Ransomware attacks are dominating news headlines, with ransomware-as-a-service (RaaS) operators actively seeking to exploit network vulnerabilities and infect unsuspecting victims. The healthcare sector and financial industry are especially vulnerable to ransomware attacks, as they store valuable personally identifiable data (PII) which can be misused to carry out lucrative crimes, like identity theft and fraud.
During a successful ransomware attack, cyber attackers encrypt this sensitive data, preventing organizations from accessing it. The attackers then demand a hefty cryptocurrency ransom payment in exchange for a decryption key that provides access to it again.
If your organization is infected by ransomware, time is of the essence to prevent further data breaches. Thankfully, there are now many free decryption tools available to help you defend against common variants of ransomware. Read on to learn how to decrypt ransomware and prevent future infections through defensive measures.
How To Recover Data From a Ransomware Attack
In the event of a ransomware attack, follow these steps to recover your data. If you’re not sure what ransomware is, read our guide to ransomware here.
1. Find the Source of Infection
Ransomware spreads quickly once it has entered a target system. Many ransomware or malware types, such as cryptoworms, will actively seek multiple infection points. A fast response is crucial to preventing a costly data breach.
Firstly, you must identify the source of infection and isolate it from all other devices on the network – both physically and electronically.
The isolation process involves:
- Unplugging the device’s power source.
- Disconnecting the device from Wi-Fi and other network connections.
- Removing any connected devices, e.g. external storage.
There’s a high chance that the ransomware has entered through more than one device. You should also treat all devices connected to the first identified source of infection with similar caution and follow appropriate cybersecurity measures.
2. Identify the Type of Ransomware You're Infected With
You’ll need to identify which type of ransomware is infecting your systems to take the most appropriate restorative actions. Kaspersky research shows ransomware is rapidly evolving, with new variants emerging at pace with the growing number of attacks.
While many hackers will identify themselves through the filename of their ransom notes or encrypted files (.exe or .txt). Aside from relying on the file extension, there are also many identification sites now available such as: Crypto Sheriff and ID Ransomware.
3. Report to Law Enforcement
Ransomware attackers will demand payment in Bitcoin (or another cryptocurrency) in exchange for a private key to unlock your encrypted files. Most law enforcement agencies urge ransomware victims not to pay the ransom. In many cases, ransom payment only encourages further financial demands and there is no guarantee you will be given access back to your data. Reporting the attack will provide authorities with relevant information to assist in identifying the perpetrators in your case and other similar ransomware attacks.
Learn how to reduce the impact of ransomware attacks.
4. Restore Systems From a Back-Up
Given the rapid development of ransomware and many different types, there is no single way to remove it from your systems. If you have an external backup available, you should completely wipe your systems to restore the original files. Ensure the backup is from a date prior to the ransomware attack to prevent re-infection.
Keep in mind that removing the ransomware doesn’t necessarily decrypt files or restore original files – this can only be done using a ransomware decryptor (if available for the variant of infection). It’s best not to rely solely on these tools and to instead adopt ransomware prevention measures, such as the 3-2-1 backup strategy and installing an anti-malware / anti-virus solution, to protect against future attacks.
Top 10 Free Ransomware Decryption Tools
There are currently many free ransomware decryption tools available for some of the most common types of ransomware. Below are the top 10 free decryptor tools to help you recover files encrypted following a ransomware attack.
1. Avast Ransomware Decryption Tools
Avast currently offers 30 free ransomware decryption tools for Microsoft Windows operating systems. Some ransomware variants covered include:
- Alcatraz Locker
- CryptoMix (Offline)
- Troldesh / Shade
AVG currently offers 7 free ransomware decryption tools, for the following variants:
Emsisoft currently offers 84 free ransomware decryption tools, such as:
- REvil / Sodinokibi
- Unknown XTBL
Kaspersky currently offers 6 free ransomware decryption tools, for the following variants:
- Shade Decryptor
- Rakhni Decryptor
- Rannoh Decryptor
- CoinVault Decryptor
- Wildfire Decryptor
- Xorist Decryptor
McAfee’s Ransomware Recover (Mr2) is a framework designed to alleviate the time and resources required to develop a decryption framework from members of the cybersecurity community who have decryption keys and decryption logic.
6. No More Ransom Project
The No More Ransom Project is a joint initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee. The project aims to help victims of ransomware retrieve their encrypted data and avoid paying ransom to cybercriminals.
7. Quick Heal
Quick Heal currently offers 20 free ransomware decryption tools, such as:
- STOP Djvu
8. Trend Micro
Trend Micro currently offers 27 free ransomware decryption tools, such as:
- Globe / Purge
- CryptXXX v1,v2,v3,v4,v5
WannaDecrypt is a free ransomware decryption tool for 5 ransomware variants, including:
Based off WannaDecrypt, Wanakiwi is a free ransomware decryption tool for systems affected by WannaCry ransomware.
Ransomware decryption tools should only be used in the final stages of a comprehensive ransomware defense strategy if all other security controls fail.
To learn how to implement a series of security controls to reduce the impact of ransomware attacks and potentially avoid the need for decryption tools, read this post.