How to Decrypt Ransomware

This page was created to help users decrypt Ransomware.

Ransomware can be devastating. They get in your system and render all your files inaccessible until you pay a demanded ransom. Often, even paying the ransom won’t restore the access to your files. Fortunately, there are quite a few free decryptor tools, that you can download online. They are not universal panacea – often they will not be able to decrypt files targeted by the most modern encryption protocols. But for older ransomware they will do their job just fine – after all plenty of those older ransomware programs are still active around the web.

  • Remember that paid decryptors are almost always a rip-off compilation from a number of free tools OR created by the hackers themselves. All programs that are actually able to decrypt ransomware don’t require payment!
  • Decryptor tools are not to be confused with anti-malware programs that specialize in removing the virus itself, as these two types of software supplement each other.



Before you begin restoring your files you need to make sure that the Ransomware program itself has been neutralized. Use the guide you came from to remove it, or it may encrypt your files again. For the best result we advise you to download SpyHunter and use it together with our instructions to locate the source of the infection and delete it for good.



Below you will find a list of free decryption tools that can possibly help you recover your files. However, you need the right tool for the type of encryption used on your files. To learn that use ID Ransomware – a free online service that will tell you which ransomware is currently messing with your files. You’ll be asked to upload the ransom note file (usually found on your desktop), as well as a sample encrypted file.

ID ransomware

Click on Choose file in each highlighted field and navigate to the files in question

Once it’s done analyzing ID Ransomware will tell you exactly which ransomware version you are dealing with.

Below you will find a list of all known ransomware file decryptors. Browse through the list and look for a decryptor for your particular type of ransomware. They are listed both by virus name and by extension used on your files.



We do not 100% guarantee any of these will work and they are provided by their creators as is, but most of the time they will get the job done!

  • Naturally, before you try any of them it is recommended that you make backups for all files.
  • Autolocky – file extension: .locky
  • Nemucod – file extension: .crypted
  • DMALocker2 – file extension: unchanged
  • DMALocker – file extension: unchanged
  • Gomasom – file extension: .crypt
  • LeChiffre – file extension: .lechiffre
  • KeyBTC – file extension: .[email protected]_com
  • Radamant – file extension: .rdm or .rrk
  • PClock – file extension: unchanged
  • CryptoDefense – file extension: unchanged
  • Harasom – file extension: .HTML
  • Decrypt Protect – file extension: .HTML
  • Apocalypse – .encrypted
  • ApocalypseVM variant – .ecrypted .locked
  • Xorist – .cerber (for the Cerber ransomware including .cerber and .cerber2 look below)
  • Globe ransomware – .globe

A company called Emsisoft has created decryptors for all above mentioned ransomware programs. Kudos to those guys.

Click to see how to use all decryptors from Emsisoft

Emsisoft is a company that specialized in ransomware decryption and they are doing a pretty good job at that. You can download all decryptors for the ransomware from the list above from their website here.

Their decryptors are user-friendly and there’s nothing difficult about using them. Most decryptor tools by Emsisoft have similar interface and are used in the same way. Simply run the tool designed for the specific ransomware(no installation required) and in the resulting window choose the folder/disk you’d like to have decrypted. You can add or remove folders with the buttons below. Once you’re ready, simply select the folder in question and click on Decrypt.


HydraCrypt and UmbreCrypt – file extension: .hydracrypt and .umbrecrypt

Click to see how to decrypt files infected by HydraCrypt and UmbreCrypt
Those two ransomware viruses are the latest additions to CrypBoss ransomware. The decryptor is also developed by Emsisoft. Here’s a download link for this decryptor.

This decryptor tool works a bit differently compared to most other decryptors by Emsisoft and this is the reason we separated the instructions on how to use it from the rest. In order to use it, you will need to find an encrypted file on your computer, where you also have its un-encrypted version. Once you have the pair, you’ll need to select both of them and drag-drop them over the tool’s icon.

In case you’re unable to get such a pair (pretty likely scenario), find an encrypted PNG file (basically a picture, Windows has sample PNG picture files in the Picture category in My Documents) in your system and then download a random PNG picture from the internet. The files in question need not be the same – only the extension matters! Use the two PNG files as your pair. Doing this will enable the decryptor to bust the code for the encryption.


Note that this guide method may apply to future Emsisoft decryptors as well.

Petya password generator – no extension, whole HDD is locked

Click to see detailed instructions on how to handle Petya
Petya is among the latest of ransomware viruses. It renders your PC unbootable and also makes you unable to enter safe-mode. In other words, this virus encrypts your whole PC. Decrypting files by Petya is therefore a bit more complicated.

First you will need to unplug your infected HDD/SSD and plug it into another machine. Make sure the other computer has an anti-virus installed and running! Petya should be already inert, but we don’t want to take any chances.

Now download and start the Petya Sector Extractor by Wosar. It will scan the infected HDD and extract the relevant data, which you’ll copy and use to fill in the fields of this site Here. Once done hit submit and you will get a code. Write it down on paper. Put the HDD back into your PC and start Windows as normal. When Petya prompts for the key use it and you should now have access to your files..

Operation Global III – file extension: .exe

Click to see how to deal with Operation Global III
An important note about this particular ransomware is that each file that it has encrypted are potential carriers of the virus. Therefore, do not, under any circumstances, transfer encrypted files to other computers/devices.

The name of the tool used here is OG3 Patcher. Click here to download. This tool is simple and easy to use. Once you’ve downloaded it, just run it and in the resulting window click on Patch. After the patching has finished a simple double-click on any encrypted files should be enough to bring them back to normal.


Keep in mind that using this tool to decrypt executable files might occasionally render them unusable, therefore, you may need to reinstall the program associated with them. This happens due to the fact that the ransomware itself is problematic and there is nothing really that can be done about it. Also, it is strongly advised that you reinstall your whole OS  and format all affected drives (or at least do a deep security sweep) once you’ve secured and backed-up any important files. This will ensure that there are no traces of Operation Global III left on your machine.

TeslaCrypt – file extensions .ECC, .EXX, and .EZZ

Click to see how to recover TeslaCrypt files with the .ECC, .EXX or .EZZ extension
Talos decryptor by Cisco –  you can download the decryptor from here. This command line tool helps you bust the code that is used for the encryption of your files by the early TeslaCrypt ransomware virus. It will not work for TeslaCrypt version 2.0 and later (which has other file extensions), for those look at the other decryptor below.

In order to use this tool you’ll need the “key.dat” file that is created by TeslaCrypt. The tool will NOT work without this file, period!

The tool will automatically search for “key.dat” in the original location of the file, if it doesn’t find it there it will look in the directory it has been installed it. If it doesn’t find it there it will exit with an error message. Make sure “key.dat” is found in either of these two directories!

You will need to input the directory you need decrypted. You’ll need to provide either the path of the name of file to be decrypted.

For example if you dump everything in a directory called Decryption that is located in the C drive you need to write the following:


Group the files you need decrypted, enter the directory, hit enter and you are done!

The tool supports the following command line options

  • /help – Shows the help messages
  • /key – Specify the master key for the decryption manually  (32 bytes/64 digits)
  • /keyfile – Specify a specific path to the “key.dat” file, other than the default.
  • /file – Input name of specific file to be decrypted.
  • /dir – Selected directory will have all files decrypted.
  • /scanEntirePc – This will scan your entire PC for .ecc files.
  • /KeepOriginal – This will keep the encrypted copies after decryption is done.
  • /deleteTeslaCrypt – This command will kill any active TeslaCrypt dropper files

TeslaCrypt – file extensions .micro, .xxx, .ttt, .mp3 or “unchanged”

Here we handle TeslaCrypt with the .micro, .xxx, .ttt, .mp3 and unchanged extensions
Decryptor name TeslaCrypt Decryptor – This decryption tool was developed by the antivirus company ESET. It can be obtained from their official site here.

  1. Download the Decryptor and save it to your Desktop
  2. Open your start menu and search for Command Prompt (or CMD). Right Click on the executable file and select Run as Administrator
  3. Type the following command inside – cd %userprofile%\Desktop – type the command as written here, you do not need to replace userprofile with your username.
  4. Type ESETTeslaCryptDecryptor.exe and hit Enter.
  5. Type ESETTeslaCryptDecryptor.exe C: and hit Enter to scan your C drive. Do the same with other drive letters if you have D, E, F installed etc.
  6. Files encrypted by TeslaCrypt (extensions .micro, .xxx, .ttt, .mp3 or “unchanged”) will be decrypted automatically eset

BitCryptor and CoinVault – file extension: 7z.encrypted

Click to see instructions for the BitCryptor and CoinVault with 7z.encrypted extension
Last year Kaspersky busted the codes used by those two ransomware programs and have released a decryptor that will aid with restoring access to your files. You can download the free tool from here. Unzip the compressed file and run the decryptor. It’s simple and easy to use.

  1. Once you open it, click on Start Scan. A file-selection window will open.
  2. Here, you’ll need to navigate to a specific file named filelist.cvlst. This is a file left by the ransomware and locating it is required to proceed with the decryption process.
  3. If you’re unable to locate that file, you’ll have to move all your encrypted files into a single folder and use the Folder with encrypted files. This setting can be accessed from the decryptor main window by clicking on Change Parameters.
  4. After the setting is checked, carry on with the scanning, this time choosing the folder with all encrypted files in the file-selection window.
  5. After the decryptor is done unlocking your files, it will make accessible copies of them with decryptedKLR added to their names. If you want the program to outright replace the encrypted files with the decrypted ones, you can choose that setting from Change Parameters.

4 (3) 6 (2)

Kaspersky has also developed decryptors for the following ransomware viruses:

Rector  – file extension: unknown

Rakhni  – file extension: .locked

.kraken; .nochance; .oshit; .[email protected]_com; .[email protected]_com; .crypto; .[email protected]; .[email protected]_com; .[email protected]_com; .crypt; .[email protected]_com; .[email protected]_com; .[email protected]_com; .[email protected]_com; .encrypted; .cry .AES256; .enc; .[email protected]_com_id371; [email protected]_com_id372 .[email protected]_com_id374; .[email protected]_com_id375; .[email protected]_com_id376; .[email protected]_com_id392; .[email protected]_com_id357; .[email protected]_com_id356; .[email protected]_com_id358; .[email protected]_com_id359; .[email protected]_com_id360; .[email protected]_com_id20; .[email protected]_characters; .hb15;

.[email protected]$.777; .xxx; .ttt; .micro; .mp3

Scatter  – file extensions: .pzdc .crypt .good

Xorist – file extension: unknown

Rannoh  – possible file extensions locked-<original_name>.<four_random_letters> ; <original_name>@<mail server>_<random_set_of_characters> ; <original_name>.crypt

The instructions on how to tackle these are there

Rector (decryptor link)

Rakhni (decryptor link)

Scatter (decryptor link)

Xorist (decryptor link)

Rannoh (decryptor link)

Please note that decryptors for all of these ransomware are pretty similar to the one used for CoinVault and BitCryptor above, so if you follow the guide for that one, you should do fine with the rest of these tools.

Trend Micro’s Decrypter will allow you to decrypt files affected by:

TeslaCrypt(v3, v4) – extensions .micro, .xxx, .ttt, .mp3 or “unchanged

AutoLocky – extension: .locky

SNSLockeр – extension: .RSNSlocked

CryptXXX(v1, v2, v3) – extension: .crypt

Click to see how to handle files affected by TeslaCrypt(v3, v4); AutoLocky; SNSLocker; CryptXXX(v1, v2, v3)

This is a tool developed by Trend Micro that will help you with the decryption of your files. There are several ransomware encryptions that this tool can deal with. We’ve listed them above. To download the decryptor click here.

  1. Once you’ve downloaded the tool, open it and accept End User License Agreement.
  2. Now click on Select and from the list choose the ransomware that has encrypted your files.
  3. After that, click on Select and Decrypt. Choose the file or folder that you’d like to have decrypted and click on OK. Know that different ransomware encryptions take different time to be unlocked, so be patient.
  4. If your files have been locked by CryptXXX, then you may need to provide a pair of an encrypted and normal file. Therefore, it is a good idea to keep a backup of important files, in case anything like this happens.

Jigsaw – file extensions: .fun; .kkk; .gws; .btc; .PAYSM


Click here for how to obtain the decryptor for Jigsaw
This particular ransomware program, once inside your PC, will not only lock your files but will also gradually delete them if you don’t pay the demanded ransom.  This is a direct link for downloading the decryptor and its courtesy to the Bleeping Computers forum.

  1. After you download the decryptor, double-click on it and then click on Select Directory. Find the folder/es containing the encrypted files, select it and click on OK. Tip: to make it easier for both you and the decryptor, you may want to first gather all your encrypted files into a single folder.
    5      7
  2. Now, all you need to do is click on Decrypt my files. You can check the option Delete Encrypted Files if you so desire.


CryptXXX – file extensions: .crypz and .crypt1 ONLY

Click here for how to obtain the decryptor for CrypXXX

This one is not actually a decrypter, but rather a bug with the decryptor system itself. It appears that victims of the ransomware with the .crypz and .crypt1 ransomware can follow the instructions as outlined by the ransomware itself and decrypt their files without paying for it! Hurry before the hackers realize their mistake and fix this issue!

The ODCODC ransomware

Click here for how to obtain the decryptor for ODCODC

Download link is here

Breaking Bad themed ransomware with the following file extensions:

.xtbl, .ytbl, .breaking_bad, .heisenberg.

Click here for how to obtain the decryptor for the Breaking Bad themed ransomware

Download link is here.

The decryptor is provided by Kaspersky Labs and is fairly simple to use – download, run it and select the appropriate locations to scan. It will do the rest on its own.

Cerber ransomware with the following file extensions:

.cerber and .cerber2

Click here for how to obtain the decryptor for the Cerber ransomware

Link is here.

WARNING! Site appears to be temporarily down at the moment. We are waiting for the owner to restore functionality while looking for an alternative soltion. Please make a backup of the encrypted files and patiently wait for a resolution.

The decryption is a two-step process as described on the site.

  1. Download a ceber-encrypted file to receive your private key in the form of a PK file
  2. Download the decryptor, create a directory and put the Private key file and the decryptor inside, then run it


Shadow Clone Restoration

If your version of ransomware was not listed in the list of known ransomware decryptors then you have a problem, though not all hope is lost. What you can do is try to recover your original files, before they got encryted. Your original files were erased by the ransomware as soon as the encrypted copies were created, but it may be possible to recover them – much in the same way you would try to recover an accidentally deleted file. There are multiple programs that can get the job done and in this guide we’ll mention Recuva, as well as Puran File Recovery as two effective and easy-to-use free solution.

How to use Recuva to recover deleted files – get it from here

The program’s interface is simple and intuitive, there is just one important checkbox to tick in just before you hit start – Enable Deep Scan.


Depending on your CPU and HDD size the scan can take from several minutes to several hours. Once it is done you’ll get a list of all possible files you can recover. Try to find the files you want to recover and tick them in the list, then hit Recover and hope for the best.

How to use Puran File Recovery to recover deleted files – get it from here

Puran File Recovery is even simpler to use. Install it on your computer, run it, select a partition to scan.

You’ll get the results in the field below. Scroll though the list and find your files (or use search), select them, then hit Recover and pray for the best.


Hopefully by now you were able to recover your files – one way or another. Unfortunately, especially with newer Ransomware threats this may not be the case. Short of paying the ransomware there is only one more thing for you to do…


Waiting for a solution

Neither ransomware viruses nor their creators are perfect or infallible and the above list of decryptors is proof of that. Unfortunately, it usually takes time for security researchers to break into the ransomware code and find the solution we so desperately need. Even if there is no decryptor tool available now this doesn’t mean one won’t be created in the future. Feel free to bookmark this page and check here for newly available ransomware solutions. We’ll add them to the list as we spot them on the Net.


  • HowToRemove.Guide Team

    Hi again jay,
    if there isn’t a decryptor right now, there is going to be in the future. Crypmic is a new kind of ransomware and researchers need time to bypass the code of the encryption. If you read the article you can find some solutions involving downloading a software that might help you.

  • HowToRemove.Guide Team

    Hi again jay,
    i don’t know how much time it will take to create a decryptor. I would suggest you not to pay them. That way you may show them that you are willing to pay every time and they might lock your files again.

  • HowToRemove.Guide Team

    Hi alfred,
    these are the methods we know so far. Zepto is new ransomware and now researchers are finding ways how to decrypt the files. You can bookmark this page and check it now or then.

  • Shahzade

    Actually my documents,images files are encrypted by CERBER3 (cerber ransomware).
    Is there any solution to decrypt my files.
    please help.

    • HowToRemove.Guide Team

      Hi Shahzade,
      these are the solutions we have at the moment. CERBER3 is a new ransomware and researchers haven’t find a way to decrypt the files yet. You can bookmark this page and check now and then. We will update the page as soon as we find a solution on how to decrypt any upcoming ransomware.

  • HowToRemove.Guide Team

    Hi pardeep,
    these are the solutions we have at the moment. CERBER3 is new ransomware and researchers are trying to find a way to decrypt the files. We update this page often when we find a solution. So you can check now or then.

  • HowToRemove.Guide Team

    Hi Sanket,
    these are the solutions we have at the moment. CERBER3 is new ransomware and researchers are trying to find a way to decrypt the files. We update this page often when we find a solution. So you can check now or then.

  • HowToRemove.Guide Team

    Hi itservicedmw,
    here is a link on how to remove .odin. Follow it and comment there if you have any issues.

    • fernandes lim


      all of my files were corrupted and change to .odin, how can i recovery that file?

      i already re-install my windows, and backup all the data (eventhough in odin file).

      Thank you for your helping

      • HowToRemove.Guide Team

        Hi fernandes lim,
        the Odin ransomware i still new and researchers are still trying to figure out how to decrypt the files. We have mentioned some ways you can recover your files and you can try them. If someone release a decryptor for these kind of files we will put it in this guide so toy can check now and then.

  • HowToRemove.Guide Team

    Hi Afaq,
    as soon as your files get encrypted even if you change the extension they stay encrypted. So what ever you do you cant decrypt them by yourself. You can try the decryptors we provided.

  • HowToRemove.Guide Team

    Hi Afaq,
    we are sure that there is going to be a decryptor, just not right away. Researchers are trying to find a solution on how to decrypt the files. You can check this page now and then if there is a decryptor for cerber3.

  • HowToRemove.Guide Team

    Hi ahmad,
    The site providing the decryption for .cerber and .cerber2 is having some technical difficulties and we don’t know if they are going to come back soon. If the link is not working, check the software solutions that we have provided.

  • HowToRemove.Guide Team

    Hi Vacas,
    did you try the software we provided in the end of the guide ?

  • Luigi

    Hello just Yesterday my laptop was infected by Cerber last version I suppose. All the files are encrypted with extension *.bee0 except the files on my desktop .. probably to avoid that I could regognize the danger. I undertsand I need to wait for an appropriate decryptor. Thanks.

    • HowToRemove.Guide Team

      Hi Luigi,
      yes you can wait and visit this page now and then to check or you can try the other software we have provided.