Malware analysis

How to remove ransomware: Best free decryption tools and resources

Lester Obbayi
April 6, 2022 by
Lester Obbayi

Ransomware refers to malicious software that encrypts all of the data in your computer’s operating system and then proceeds to demand a ransom to decrypt the encrypted data. The commonly known ways in which these attacks infect victims include malicious downloads from torrent sites, browser add-ons that attach to your browser once you visit a malicious website and computer viruses that are dropped into victims’ computers via phishing links or even infected Microsoft Office files or USB drives.

This article will look at this topic in detail, discussing the various ransomware examples that have affected both individuals and big organizations. We’ll also discuss how you can identify a potential ransomware attack and how you can use freely available tools to disinfect your infected computers from such attacks. 

For more insights, download "The ransomware paper: Real-life insights and predictions from the trenches" by Infosec Principal Security Researcher Keatron Evans.


Get Your Copy


How to remove ransomware


Before you can remove your ransomware infection, you’ll first need to be able to detect that you are infected. Several red flags can directly lead you to suspect a ransomware infection. These red flags include:

  1. Your antivirus software alerts you: when you are using your computer and all of a sudden you receive an alert from your antivirus that potential ransomware has been found, this can most certainly mean that you have just accessed some infected data that attempted to spread the infection to your computer. 
  2. You notice suspicious file extensions: you might notice that there are unusual file extensions within certain directories of your computer. For instance, instead of having the normal “.jpg” extension for your images, you have random letters or characters. This might indicate that you are currently under a ransomware attack. 
  3. You notice file name changes you never made: another common red flag is the sudden change in filenames to reflect those you never made. This could mean that a ransomware infection is in progress.
  4. You notice increased CPU and disk storage usage: the process of ransomware infection can be resource-intensive. This may lead to a spike in system resources such as RAM and disk usage. This could be another indication that you are most likely infected by ransomware.
  5. You detect unusual network communication: if you discover large amounts of data transferred outbound, that could be another sign of a ransomware infection. 
  6. You notice completely encrypted files that you cannot access: this is the final stage of a complete ransomware attack. Once this stage is done, all your files are encrypted, and a pop-up message asking you to pay a ransom is displayed. 

Now that we have seen how to get rid of ransomware infection, how to decrypt data encrypted by ransomware is something that we need to know how to do. At this point, there are three main things that you can do to remove this infection. 

  1. You could pay the demanded ransom. This is not advisable since there is no guarantee that your files will actually be decrypted. 
  2. You could use freely available decryption tools to decrypt the encryption applied by the ransomware infection.
  3. You could format your computer. This will delete all the present data and restore the computer to default settings. This is especially a great option if you have backups to your data. 

Of course, you cannot always have a backup of all your data; it might not always be possible. Here are some steps that you can follow to ensure that you remove the ransomware infection:


1. Switch off the internet connection


Unplugging from the internet allows you to break off any communication between the malware and any remote servers. These servers can sometimes act as Command and Control, meaning they can issue extra commands to the ransomware to further lock down your computer. This first step buys you time to inspect the extent of damage that has been done so far.


2. Explore the extent of damage


You can now analyze the computer to determine the extent of damage that has been done so far. This allows you to determine the files that have been encrypted and determine what files have not been encrypted and thus can be saved.


3. Search for a ransomware decryption tool


There are many ransomware decryption tools online that you can use to recover your files from an infection. Not all infections have decryption tools, though. You can use the Crypto Sheriff function of no more ransom service. This option allows you to upload an infected file; then, it automatically checks to see whether it has a decryption tool within its database that you can use. You could also upload the ransom file to ID Ransomware


How to find out what ransomware you have


Even though the initial method of identifying the type of ransomware that has infected you remains to be checking the file extension of encrypted files, you can be unsuccessful in your attempts to decrypt your files by downloading the wrong decryption tool, and this is because there are very many variants of the same ransomware sample. Because of this, some free resources have been provided to help you identify your variant. We explore these below:

  1. ID Ransomware: this service allows you to upload an encrypted sample file or a ransom note. It then uses these samples to identify the ransomware variant. For analysis, you can also submit information within the ransom note, such as the BTC address or email address.
  2. No More Ransom: this service allows you to upload encrypted samples for analysis and identification. This resource has one of the most comprehensive lists of decryption tools available for download.
  3. Bitdefender Ransomware Recognition Tool: Bitdefender has an EXE executable tool that you would download on the infected computer. It allows you to specify the ransom note and directory with encrypted files. This tool then uses its database to identify the ransomware variant by analyzing the encrypted directory. It also uploads the ransom note for analysis.
  4. Trend Micro Screen Unlocker Removal tool: trend Micro has developed a tool specializing in identifying and removing ransomware types that perform screen locking. These types of malware prevent the screen from being used completely. 

It is important to note that various ransomware variants are similar in their mode of execution. They have similar extensions or even infection methods. This is important to note, especially since the services above might produce multiple results or predictions instead of pointing out with complete certainty the exact variant. 

The services above then point you in the right direction, where you can download the right decryption tool for your infection.


Free ransomware decryption tools


There are tools that can be used to decrypt the ransomware variants identified above. It is important to note here that not all ransomware variants have publicly available tools that you can download to decrypt your files. It is very likely that you look for a decryption tool in the worst-case scenario and fail to find one that works. That said, let us explore some of the best free ransomware removal software.


1. Free ransomware decryptors by Kaspersky


Kaspersky does a good job of accumulating tools that you can use for decryption. These tools are classified according to variant families. You can download these decryptors directly from Kaspersky


2. Free ransomware decryptors by No More Ransom


You can find a good number of decryptors that No More Ransom has gathered. This is one of the most comprehensive lists of decryptors that you will be able to find. You can access the list of decryptors by visiting the link above.


3. Heimdal Security decryptor list


Heimdal Security has done a good job compiling a list of the top 199 decryptor tools as of September 2021. The list assumes you already know the exact variant for which you need a decryptor. 


4. Free ransomware decryptors by Avast


Avast also has a list of free decryptors that you can download.


5. Free ransomware decryptor by Enigma


Enigma offers a free decryptor for Cryptolocker and LeChiffre ransomware variants. 


6. Trend Micro ransomware decryptor 


Trend Micro has developed a tool that allows you to decrypt various ransomware variants

Numerous other solutions are freely available for you to use to decrypt your ransomware-encrypted files. You can use the link to access even more tools.


Recovering lost files due to ransomware


Ransomware continues to be a serious threat not only to individuals but also to big organizations. However, many companies are making it possible for affected parties to recover their lost files. The best solution, especially for ransomware infections, is effective preventive measures. Always ensure that you use antivirus solutions with the most recent database signatures. Also, ensure that you keep backups of your data in separate drives. This is the only sure proof way of recovering your data, as not all ransomware variants have publicly available decryption tools.




Lester Obbayi
Lester Obbayi

Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.