AVG just released six new ransomware decryption tools for our channel partners and their clients.  The free tools decrypt the recent ransomware strains Apocalypse, BadBlock, Crypt888, Legion, SZFlocker and TeslaCrypt.

While our AVG Business products help detect and block against all known ransomware strains –  including this recent six – our AVG partners now have helpful tools if a new client, or even a prospect, has a situation where files are already infected by ransomware.

With our new decryption tools, you should be able to recover your clients’ files and data without paying the ransom.

Using the AVG ransomware decryption tools

To use our AVG decryptor tools for the six recent ransomware strains, follow our simple five step process to unlock the encrypted files:

• Run a full system scan on the infected PC and quarantine all the infected files.
• Identify which infection strain encrypted the files. See the descriptions of each strain below. If the ransomware infection matches the strain details, download the appropriate tool and launch it.
• The tool opens a wizard, which breaks the decryption process into several easy steps.
• Follow the steps and you should again be able to reclaim your files in most cases.
• After decryption, be sure to properly back up restored files.

The six ransomware strains and AVG decryptor tools include:

• Apocalypse
  • Description: The Apocalypse ransomware appends “.encrypted,” “.locked,” or “.SecureCrypted” to names of encrypted files (e.g. example.docx.encrypted, docx.locked, example.docx.SecureCrypted). It also creates ransom messages in files with extensions “.How_To_Decrypt.txt”, “.README.Txt,” or “.Contact_Here_To_Recover_Your_Files.txt” (e.g. example.docx.How_To_Decrypt.txt, example.docx.README.Txt)
  • In those messages, you can find contact addresses such as [email protected], [email protected], [email protected], or [email protected].
  • For example:
  • Download the AVG decryptor tool: AVG offers one decryptor tool for the early versions of Apocalypse and one for the current version:
  • http://files-download.avg.com/util/avgrem/avg_decryptor_Apocalypse.exe
  • http://files-download.avg.com/util/avgrem/avg_decryptor_ApocalypseVM.exe

• BadBlock
  • Description: BadBlock does not rename encrypted files. You can identify BadBlock by the ransom message named “Help Decrypt.html” and by a red window with ransom messages that begin with “This machine was infected with ransomware BadBlock . . .”
  • Download the AVG decryptor tool (for 32-bit and 64-bit systems):
  • http://files-download.avg.com/util/avgrem/avg_decryptor_BadBlock32.exe
  • http://files-download.avg.com/util/avgrem/avg_decryptor_BadBlock64.exe

• Crypt888
  • Description: Crypt888 (aka Mircop) creates encrypted files with the prepended name “Lock.” It also changes your desktop’s wallpaper to a message on a black background that begins with, “You’ve stolen 48.48BTC from the wrong people, please be so kind to return them and we will return your files.”
  • Unfortunately, Crypt888 is a badly written piece of code, which means some of the encrypted files or folders will stay that way, even if you pay the fine, as the cybercriminals’ “official decryptor” may not work.
  • Download the AVG decryptor tool:
  • http://files-download.avg.com/util/avgrem/avg_decryptor_Crypt888.exe

• Legion
  • Description: Legion encrypts and renames files with names like “example.docx[email protected]$.legion.” It also changes the desktop wallpaper and displays a “Your data is encrypted!!” warning.
  • Download the AVG decryptor tool:
  • http://files-download.avg.com/util/avgrem/avg_decryptor_Legion.exe

• SZFLocker
  • Description: The name of the SZFlocker ransomware originates from a string that is appended to the names of encrypted files (e.g. example.docx.szf). The original files are rewritten with a Polish message.
  • Download the AVG decryptor tool:
  • http://files-download.avg.com/util/avgrem/avg_decryptor_SzfLocker.exe

• TeslaCrypt
  • Description: This tool supports decryption of files encrypted by TeslaCrypt v3 and v4. The encrypted files come with different extensions, such as .vvv, .micro, .mp3, or with the original name only.
  • Download the AVG decryptor tool:
  • http://files-download.avg.com/util/avgrem/avg_decryptor_TeslaCrypt3.exe

At AVG, we take ransomware threats very seriously. We encourage our partners to continue being proactive by using multilayered protection, such as AVG Business solutions, which detect and block ransomware. You can find additional examples of the six ransomware strains and detailed descriptions here.