Ransomware rescue kit released to combat criminal enterprise

A rescue kit designed for security professionals and system admins has been released to eradicate ransomware infections.
Written by Charlie Osborne, Contributing Writer

A ransomware removal and rescue kit has been released to give businesses an alternative to paying a fee to unlock encrypted files.

Ransomware is a particularly nasty malware family which has risen in popularity in recent times. Often infecting computers through phishing campaigns and malicious links, the malware locks systems and displays a message -- often masquerading as police or an intelligence agency -- that accuses the victim of illegal activities. The notice demands payment within a certain timeframe in exchange for a key to unlock the system and its files -- a key which may or may not work.

Victims will often pay up, panicked either by the agency the malware pretends to be or by the threat of losing their personal files. In response to this threat, however, security companies and professionals have been fighting back with alternatives.

In order to combat this kind of criminal enterprise, security professional Jada Cyrus has compiled a rescue kit which is available for free online. Designed to help "streamline the process of responding to ransomware infections," the ransomware response kit comes with instructions and decryption tools for different strains of ransomware.

"You should never pay the ransom. This will only reinforce this type of attack. According to most security intelligence reports, criminal enterprises are already making large profits from ransomware," Cyrus says.

CryptoLocker, for example -- and its more recent evolved strain TeslaCrypt, which targets gamers -- often demands several hundred dollars in Bitcoin to unlock systems.


Instead of paying the ransom, system administrators and security professionals should first remove the infected system from a network to prevent the malware spreading. The user should then attempt to identify which type of ransomware the system is infected with -- often possible by checking the ransom notice against known strains.


Before removal, Cyrus suggests creating a copy if possible for later analysis, as it may be needed for file decryption. If the type of ransomware is identifiable, users have the option to try to decrypt files and remove the threat through the kit's removal tools. Within the kit are instructions and tools to combat a variety of malware strains:

  • CryptoLocker: CryptoLocker removal tools and threat mitigation
  • CryptoLockerDecrypt: FireEye Tool which attempts to decrypt files encrypted by the CryptoLocker ransomware
  • TrendMicro_Ransomware_RemovalTool: TrendMicro's general ransomware removal tool
  • FBIRansomWare: FBIRansomWare removal tools
  • CoinVault: CoinVault ransomware removal tools
  • TeslaCrypt: Tool for removing this variant of CryptoLocker ransomware

It is critical that the right tool is used to decrypt files. If not, there is a possibility that files will become corrupt or overwritten -- rendering them useless. If possible, restore points and backups should also be used to return systems to a safe state before the infection surfaced -- and after the threat is removed.

To prevent yourself becoming a victim of ransomware, remain wary of emails sent by unverified senders, keep systems up-to-date and fully patched, and consider using antivirus software to stop infection in its tracks.
