v1 | Instructions | {Original file name}.purge | Trend Micro |
| Globe .v2 | Instructions | {Original file name}.{email address + random characters} | Trend Micro |
| Globe v.3 | Instructions | Extension not fixed or file name encrypted | Trend Micro |
| Jigsaw | Instructions | *.FUN, *.KKK, *.GWS, *.BTC | Trend Micro |
| LeChiffre | Instructions | {Original file name}.LeChiffre | Trend Micro |
| MirCop | Instructions | Lock.{Original file name} | Trend Micro |
| Nemucod | Instructions | {Original file name}.crypted | Trend Micro |
| Purge v.1 | Instructions | {Original file name}.purge | Trend Micro |
| Purge v.2 | Instructions | {Original file name}.{email address + random characters} | Trend Micro |
| Purge v.3 | Instructions | {Original file name}.{email address + random characters} | Trend Micro |
| SNSLocker | Instructions | {Original file name}.RSNSLocked | Trend Micro |
| Stampado | Instructions | *.locked | Trend Micro |
| Teamxrat | Instructions | {Original filename}.__xratteamLucked | Trend Micro |
| TeleCrypt | Instructions | {Original file name} | Trend Micro |
| TeslaCrypt v3 | Instructions | {original file name}.XXX or TTT or MP3 or MICRO | Trend Micro |
| TeslaCrypt v4 | Instructions | File name and extension are unchanged | Trend Micro |
| XORBAT | Instructions | {Original file name}.crypted | Trend Micro |
| Xorist | Instructions | *.xorist (or adds a random extension) | Trend Micro |
| Xpan | Instructions | {Original filename}.__xratteamLucked | Trend Micro |
| Instructions | {original file name}.ECC | Trend Micro | |
| BadBlock | Instructions | Doesn’t change file extension. Look for BadBlock in ransom note | Trend Micro |
| MacRansom | Instructions | Trend Micro | |
| 777 | Instructions | *.777 | Trend Micro |
| CryptXXX v1 | Instructions | {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters | Trend Micro |
| CryptXXX v2 | Instructions | {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters | Trend Micro |
| CryptXXX v3 | Instructions | {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters | Trend Micro |
| CryptXXX v4 | Instructions | *.5 hexadecimal characters | Trend Micro |
| CryptXXX v5 | Instructions | *.5 hexadecimal characters | Trend Micro |
| Crysis | Instructions | *.johnycryptor@hackermail.com.xtbl, *.ecovector2@aol.com.xtbl, *.systemdown@india.com.xtbl, *.Vegclass@aol.com.xtbl, *.{milarepa.lotos@aol.com}.CrySiS, *.{Greg_blood@india.com}.xtbl, *.{savepanda@india.com}.xtbl, *.{arzamass7@163.com}.xtbl, *.{3angle@india.com}.dharma, *.{tombit@india.com}.dharma, *.wallet | Trend Micro |
| TeslaCrypt V2 | Instructions | {original file name}.VVV, CCC, ZZZ, AAA, ABC, XYZ | Trend Micro |
| XRatTeam | Instructions | *.xratteamLucked | Trend Micro |
