January 10, 2024

What is a ransomware decryptor?

Ransomware decryptors allow victims of attacks to reverse the damage without paying a ransom. The question is which one to use – and how.

By Livia Giannotti

The number of ransomware attacks is rising every year. Since 2018, they have only become more prominent, with over 72% of businesses worldwide reporting a ransomware attack in 2023, according to a recent report from the Cyber Edge Group.

More and more businesses are victims of ransomware attacks. (Photo by Tero Vesalainen/Shutterstock)

A ransomware attack occurs when a criminal group illegally gains access to another computer’s data or entire network, prevents users from entering the system or retrieving files and demands a ransom in exchange for restoring access. To block access to the hacked computers, the attackers usually encrypt all files. After receiving the ransom, they would send a decryption key or tool that allows data to be retrieved and the system to be accessed.

However, paying the ransom – often demanded in the form of cryptocurrency – is strongly discouraged by cybersecurity professionals and government organisations. In fact, not only is there no guarantee that attackers will provide the decryption key, but the attacked computer will remain infected (and thus more likely to be re-attacked in the future), and the money would fuel criminal activity. While the best solution is to prevent such malware by regularly backing up data and detecting attacks on systems, ransomware decryptors are tools that can offer victims a chance to retrieve encrypted files without paying a ransom.

How to use a ransomware decryptor

A ransomware decryptor is software designed to inspect encrypted files, identify the corresponding decryption key and decrypt the affected data using the ransomware family’s algorithm. This is a way for ransomware victims to reverse the damage without giving in to cyber attackers. 

Such tools are the only option to effectively restore access and retrieve files after an attack, according to Bogdan Botezatu, director of threat research at Bitdefender. He told Tech Monitor that “unlike most malware, ransomware damage does not go away with the removal of the ransomware itself.” Botezatu explains that complex algorithms used to encrypt files have to be countered by taking the files through the same process “but in reverse and with the right key”. Without the decryption key, “restoring the files is impossible,” Botezatu says.

But just as ransomware is divided into families – groups that share patterns of style, code signatures, and malicious payloads – so are decryptors. For this reason, the first step to decrypting hacked files is finding the corresponding tool. This step is all the more important because using the wrong decryptor can cause further damage and infection. Botezatu explains that “many times, hackers put fake decryption tools for download that are nothing more than malware in disguise.”

To identify appropriate decryption tools, victims can use services that identify what they have been hit with, including the No More Ransom CryptoSheriff web app or the Bitdefender Ransomware Recognition tool. By uploading an encrypted file or ransom note, those tools can identify which ransomware family is causing the attack, allowing the victim to choose a suitable decryptor.
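Before using an identification service, a victim has to pick out one encrypted sample and the ransom note from the affected machine. The read-only triage below is an added example, not code from Tech Monitor or any of the tools named; it assumes encrypted files look like high-entropy data sharing one appended extension and that the note is a text file repeated across folders, and the `.locked` and `READ_ME.txt` names are constructed.

```python
import math, os, tempfile
from collections import Counter
from pathlib import Path

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; well-encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root, threshold=7.5, head_bytes=65536):
    """Read-only walk: find the shared extension of high-entropy files, one
    sample of them, and text files whose name repeats across folders."""
    ext_counts, samples, note_dirs = Counter(), {}, Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue                      # unreadable file: skip, never modify
            if shannon_entropy(head) >= threshold:
                ext_counts[path.suffix.lower()] += 1
                samples.setdefault(path.suffix.lower(), path)
            elif path.suffix.lower() in {".txt", ".html", ".hta"}:
                note_dirs[name] += 1          # same note name seen in another folder
    if not ext_counts:
        return None
    ext, hits = ext_counts.most_common(1)[0]
    notes = sorted(n for n, d in note_dirs.items() if d >= 2)
    return {"extension": ext, "files": hits, "sample": samples[ext], "notes": notes}

def build_constructed_tree(root):
    """Constructed test data: random bytes stand in for encrypted files and
    '.locked' / 'READ_ME.txt' are made-up names, not any real family's."""
    for folder in ("docs", "photos"):
        d = Path(root, folder)
        d.mkdir()
        (d / f"{folder}_1.bin.locked").write_bytes(os.urandom(4096))
        (d / f"{folder}_2.bin.locked").write_bytes(os.urandom(4096))
        (d / "READ_ME.txt").write_text("Your files are encrypted. (constructed)")
    Path(root, "docs", "todo.txt").write_text("ordinary file, one folder only")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        print(triage(tmp))
```

Compressed formats such as ZIP or JPEG are also high-entropy, so the shared extension, not entropy alone, is what singles out the encrypted set; upload a copy of the sample, never the only original.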


What are the best ransomware decryptors?

No single tool can decrypt all ransomware, which makes it essential to have appropriate decryptors for every ransomware family. But as decryptors are often publicly available online, attackers can use them to update their viruses and build resistance to new software. While decryption tools exploit vulnerabilities in the encryption algorithm, both parties work with ever-evolving algorithms. Considering this, Tech Monitor gathered some of the best ransomware decryptors available:

No More Ransom 

No More Ransom is an initiative led by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and IT security companies. In addition to its recognition web tool, No More Ransom provides one of the most successful decryption tools, which can generate decryption keys for over 100 ransomware families.

Bitdefender’s decryptor tool

As one of the most established cybersecurity companies in the world, Bitdefender offers particularly advanced decryption tools that defend against present and future variants of a ransomware family. At the time of writing, the company has 32 decryptors and told Tech Monitor it has saved companies and individuals “upwards of $1.6 billion in ransom fees”.

Kaspersky’s No Ransom

Kaspersky provides specific and tailored decryptors for victims of ransomware. The No Ransom tool is efficient with files encrypted by specific ransomware families and their numerous variants, including Rannoh, Rakhni and CoinVault. By specialising in specific families, Kaspersky is one of the most efficient tools for file decryption, although its database is limited.

Trend Micro

Trend Micro offers decryption of some of the most infamous ransomware families. From WannaCry to Petya, TeslaCrypt and Jigsaw, the Trend Micro tool is one of the most widely used for ransomware decryption.

How much does a ransomware decryptor cost?

According to Sophos research on the state of ransomware in 2023, the price of ransomware attacks has grown considerably in recent years, reaching an average of $1.82m in recovery costs, excluding ransom payments.

However, decryptors remain easily accessible and widely available. Most decryption tools are available for free online, with some companies, such as Bitdefender, also offering individual tech support for the decryption process.

What to do if ransomware decryptors don’t work

As the arms race between malware developers and cybersecurity experts escalates relentlessly, some ransomware families don’t have matching decryptors available online. 

The National Cyber Security Centre (NCSC) has published guidance on actions to take after a computer has been infected with malware. These include disconnecting infected computers from network connections, resetting system accounts’ credentials, wiping the computer and reinstalling the operating system using a clean network. 

Once these steps have been completed, it is possible to run antivirus software, reconnect to the network – once cleaned – and ensure all the infections have been wiped.

While these solutions help mitigate the risks and attenuate the impact of ransomware attacks, the most effective way to protect devices remains regular backups and a good awareness of ransomware.
