View All R&D Articles

Are Ransomware Decryption Tools Safe?

May 12, 2023

If you’re hit by ransomware, you’re certainly not alone. By one estimate, 2,708 ransomware attacks occurred from April 2022 to March 2023 — but since many attacks aren’t reported, the true number is much, much higher.

When a ransomware infection occurs, your first priority is to prevent the infection from spreading. We strongly recommend working with an experienced data recovery partner; by identifying the vector of the attack and the source of the initial infection, your partner can help you form a recovery strategy.

However, if you haven’t lost much important data, your first impulse is probably to look for decryption tools. You want to get your data back quickly — so you head online and look for a solution.

Here, there’s good news and bad news: Some ransomware variants have been cracked by white-hat hackers, and open-source decryption tools are generally safe to use. But if you’re considering paying for decryption, you need another approach.

Open-Source Ransomware Decryptors

Kaspersky’s No Ransom project houses ransomware removal tools, decryptors, and other resources for fighting ransomware. Of course, there are some caveats — many types of ransomware haven’t been cracked yet (and the chances of cracking certain variants are quite low). 

The tools on that website can remediate specific versions of major ransomware variants, including:

  • CoinVault
  • Wildfire
  • Rakhni
  • Shade
  • Wildfire
  • Xorist

While Kaspersky hosts the tools, the decryptors come from a variety of sources. The CoinVault decryptor, for example, was created in cooperation with Netherland authorities. 

These tools are safe to use. However, we recommend making a clone of the affected storage media to prevent accidental data loss. It’s also important to isolate the infection — don’t start decryption by plugging infected media into a machine with important data. Read the how-to guides and follow all of the steps to the letter.

Can I pay for ransomware decryption?

Unfortunately, paying for a decryption tool is a bad idea. Many paid decryptors use processes that strip out essential data, permanently corrupting files. 

If software “guarantees” ransomware data recovery, be wary; many ransomware variants use encryption that isn’t crackable. Standard antivirus tools will not decrypt ransomware, and commercial data recovery software generally isn’t designed for decryption.

Paying the attackers is an even worse approach: Depending on the case, paying for a ransom may be illegal. Additionally, there’s no guarantee that they’ll follow through — and by paying, you’re helping to make ransomware profitable. 

We’ve also seen cases where attacker-supplied decryption tools caused permanent data loss. Bad actors have a strong incentive to use strong encryption, but they don’t have much of an incentive to test their decryptors.

Related: LockBit Ransomware: Is Data Recovery Possible?

Getting Help with a Ransomware Infection

As a world leader in ransomware remediation, Datarecovery.com provides resources for analyzing infections, restoring key systems from backups/archival copies, and where possible, decrypting the infected files. 

All of our data recovery services are supported by a no data, no charge guarantee: If we’re unable to restore your files, you don’t pay for the attempt. To learn more, call 1-800-237-4200 to speak with a ransomware expert or submit a case online.