
Public Decryptor: How to Find and Validate

Direct answer

Public decryptors released by the FBI, NCA, Avast, Kaspersky and partners can decrypt files encrypted by ransomware without payment. But misusing one destroys still-recoverable files. This guide shows where to find a decryptor, how to identify the variant, and how to test safely.

Where public decryptors come from

Four main sources: (1) the No More Ransom Project (nomoreransom.org), a European police initiative with 170+ decryptors; (2) police operations: Operation Cronos released ~7,000 LockBit keys in Feb 2024; (3) antivirus companies: Avast, Kaspersky and Bitdefender publish decryptors for specific variants; (4) independent researchers via GitHub. Each decryptor is specific to a family AND a version. Using a LockBit decryptor on a BlackCat file doesn't work and may damage the file.

Mistakes that destroy data

  1. Running the decryptor directly on production. The wrong decryptor may corrupt encrypted files, making them unrecoverable even by payment. Always test on a copy.
  2. Downloading a decryptor from a non-official source. Fake decryptors circulate in forums, and some carry an additional payload. Use ONLY official sites (FBI, NCA, Avast, Kaspersky, No More Ransom).
  3. Deleting encrypted files before trying the decryptor. Keep the originals until you have confirmed 100% that the decryptor worked. Deletion is irreversible.
  4. Ignoring a variant mismatch because the names are close. The classic Akira decryptor does NOT work on Akira v2 or Megazord. The exact version matters.

How to safely find and validate

  1. Identify the exact variant

     Record the ransom note's filename (CONTI_README.txt, akira_readme.txt, [ID].README.txt), the extension appended to encrypted files, the message in the note, and any .onion site it mentions. Submit a sample to ID Ransomware (id-ransomware.malwarehunterteam.com), which automatically identifies the family.

  2. Consult the No More Ransom Project

     On nomoreransom.org, 'Crypto Sheriff' lets you upload an encrypted file plus the note for an automatic match. If a decryptor exists, a link appears with specific instructions.

  3. Consult CISA and the Operation Cronos key base

     For LockBit 2.0/3.0/Black, the NCA and FBI published a key base in Feb 2024. Eligible variants have an individual key identifiable by victim ID.

  4. Download ONLY from an official source

     Fake decryptors circulate in forums. Avast: avast.com/ransomware-decryption-tools. Kaspersky: noransom.kaspersky.com. Don't download from torrents, forums or Telegram channels.

  5. Create an isolated test environment

     Copy 5-10 representative encrypted files to a network-isolated machine. Run the decryptor ONLY on the copies. NEVER on production.

  6. Validate multiple file types

     Test the decryptor on a PDF, a DOCX, an image and a database. If all of them decrypt correctly and open in their original applications, proceed in production. If any fails, DO NOT use the decryptor in production.
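Steps 5 and 6 can be partly automated. The following is an added example, not code from this page or from any decryptor vendor: it hashes the originals, stages copies, checks each decrypted output's leading bytes against its file type, and refuses production if any file fails or an original changed. The function names and the `.locked` extension are assumptions; the header check is a first filter and does not replace opening the files in their original applications.

```python
import hashlib, shutil, tempfile
from pathlib import Path

# Leading bytes a correctly decrypted file of each type must start with.
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".png": b"\x89PNG\r\n\x1a\n",
         ".sqlite": b"SQLite format 3\x00"}

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def stage_copies(originals, test_dir):
    """Copy encrypted files into test_dir; return {original path: sha256}."""
    Path(test_dir).mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in map(Path, originals):
        shutil.copy2(src, Path(test_dir) / src.name)
        manifest[str(src)] = sha256(src)
    return manifest

def validate_outputs(test_dir, enc_ext):
    """Map each decrypted file in test_dir to 'ok', 'FAIL' or 'unknown'."""
    results = {}
    for f in sorted(Path(test_dir).iterdir()):
        if f.suffix == enc_ext:
            continue  # encrypted copy, not a decryptor output
        magic = MAGIC.get(f.suffix.lower())
        with f.open("rb") as fh:
            head = fh.read(16)
        results[f.name] = ("unknown" if magic is None
                           else "ok" if head.startswith(magic) else "FAIL")
    return results

def safe_for_production(results, manifest):
    """True only if originals are unchanged and every tested file validated."""
    intact = all(Path(p).exists() and sha256(p) == h for p, h in manifest.items())
    return intact and bool(results) and all(v == "ok" for v in results.values())

def demo():
    """Constructed sample: two fake encrypted files, one bad decryptor output."""
    root = Path(tempfile.mkdtemp())
    prod, test = root / "prod", root / "test"
    prod.mkdir()
    for name in ("report.pdf.locked", "contract.docx.locked"):
        (prod / name).write_bytes(b"constructed ciphertext " + name.encode())
    manifest = stage_copies(prod.iterdir(), test)
    # Stand-in for running the decryptor on the copies: PDF recovers, DOCX does not.
    (test / "report.pdf").write_bytes(b"%PDF-1.7\nconstructed\n")
    (test / "contract.docx").write_bytes(b"\x00\x00not a zip")
    results = validate_outputs(test, ".locked")
    return results, safe_for_production(results, manifest)
```

In real use, call `stage_copies` before running the decryptor and `validate_outputs` afterwards; a type reported as `unknown` also blocks production until it is checked by hand.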

FAQ

Which variants have a decryptor in 2026?

Partial: LockBit 2.0/3.0 (Operation Cronos), pre-June 2023 Akira (Avast), Conti V3 (Avast/Kaspersky), Dec 2023 BlackCat samples (FBI). No public decryptor: BlackCat post-Mar 2024, Akira v2/Megazord, Play, recent Cl0p, ESXi-Args.

How do I know which variant version I caught?

Professional: static binary analysis. Home: submit a sample to ID Ransomware or Avast Threat Lab, which return a complete identification within hours.

How long does a decryptor take to run?

It depends on the variant. LockBit/Conti: 5-30 minutes per medium-size machine. ESXi with a decryptor: 1-4h per VM. Decryption is CPU-intensive, so don't run 10 VMs simultaneously.

What if the decryptor decrypts only part of the files?

This happens in variants that use a unique key per file. A decryptor with an Operation Cronos key only works for files encrypted on that specific infrastructure. Files encrypted after the takedown may not have a key.

Can I trust the result 100%?

Not blindly. Validate critical files with a hash before and after. Compare with the backup version when available. Official decryptors are well tested, but isolated cases of partial corruption exist.
