<link href="//fonts.googleapis.com/css?family=Roboto+Slab:700%7CRoboto:700%7CRoboto:normal" rel="stylesheet">

Free Decryption Tools to Retrieve Files Encrypted by Ransomware

Ransomware is an evil malware that encrypts the victim’s files and then requests payment in return for the key to decrypt the encrypted data. Initially popular in Russia, the use of ransomware has grown internationally and has gone mainstream with several high-profile attacks. While many victims are paying the ransom trying to get their data back, many security firms have been working hard on the solutions to stop this cyber criminal.


AVG Virus Lab recently released six free decryption tools for recent ransomware strains. Good news for the victims of these six kinds of ransomware because they can take back what’s theirs without paying a cent to the criminals.

Before you run these tools to recover your data, it’s recommended you run a full scan of the infected computer and back up the encrypted files to an external storage so you can do the decryption on an uninfected computer. You will also need to identify the strain that causes the problem, and run the appropriate decryption tool.


The Apocalypse ransomware appends “.encrypted”, “.locked”, or “.SecureCrypted” to names of encrypted files and creates ransom messages in files with extensions “.How_To_Decrypt.txt”, “.README.Txt”, or “.Contact_Here_To_Recover_Your_Files.txt”.

There are two separate decryption tools for this strain, one for the early version of Apocalypse and the other one for the current version.



If you see this popping up on your computer, you are the victim to the BadBlock. But there is hope in the decryption tool, 32-bit and 64-bit.


Crypt888, aka Mircop, creates encrypted files with the prepended name “Lock.” and changes your desktop’s wallpaper to the following image:


The decryption tool can be downloaded here.

Note that Crypt888 is a badly-written piece of software that can’t even decrypt some of the encrypted files it created. So, AVG’s decryption may not be effective.


Legion encrypts and renames your files with names like “example.docx.[email protected]$.legion“, and changes the desktop wallpaper with a warning block about your encrypted files:


The decryption tool is available here.


The name of this ransomware originates from a string that is appended to the names of encrypted files (e.g. example.docx.szf). The original files are rewritten with the following Polish message:


You can find the decryption tool here.


The encrypted files come with different extensions, such as .vvv, .micro, .mp3, or with the original name only. It also displays a message like the following:


The decryption tool is available here and only supports decryptions of files encrypted by TeslaCrypt v3 and v4.

A few words

Obviously, the tools listed here won’t be able to cover all of the variations of the ransomware family. In fact, it’s still hopeless if you are hit by one of the top 3 ransomware in the wild today. But it’s a start. We intend to keep this post up-to-date as new decryption tools made available to the public. And if you know something that is not listed here, please share them in the comment.

Leave a Reply