Hit by ransomware? Don’t pay the ransom!
Our free ransomware decryption tools can help decrypt files encrypted by the following forms of ransomware. Just click a name to see the signs of infection and get our free fix.
Want to help prevent future ransomware infections?
Download a FREE trial of AVG Internet Security or AVG Internet Security Business Edition. Learn more about our business security solutions.
Learn more in our Ultimate Guide to Ransomware.
Apocalypse is a form of ransomware first spotted in June 2016. Here are the signs of infection:
Filename changes: |
Apocalypse adds .encrypted, .FuckYourData, .locked, .Encryptedfile, or .SecureCrypted to the end of filenames. (e.g., Thesis.doc = Thesis.doc.locked) |
Ransom message: |
Opening a file with the extension .How_To_Decrypt.txt, .README.Txt, .Contact_Here_To_Recover_Your_Files.txt, .How_to_Recover_Data.txt, or .Where_my_files.txt (e.g., Thesis.doc.How_To_Decrypt.txt) will display a variant of this message: |
BadBlock is a form of ransomware first spotted in May 2016. Here are the signs of infection:
Filename changes: |
BadBlock does not rename your files. |
Ransom message: |
After encrypting your files, BadBlock displays one of these messages (from a file named Help Decrypt.html): |
If BadBlock has encrypted your files, click here to download our free fix:
Bart is a form of ransomware first spotted at the end of June 2016. Here are the signs of infection:
Filename changes: |
Bart adds .bart.zip to the end of filenames. (e.g., Thesis.doc = Thesis.docx.bart.zip) These are encrypted ZIP archives containing the original files. |
Ransom message: |
After encrypting your files, Bart changes your desktop wallpaper to an image like the one below. The text on this image can also be used to help identify Bart, and is stored on the desktop in files named recover.bmp and recover.txt. |
If Bart has encrypted your files, click here to download our free fix:
Acknowledgement: We'd like to thank Peter Conrad, author of PkCrack, who granted us permission to use his library in our Bart decryption tool.
Crypt888 (also known as Mircop) is a form of ransomware first spotted in June 2016. Here are the signs of infection:
Filename changes: |
Crypt888 adds Lock. to the beginning of filenames. (e.g., Thesis.doc = Lock.Thesis.doc) |
Ransom message: |
After encrypting your files, Crypt888 changes your desktop wallpaper to one of the following: |
If Crypt888 has encrypted your files, click here to download our free fix:
Legion is a form of ransomware first spotted in June 2016. Here are the signs of infection:
Filename changes: |
Legion adds a variant of ._23-06-2016-20-27-23_$f_tactics@aol.com$.legion or .$centurion_legion@aol.com$.cbf to the end of filenames. (e.g., Thesis.doc = Thesis.doc._23-06-2016-20-27-23_$f_tactics@aol.com$.legion) |
Ransom message: |
After encrypting your files, Legion changes your desktop wallpaper and displays a popup, like this: |
If Legion has encrypted your files, click here to download our free fix:
SZFLocker is a form of ransomware first spotted in May 2016. Here are the signs of infection:
Filename changes: |
SZFLocker adds .szf to the end of filenames. (e.g., Thesis.doc = Thesis.doc.szf) |
Ransom message: |
When you try to open an encrypted file, SZFLocker displays the following message (in Polish): |
If SZFLocker has encrypted your files, click here to download our free fix:
TeslaCrypt is a form of ransomware first spotted in February 2015. Here are the signs of infection:
Filename changes: |
The latest version of TeslaCrypt does not rename your files. |
Ransom message: |
After encrypting your files, TeslaCrypt displays a variant of the following message: |
If TeslaCrypt has encrypted your files, click here to download our free fix: