Avast Releases Three New Decryption Tools to Fight Ransomware


Community Manager
Staff member
Oct 23, 2012
With the threat now posed by ransomware, cyber security firm Avast has released three more decryption tools to help victims, reaching a total of 14 such tools.

“In the past year more than 200 new strains of ransomware were discovered, it’s growth of in-the-wild samples two-folded, but the good news is that hundreds of millions of Avast and AVG users were protected against this popular threat,” reads a blog post signed by Jakub Kroustek, reverse engineer and malware analyst at Avast.

The three new decryption tools address three different ransomware strains - HiddenTear, Jigsaw, and Stampado/Philadelphia. Some solutions for these particular strains are already available, coming from other security researchers. Avast decided, however, that it is always best to have multiple options.

That’s because these three strains are particularly active and frequently encountered, especially in the past few months. Since the used encryption keys update often, so must the decryption tools. In the end, whether it’s Avast’s tools or those made by other security researchers that work against the ransomware, it’s all for the same purpose.

“Last but not least, we were able to significantly speed-up the decryption time, more precisely the password brute-force process, so e.g. some of the HiddenTear variants will be decrypted within minutes instead of days. The best results are achieved when decrypting files directly from the infected machine,” Kroustek writes.

Decrypting HiddenTear
HiddenTear has been around for a while and the code is actually hosted on GitHub. Given the fact that it is so present, many hackers have gone and tweaked the code and started using it. Encrypted files have a wide range of extensions: .locked, .34xxx, .bloccato, .BUGSECCCC, .Hollycrypt, .lock, .saeid, .unlockit, .razy, .mecpt, .monstro, .lok, .암호화됨, .8lock8, .ed, .flyper, .kratos, .krypted, .CAZZO, .doomed, and more.

After all the files are encrypted, a text file will appear on the user’s desktop.

Decrypting Jigsaw
Jigsaw was first spotted in the wild in March 2016, and many of its strains use the picture of the Jigsaw Killer from the same-name movie in the ransom screen.

Encrypted files will have one of the following extensions: .kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush.

Keeping up with the movie script, the malware will delete a file per hour if you don’t pay up.

Decrypting Stampado
This particular ransomware has been around since August 2016, and it’s being sold on the dark web. Multiple versions have been circulating on the Internet, one of them is called Philadelphia. Most often than not, Stampado adds the .locked extension to the encrypted files.

Stampado will delete a new file every 6 hours unless you pay the ransom.

Check out Avast’s list of anti-ransomware tools and see if you can find one to help you out.

amir 957

Level 5
Malware Hunter
Jan 9, 2017
I really like avast to join the nomoreransom.com project
Why avast doesn't join them?