Avast now offers ransomware victims 14 free decryption tools to help them get their files back.
In 2016, ransomware once again proved to be the biggest security threat. In the past year, more than 200 new strains of ransomware were discovered and the number of in-the-wild samples doubled, but the good news is that hundreds of millions of Avast and AVG users were protected against this widespread threat.
We are committed to fighting back against ransomware and one of the ways we are doing so is by providing free decryption tools to ransomware victims.
Today, we released another three ransomware decryption tools for the following strains: HiddenTear, Jigsaw, and Stampado/Philadelphia.
We would like to point out that there are free decryption tools already available for these strains. Security researchers Michael Gillespie and Fabian Wosar did a great job and provided their own decryption solutions for these strains. Kudos guys!
Now you may be wondering why we decided to release tools for these strains when other tools are already available. Well, it’s always better to have multiple (free) options and to find the one that works best for you.
All three strains are quite active (and prevalent) and have been for the past few months. The encryption keys used, as well as the internal algorithms, change a lot. This means that we need to update our decryption tools too. Therefore, there is a fair chance that either our solution or the existing ones will cover the latest versions of these strains.
Last but not least, we were able to significantly speed up the decryption time, more precisely the password brute-force process, so e.g. some of the HiddenTear variants will be decrypted within minutes instead of days. The best results are achieved when decrypting files directly on the infected machine.
If you are infected by a version of HiddenTear/Jigsaw/Stampado that is not covered by our tools, please let us know in the comment section below and we will try to update the tools.
HiddenTear is one of the first open-source ransomware code bases hosted on GitHub and dates back to August 2015. Since then, hundreds of HiddenTear variants have been produced by crooks using the original source code. HiddenTear uses AES encryption.
File name changes: Encrypted files will have one of the following extensions (but not limited to): .locked, .34xxx, .bloccato, .BUGSECCCC, .Hollycrypt, .lock, .saeid, .unlockit, .razy, .mecpt, .monstro, .lok, .암호화됨, .8lock8, .fucked, .flyper, .kratos, .krypted, .CAZZO, .doomed.
Ransom message: After encrypting files, a text file (READ_IT.txt, MSG_FROM_SITULA.txt, DECRYPT_YOUR_FILES.HTML) appears on the user’s desktop. Some variants also show a ransom message:
Some versions of the ransom message even scare victims into thinking Windows’ support team locked their computer.
Jigsaw is a ransomware strain that has been around since March 2016. It’s named after the movie character “The Jigsaw Killer”. Several variants of this ransomware use the Jigsaw Killer’s picture in the ransom screen.
File name changes: Encrypted files will have one of the following extensions: .kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush.
Ransom Message: After encrypting your files, one of the screens below will appear:
Stampado is a ransomware strain written using the AutoIt script tool. It has been around since August 2016. It is being sold on the dark web, and new variants keep appearing. One of its versions is also called Philadelphia.
File name changes: Stampado adds the “.locked” extension to the encrypted files. Some variants also encrypt the filename itself, so the encrypted file name may look like “document.docx.locked” or “85451F3CCCE348256B549378804965CD8564065FC3F8.locked”.
Ransom Message: After the encryption process is completed, the following screen will appear:
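The file name changes and ransom note names described above for HiddenTear, Jigsaw and Stampado are enough to build a quick triage scan of a suspect machine or a restored backup. The script below is an added example and is not part of Avast's decryptors or of the original post. It walks a directory tree, flags files whose last extension appears in the post's lists, flags the named ransom note files, and attributes a fully hex-named `.locked` file to Stampado because the post shows that pattern for Stampado. The hex-name length threshold, the sample files it creates in a temporary directory, and the function names are assumptions made for the example; because `.locked` is used by both HiddenTear and Stampado, the scan reports both families for that extension rather than guessing.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Extensions quoted in the post for each family (lowercased for matching).
# The post says the HiddenTear list is not exhaustive.
FAMILY_EXTS = {
    "HiddenTear": {e.lower() for e in (
        ".locked", ".34xxx", ".bloccato", ".BUGSECCCC", ".Hollycrypt", ".lock",
        ".saeid", ".unlockit", ".razy", ".mecpt", ".monstro", ".lok", ".암호화됨",
        ".8lock8", ".fucked", ".flyper", ".kratos", ".krypted", ".CAZZO", ".doomed")},
    "Jigsaw": {e.lower() for e in (
        ".kkk", ".btc", ".gws", ".J", ".encrypted", ".porno", ".payransom",
        ".pornoransom", ".epic", ".xyz", ".versiegelt", ".payb", ".pays", ".payms",
        ".paymds", ".paymts", ".paymst", ".payrms", ".payrmts", ".paymrts",
        ".paybtcs", ".fun", ".hush")},
    "Stampado": {".locked"},
}

# Ransom note file names the post attributes to HiddenTear variants.
RANSOM_NOTES = {"READ_IT.txt", "MSG_FROM_SITULA.txt", "DECRYPT_YOUR_FILES.HTML"}

# Stampado variants may replace the whole file name with a hex string before
# appending .locked. The minimum length of 16 hex digits is an assumption.
STAMPADO_HEX_NAME = re.compile(r"^[0-9A-Fa-f]{16,}\.locked$")


def classify(name: str) -> set:
    """Return the families a file name points to, {'ransom-note'}, or an empty set."""
    if name in RANSOM_NOTES:
        return {"ransom-note"}
    if STAMPADO_HEX_NAME.match(name):
        return {"Stampado"}
    # Only the final extension is checked: "report.docx.locked" -> ".locked".
    key = Path(name).suffix.lower()
    return {fam for fam, exts in FAMILY_EXTS.items() if key in exts}


def scan_tree(root: str) -> dict:
    """Walk root and group files into suspected-encrypted, ransom notes and clean."""
    report = {"encrypted": [], "notes": [], "clean": 0}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            fams = classify(fname)
            if "ransom-note" in fams:
                report["notes"].append(rel)
            elif fams:
                report["encrypted"].append((rel, sorted(fams)))
            else:
                report["clean"] += 1
    report["encrypted"].sort()
    report["notes"].sort()
    return report


def demo() -> dict:
    """Build a constructed sample tree in a temp dir, scan it and return the report."""
    root = tempfile.mkdtemp(prefix="ransom-scan-")
    try:
        samples = [  # constructed file names; contents are irrelevant to the scan
            "report.docx.locked",
            "photo.jpg.kkk",
            "85451F3CCCE348256B549378804965CD8564065FC3F8.locked",
            "READ_IT.txt",
            "notes.txt",
        ]
        for s in samples:
            Path(root, s).write_bytes(b"placeholder")
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    for path, fams in result["encrypted"]:
        print(f"encrypted  {path}  ->  {', '.join(fams)}")
    for path in result["notes"]:
        print(f"ransom note  {path}")
    print(f"clean files: {result['clean']}")
```

Extension matching alone is a triage aid, not proof of a particular family; the ambiguous `.locked` result shows why the ransom note and the ransom screen are still needed to pick the right decryptor.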
How to protect yourself from falling victim to ransomware
First and foremost, make sure you have antivirus, like Avast, installed on all of your devices (even smartphones can become infected with ransomware). Antivirus will act like a safety net and block ransomware before it can cause any damage, in case you accidentally try to download it.
The next thing you can do to protect yourself is to be smart and alert. Ransomware distributors often use social engineering tactics to trick people into downloading the ransomware. Be careful which links and attachments you open and what you download on the web. Make sure you verify the source of emails that include links and attachments, and only download software from and visit trusted sites.
Backing up your data properly on a regular basis is also crucial. Be sure not to keep your backups connected to your devices all the time; otherwise, your backups could be held to ransom as well.
If you are unlucky and do become infected with ransomware, make sure to check out our ransomware decryptor tools to see if we can help you get your files back!
I would like to once again thank my colleagues Ladislav Zezula and Piotr Szczepanski for preparing these decryptors.