The Thirtyseven4 Threat Research Lab has developed a CrySiS/XTBL decryption tool (known as 374-Ransom-Decryptor).
The free decryption tool can be downloaded from here:
Added Support: As of May 22, 2017, the decryption tool will decrypt files affected by the following ransomware families.
Troldesh Ransomware [.onion]
Troldesh Ransomware [.wallet]
Added Support: As of March 7, 2017, the decryption tool will decrypt files affected by the following ransomware families.
Troldesh Ransomware [.dharma]
Globe3 Ransomware [.globe & .happydayzz]
Added Support: As of February 8, 2017, the decryption tool will decrypt files affected by the following ransomware families.
Globe1 Ransomware [.hnyear]
Globe2 Ransomware [.blt]
Globe3 Ransomware [.decrypt2017]
DeriaLock Ransomware [.deria]
Opentoyou Ransomware [.-firstname.lastname@example.org]
As of January 20th, 2017, the decryption tool will decrypt files affected by the following ransomware families.
Troldesh Ransomware [.xtbl]
Crysis Ransomware [.CrySiS]
Cryptxxx Ransomware [.crypt]
Ninja Ransomware [@_aol.com$.777]
Apocalypse Ransomware [.encrypted]
Nemucod Ransomware [.crypted]
ODC Ransomware [.odcodc]
LeChiffre Ransomware [.LeChiffre]
A Crysis/XTBL encryption can be identified by the pattern of the encrypted file's extension:
Below are the instructions to use the 374-Ransom-Decryptor:
1. Download the 374-Ransom_Decryptor_v1.0.zip from the link above and extract it on the system that holds the encrypted files.
2. Right-click the “374-Ransom_Decryptor_v1.0.exe” file and select ‘Run as Administrator’ to view the Decryption Window.
3. Press the 'Y' key to start the scan. The tool will automatically scan the entire system for files affected by the ransomware threats listed above. When an encrypted file is found, the tool will decrypt the file in its respective folder while keeping a copy of the encrypted file at the same time.
After scanning is complete, the decryption tool will show the final status displaying the number of encrypted files found and how many were successfully decrypted. The detailed information about the decryption status of each file can be obtained from the ‘Decryption.log’ generated in the same folder as the tool.