How to Decrypt Ransomware Files – And What to Do When That Fails

For any organization struck by ransomware, business leaders always ask “how do we decrypt the data ASAP, so we can get back in business?”

The good news is that ransomware-encrypted files can sometimes be decrypted. The bad news is that, most of the time, none of the available routes works:

  • The decryptor and key bought from the attackers don’t always work.
  • Free decryption tools don’t always work.
  • For-pay ransomware recovery tools don’t always work.

The best defense and the best option for recovery will always be the availability of sufficient, isolated data backups and a practiced restoration process. However, even with the best planning, organizations can find a few users, machines, or systems that were overlooked or whose backup may be corrupted or encrypted.

What can be done to recover from ransomware attacks when backups are not available?


The First Calls After an Attack

First, call the carrier that issued the organization’s cyber insurance policy. Most carriers require specific incident response vendors, procedures, and reporting, and those conditions must be met for the policy to pay out.

Insured companies often will not have a choice: the insurer takes control of the response, and the insured company follows its instructions.

If the organization does not have insurance, then the fastest way to recover is to call an MSSP, incident response specialist, or ransomware recovery specialist. Executives, legal counsel, and law enforcement such as the local office for the FBI or police should also be on the incident response phone list for early contact.

Before Decryption, Block the Attacks

Whether handing off recovery to the insurance company, paid incident response professionals, or attempting recovery in-house, the next steps will generally be the same:

  1. Stop the spread of the ransomware.
  2. Eliminate attacker access.
  3. Begin work on recovery.

Note that decryption is not a consideration until at least step three because the IT team cannot safely attempt any decryption without stopping the spread of ransomware or blocking access that attackers might use to interfere with recovery. These steps are covered in more depth in How to Recover From a Ransomware Attack, so for now, we’ll simply presume the attackers and malware are under control.

How Does Ransomware Encryption Work?

Ransomware encryption works like any other encryption: the encrypting software scrambles the bytes of each file with a cipher (the algorithm) under a key (the secret), and the same key, fed to a decryption routine, restores the file. Without the key, a modern cipher cannot be undone by guessing.

Some ransomware strains use standard encryption or archiving tools, such as 7-Zip or WinRAR with a password, and others ship their own encryption routines, which may encrypt only part of each file to speed up the process.

In either case, the malware generates a random key and keeps it out of the victim’s reach: either by sending it to the ransomware gang’s server or, more commonly, by encrypting it with the gang’s public key and leaving that wrapped copy on the machine or in the ransom note. If the victim pays, the gang supplies the key (or the private key that unwraps it) together with a decryption tool that uses it to restore the files.
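To make the key handling concrete, here is an added example (not code from the article or from any ransomware family) of the hybrid scheme most modern strains use, written in Go with only the standard library: a random AES-256-GCM key per file, that key wrapped with the gang’s RSA public key, and an option to encrypt only the first N bytes of the file, the partial-encryption shortcut mentioned above. The type and function names, the 2048-bit key size, and the sample content are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what a hybrid-encryption ransomware leaves behind for one file:
// the AES-GCM ciphertext of the encrypted prefix, the per-file key wrapped with the
// gang's RSA public key, and (for partial encryption) the bytes the malware skipped.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(fileKey): only the gang's private key opens it
	Nonce      []byte
	Ciphertext []byte
	Tail       []byte // left in the clear to finish faster; still readable
}

// newGangKey stands in for the key pair the gang generates for a campaign.
// The private half never touches the victim's machine.
func newGangKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile mimics the encryptor: a fresh random 256-bit key per file, AES-GCM
// over the first encryptBytes bytes (0 or more than len(plain) means the whole
// file), and the file key wrapped with the attacker's public key so it never has
// to leave the machine in the clear.
func encryptFile(plain []byte, gangPub *rsa.PublicKey, encryptBytes int) (*EncryptedFile, error) {
	if encryptBytes <= 0 || encryptBytes > len(plain) {
		encryptBytes = len(plain)
	}
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, gangPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plain[:encryptBytes], nil),
		Tail:       append([]byte(nil), plain[encryptBytes:]...),
	}, nil
}

// decryptFile is what the gang's decryptor does: unwrap the file key with the
// private key, decrypt the prefix, and reattach the untouched tail.
func decryptFile(ef *EncryptedFile, gangPriv *rsa.PrivateKey) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, gangPriv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key (wrong private key?): %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	head, err := gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext rejected: %w", err)
	}
	return append(head, ef.Tail...), nil
}

func main() {
	gang, _ := newGangKey()
	plain := []byte("constructed sample: Q3 payroll export, 40 rows")
	ef, _ := encryptFile(plain, &gang.PublicKey, 16) // partial encryption: first 16 bytes only
	fmt.Printf("unencrypted tail still readable: %q\n", ef.Tail)
	stranger, _ := newGangKey() // a defender's own key pair: same algorithm, wrong key
	_, err := decryptFile(ef, stranger)
	fmt.Println("without the gang's private key:", err)
	back, _ := decryptFile(ef, gang)
	fmt.Println("with the gang's private key:", string(back))
}
```

The points to take from it: the wrapped key sitting next to the ciphertext is useless without the private key, which is exactly what the ransom buys; a strain that encrypts only a prefix leaves the rest of the file readable, which is why carving tools sometimes recover fragments; and a Power Worm-style bug that discards the file key before wrapping it leaves nothing recoverable at all.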

Ransomware Decryption Tool Options

Once the systems have been isolated and the ransomware removed, we can examine the encrypted files and attempt decryption. Decryption tools fall into the following general categories:

  • Paid ransom decryptor (bought from the attackers)
  • Free tools
  • For-pay ransomware recovery tool

Each type of tool will have pros, cons, likelihood of success, and cautions. However, before we can even debate an option, we first must determine the type of ransomware infecting the system.

Identifying the infecting ransomware type

To know what options are available for a specific infection, the ransomware recovery team will need to inspect the encrypted files and the ransomware messages.

Most ransomware attackers make themselves obvious: the ransom note names the strain and gives instructions for contacting the group. However, some companies have recently been hit by multiple ransomware gangs at the same time, so incident recovery teams need to check each machine separately and verify which infection it carries.

The file extensions of the encrypted files will also provide a clue. Incident response teams can use a search engine to look up the file extension and ransomware name to see what decryptors might be available. For example, files with the following extensions are signs of an attack by BTCWare, which has a free decryptor: .btcware, .cryptobyte, .cryptowin, .theva, .onyon.

Note that some ransomware locks the machine’s screen rather than encrypting files, which calls for a completely different recovery method.
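An added triage pass that puts the identification steps above into code (example code, not from the article or any vendor tool), in Go: it walks a directory tree, flags files by the BTCWare extensions listed above, by ransom-note-like filenames, and by the combination of a missing format header and near-random content, and tallies the extensions seen on encrypted files so the team has the strings to look up. The extension table, header signatures, note keywords and the 7.5 bits-per-byte threshold are small starter sets and assumptions to be extended for the environment.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"math"
	"os"
	"path/filepath"
	"strings"
)

var (
	// Extensions the article cites as BTCWare markers; extend from a current lookup service.
	knownExtensions = map[string]string{".btcware": "BTCWare", ".cryptobyte": "BTCWare",
		".cryptowin": "BTCWare", ".theva": "BTCWare", ".onyon": "BTCWare"}
	// Expected leading bytes for a few common formats (assumption: extend for your environment).
	magic = map[string][]byte{".pdf": []byte("%PDF"), ".png": {0x89, 'P', 'N', 'G'},
		".jpg": {0xFF, 0xD8, 0xFF}, ".zip": []byte("PK\x03\x04"), ".docx": []byte("PK\x03\x04")}
	// Words that commonly appear in ransom note filenames (heuristic).
	noteHints = []string{"readme", "decrypt", "restore", "recover", "how_to", "how-to"}
)

type Finding struct {
	Path, Verdict, Strain string  // Verdict: encrypted, corrupted, ransom-note or ok
	Entropy               float64 // bits per byte over the first 4 KiB
}

// shannonEntropy: ciphertext and compressed data sit near 8.0, text and most office documents well below 6.
func shannonEntropy(b []byte) float64 {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			p := c / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// classify decides what one file is from its name and its leading bytes.
func classify(path string, head []byte) Finding {
	name := strings.ToLower(filepath.Base(path))
	ext := filepath.Ext(name)
	f := Finding{Path: path, Verdict: "ok", Entropy: shannonEntropy(head)}
	if strain, ok := knownExtensions[ext]; ok {
		f.Verdict, f.Strain = "encrypted", strain
		return f
	}
	for _, hint := range noteHints {
		if strings.Contains(name, hint) && (ext == ".txt" || ext == ".html") {
			f.Verdict = "ransom-note"
			return f
		}
	}
	if want, ok := magic[ext]; ok && !bytes.HasPrefix(head, want) {
		f.Verdict = "corrupted" // header gone but bytes not random: overwritten, not encrypted
		if f.Entropy > 7.5 {
			f.Verdict = "encrypted"
		}
	}
	return f
}

// triage walks root in lexical order; the tally counts extensions on encrypted files, the strings to look up.
func triage(root string) ([]Finding, map[string]int, error) {
	var findings []Finding
	tally := map[string]int{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		fh, err := os.Open(path)
		if err != nil {
			return err
		}
		head := make([]byte, 4096) // bounded read: never pull a whole file share over the wire
		k, err := fh.Read(head)
		fh.Close()
		if err != nil && err != io.EOF {
			return err
		}
		f := classify(path, head[:k])
		if f.Verdict == "encrypted" {
			tally[filepath.Ext(strings.ToLower(path))]++
		}
		findings = append(findings, f)
		return nil
	})
	return findings, tally, err
}

func main() {
	findings, tally, err := triage(".")
	fmt.Printf("%d files scanned, extensions on encrypted files %v, error %v\n", len(findings), tally, err)
}
```

Two caveats on the content check: a strain that encrypts the middle of a file rather than the start keeps a valid header and low entropy in the first 4 KiB, so this pass misses it; and files that are already compressed (ZIP-based Office formats, JPEG) score high on entropy but keep their header, which is why the header check comes first and a file is only called encrypted when both signals agree.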

Paid ransomware decryptor

The ransomware attackers will always encourage paying the ransom to obtain their decryption tool. However, law enforcement will always discourage paying ransoms and thereby funding criminal activity.

Ultimately, each organization will need to decide for themselves the morality of paying for a ransomware decryptor. However, there are also practical reasons to be extremely cautious.

First, the attackers’ decryptors don’t always work. IT teams need to research the reputation of the specific ransomware group to understand how likely its tool is to work.

For example:

  • The Power Worm ransomware contained a bug that failed to generate a decryption key when encrypting data — no data can be recovered.
  • The FBI warned that the ProLock (AKA: ProLocker, PwndLocker) ransomware gang’s decryptor might corrupt files larger than 64MB, and the decryptor averages 1 byte of integrity loss per 1KB for files larger than 100MB.

Additionally, keep in mind that these criminal gangs do not have the best interest of their victims in mind when they create these software packages. Ransomware decryptors can potentially load other malware, drop back doors, or add new users to systems as they process the decryption.

Even if the attackers’ decryptor works, IT recovery teams will need to scan the systems thoroughly to ensure no backdoors or other malware were introduced along the way. Done correctly, this process is extremely time-consuming and possibly very expensive.

Free decryption tools

It is always tempting to try to solve our problems for free, but sometimes a free tool is worth exactly what was paid for it, or less. When considering a free tool, investigate the reputation of the person or organization that developed it, and the reputation of the source recommending it.

Some tools will be generated by reputable security researchers or anti-malware companies and be promoted on reputable security news websites. Other tools might have mystery creators, so it can’t be ruled out that the tool has been created by ransomware gangs or other malware creators.

Even if the tool is 100% legitimate, it still may only work on certain versions of the ransomware or have other limitations. Lastly, free tools will probably have limited support available to help users with their issues.

Some representative examples of free tools:

  • Avast, the Czech antivirus maker (now part of Gen Digital), has a long-standing reputation that makes its array of free ransomware decryption tools credible options.
  • Ransomware researcher Michael Gillespie creates ransomware decryption tools that are distributed for free on antivirus tool websites; he can also be found on GitHub and Twitter.
  • The Zorab ransomware gang released a fake STOP Djvu ransomware decryptor that instead encrypts a victim’s files with a second ransomware.
  • The Emsisoft antimalware company offers a free STOP Djvu decryption tool created by Michael Gillespie; however, it notes that the decryptor requires:
    • An older variant of the malware; infections from after August 2019 are unlikely to be decryptable
    • Matching pairs of an original (unencrypted) file and its encrypted copy, each larger than 150KB and of the same file type (PNG, PDF, etc.), which the tool needs to build a decryptor
  • The European Union Police agency, Europol, offers a repository of ransomware decryption tools.

Note also that company policy may prevent the use of some free tools. For example, the reputable Kaspersky anti-malware company offers legitimate anti-ransomware tools suitable for many organizations, but its Russian headquarters may give some organizations pause because of the invasion of Ukraine or concerns about espionage.

For-pay ransomware recovery tool

Many companies offer software that companies can buy to recover from ransomware attacks. As with free software, the reputation of the company producing the software will be a huge consideration prior to the purchase.

Even the best ransomware removal tools cannot guarantee that they will decrypt files, and many work primarily as a preventive control. Before buying, IT recovery teams should check with the vendor whether the tool can decrypt the specific strain used in the attack.

For-pay tools do usually have one advantage: support personnel who can actively help incident response teams when they run into difficulty.

Ransomware Decryption: Setting Expectations

When asked to perform decryption, incident recovery teams need to set expectations with company executives. Executives and incident response teams need to prepare alternative solutions during the decryption process in case the decryption is unsuccessful.

In addition to expectations for recovery, incident response teams need to prepare executives for other issues that may complicate, slow, or prevent recovery of encrypted data such as: safe mode infections, hands-on recovery requirements, slow decryption, or corrupted files.

Can ransomware-encrypted files be recovered?

The honest answer is “probably not.” Many people have a poor understanding of statistics and feel that even a “25% chance” of recovery means that a competent person will be able to execute decryption. Unfortunately, even the most skilled incident recovery specialist may be unable to decrypt ransomware files under a broad range of circumstances.

Additionally, multiple attacks are possible, so even the successful decryption of one ransomware attack might reveal files encrypted from a prior attack that now require a completely different decryption tool. Finally, decryption of local files does not solve the problem of possible extortion related to data leaks of exfiltrated files from the attack.

Safe-mode infections

To avoid malware that loads during a normal startup, incident response teams may want to boot the operating system into Safe Mode, which often lets them clean the machine safely.

However, advanced ransomware attackers understand this process and may take other measures to maintain persistence. For example:

  • Snatch ransomware actually forces a reboot into Safe Mode so the encryption runs without interference from antivirus programs.
  • While not yet seen with ransomware, other malware has been found implanting a bootkit in the firmware flash memory of the hardware itself. Removing that kind of infection may require replacing the hardware.

Full disconnect recommendation

In our remote-access world, it may be tempting to attempt to recover from the ransomware attack using remote-access tools. However, this also keeps the computer available for remote access for attackers.

It is better to fully isolate the device from networks and the internet to ensure no access was overlooked. Of course, this also means the tech needs to physically be present to access the device, which will add costs and time to the process, but ultimately, it may be required under most circumstances.

Decryptor purgatory

Decryption takes a long time to execute, and even the official decryption solution from the ransomware gang may not work efficiently. In two notable attacks, the victims started trying to use the ransomware gang’s tool but ultimately needed to switch to an alternative because the process was so slow:

Of course, even after investing significant time in the decryption process, a successful decryption may discover files have been corrupted in the encryption process.

Data corruption attacks

Researchers found that some ransomware creators have developed new options for attackers to corrupt data instead of encrypting it. Encryption takes significant time, and newer endpoint detection tools can raise alerts on encryption activity.

The new option still exfiltrates the data, but then copies blocks from the middle of the exfiltrated files over other, randomly selected files. Ordinary file writes do not trigger the encryption-behavior alerts that endpoint tools raise, and after exfiltration plus corruption the attacker holds the only intact copy of the data.

If this tactic is used, the victim loses decryption as an option entirely and is left with buying the data back from the attackers or restoring from backups.
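Both the decryptor-corruption problem described earlier (the FBI’s ProLock warning of roughly one wrong byte per KB and trouble above 64MB) and the overwrite tactic just described come down to the same question: which recovered files differ from known-good copies, and by how much? The following added example (not from the article or any vendor tool), in Go, answers it two ways: a byte-level comparison against a reference copy when one is available, and a SHA-256 manifest check against a backup catalogue when only hashes are available. The function names, the 64MB threshold taken from the FBI warning, and the constructed sample data are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

// Above this size (64 MB) the FBI warned the ProLock decryptor could corrupt output.
const largeFileThreshold = 64 << 20

// Report compares one recovered file with its known-good copy.
type Report struct {
	Name           string
	Identical      bool
	DifferingBytes int     // differing byte positions plus any length difference
	PerKiB         float64 // differing bytes per KiB of the reference (ProLock's reported rate was about 1)
	Large          bool    // over largeFileThreshold, so worth a manual look even if it passes
}

// fileSHA256 streams the file through SHA-256 so large files are never loaded whole.
func fileSHA256(path string) (string, error) {
	fh, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer fh.Close()
	h := sha256.New()
	if _, err := io.Copy(h, fh); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// compare counts byte-level damage; bytes beyond the shorter length all count as differences.
func compare(name string, recovered, reference []byte) Report {
	r := Report{Name: name, Large: len(recovered) > largeFileThreshold}
	if bytes.Equal(recovered, reference) {
		r.Identical = true
		return r
	}
	n := len(recovered)
	if len(reference) < n {
		n = len(reference)
	}
	for i := 0; i < n; i++ {
		if recovered[i] != reference[i] {
			r.DifferingBytes++
		}
	}
	r.DifferingBytes += len(recovered) + len(reference) - 2*n
	if len(reference) > 0 {
		r.PerKiB = float64(r.DifferingBytes) / (float64(len(reference)) / 1024)
	}
	return r
}

// verifyAgainstManifest checks every file under dir against a catalogue of SHA-256
// hashes keyed by slash-separated relative path (what backup software records) and
// returns the paths that do not match or are absent from the catalogue.
func verifyAgainstManifest(dir string, manifest map[string]string) ([]string, error) {
	var bad []string
	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		rel, _ := filepath.Rel(dir, path)
		rel = filepath.ToSlash(rel)
		sum, err := fileSHA256(path)
		if err != nil {
			return err
		}
		if want, ok := manifest[rel]; !ok || want != sum {
			bad = append(bad, rel)
		}
		return nil
	})
	return bad, err
}

func main() {
	// Constructed sample: 8 KiB reference and a "decrypted" copy with one wrong byte per KiB.
	reference := bytes.Repeat([]byte("0123456789abcdef"), 512)
	recovered := append([]byte(nil), reference...)
	for i := 0; i < len(recovered); i += 1024 {
		recovered[i] ^= 0xFF
	}
	r := compare("ledger.csv", recovered, reference)
	fmt.Printf("%s: identical=%v differing=%d per_KiB=%.2f large=%v\n", r.Name, r.Identical, r.DifferingBytes, r.PerKiB, r.Large)
}
```

Run the manifest check first across the whole recovered tree, since hashes from the last good backup are usually all that exists; reserve the byte-level comparison for the files that fail, where a reference copy can be pulled from backup, to tell a handful of flipped bytes (a decryptor bug, possibly repairable by the tool’s vendor) from files that were wholesale overwritten.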

The Best Ransomware Defense is Proactive, Not Reactive

It would be irresponsible to suggest that ransomware-encrypted files can be regularly or easily decrypted. Although it is difficult, an organization can look for ways to decrypt its ransomware-affected files with professional decryption tools, free tools, or, as a last resort, by paying the ransomware gang for its decryption software. The success rate tends to be low, but an organization can get lucky.

Organizations also need to keep in mind that some sophisticated ransomware attackers pose an even larger risk than the encryption itself. Incident response professionals should be engaged to ensure the attacker’s access to company systems has been found and eliminated, so the attack cannot simply be repeated.

Organizations that do not want to rely on luck need to prepare in advance for potential ransomware attacks with appropriate security tools, security monitoring, and robust backup procedures. Fortunately, there are many security tools and service providers ready and able to help prepare and minimize the impact of a successful attack.

Chad Kime
Chad Kime combines his Electrical Engineering and MBA degrees to translate between technical language and common English. After managing over 200 foreign language eDiscovery projects, Chad values practicality over idealism. He has written on cybersecurity, risk, compliance, network security hardware, endpoint monitoring software, anime DVDs, industrial hard drive equipment, and legal forensic services.
