AVG just released six new ransomware decryption tools for our channel partners and their clients. The free tools decrypt the recent ransomware strains Apocalypse, BadBlock, Crypt888, Legion, SZFlocker and TeslaCrypt.

With our new decryption tools, you should be able to recover your clients’ files and data without paying the ransom.

Using the AVG ransomware decryption tools

To use our AVG decryptor tools for the six recent ransomware strains, follow our simple five-step process to unlock the encrypted files:

  • Run a full system scan on the infected PC and quarantine all the infected files.
  • Identify which infection strain encrypted the files. See the descriptions of each strain below. If the ransomware infection matches the strain details, download the appropriate tool and launch it.
  • The tool opens a wizard, which breaks the decryption process into several easy steps.
  • Follow the steps and, in most cases, you should be able to reclaim your files.
  • After decryption, be sure to properly back up restored files.
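
The strain identification in the second step can be triaged from a file listing, using the file-name indicators given in the Apocalypse and Crypt888 descriptions on this page. The Python below is an added example, not AVG's tooling; the function names, the case-insensitive suffix matching and the sample paths are assumptions, and a match is only a hint to confirm against the ransom note before choosing a decryptor.

```python
import ntpath
from collections import Counter

# Indicators copied from the strain descriptions on this page. Suffixes are
# matched case-insensitively (assumption: Windows file names); the Crypt888
# prefix is matched exactly as written.
APOCALYPSE_ENCRYPTED = (".encrypted", ".locked", ".securecrypted")
APOCALYPSE_NOTES = (".how_to_decrypt.txt", ".readme.txt",
                    ".contact_here_to_recover_your_files.txt")
CRYPT888_PREFIX = "Lock."


def classify(path):
    """Return (strain, evidence) for one file path, or None if nothing matches."""
    name = ntpath.basename(path)  # splits on both "\\" and "/"
    lower = name.lower()
    if lower.endswith(APOCALYPSE_NOTES):
        return ("Apocalypse", "ransom note")
    if lower.endswith(APOCALYPSE_ENCRYPTED):
        return ("Apocalypse", "encrypted file")
    if name.startswith(CRYPT888_PREFIX) and len(name) > len(CRYPT888_PREFIX):
        return ("Crypt888", "encrypted file")
    return None


def triage(paths):
    """Count indicator hits per (strain, evidence) over a file listing."""
    return Counter(hit for hit in map(classify, paths) if hit)


def likely_strain(paths):
    """Strain with the most hits; None when there are no hits or a tie."""
    per_strain = Counter()
    for (strain, _), n in triage(paths).items():
        per_strain[strain] += n
    ranked = per_strain.most_common(2)
    if not ranked or (len(ranked) == 2 and ranked[0][1] == ranked[1][1]):
        return None  # ambiguous or no evidence: inspect the ransom note by hand
    return ranked[0][0]


# Constructed sample listing (not from a real incident).
SAMPLE = [
    r"C:\Users\a\Documents\report.docx.encrypted",
    r"C:\Users\a\Documents\report.docx.How_To_Decrypt.txt",
    r"C:\Users\a\Pictures\photo.jpg.SecureCrypted",
    r"C:\Users\a\Documents\budget.xlsx",
]
```

Extensions such as ".locked" and ".encrypted" are generic, so treat a result without a matching ransom note as unconfirmed.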

The six ransomware strains and AVG decryptor tools include:

  • Apocalypse
    • Description: The Apocalypse ransomware appends “.encrypted,” “.locked,” or “.SecureCrypted” to names of encrypted files (e.g. example.docx.encrypted, example.docx.locked, example.docx.SecureCrypted). It also creates ransom messages in files with extensions “.How_To_Decrypt.txt”, “.README.Txt,” or “.Contact_Here_To_Recover_Your_Files.txt” (e.g. example.docx.How_To_Decrypt.txt, example.docx.README.Txt).
    • In those messages, you can find contact addresses such as decryptionservice@mail.ru, dr.compress@bk.ru, decryptdata@inbox.ru, or recoveryhelp@bk.ru.
    • Download the AVG decryptor tool: AVG offers one decryptor tool for the early versions of Apocalypse and one for the current version:
    • http://files-download.avg.com/util/avgrem/avg_decryptor_Apocalypse.exe
    • http://files-download.avg.com/util/avgrem/avg_decryptor_ApocalypseVM.exe
  • Crypt888
    • Description: Crypt888 (aka Mircop) creates encrypted files with “Lock.” prepended to their names. It also changes your desktop’s wallpaper to a message on a black background that begins with, “You’ve stolen 48.48BTC from the wrong people, please be so kind to return them and we will return your files.”
    • Unfortunately, Crypt888 is a badly written piece of code, which means some of the encrypted files or folders will stay that way, even if you pay the fine, as the cybercriminals’ “official decryptor” may not work.
    • Download the AVG decryptor tool:
    • http://files-download.avg.com/util/avgrem/avg_decryptor_Crypt888.exe
  • Legion