Ransomware Recover (Tr2)


How to use Ransomware Recover (Tr2)

Trellix Ransomware Recover (Tr2) will be regularly updated as the keys and decryption logic required to decrypt files held for ransom become available. This tool can unlock user files, applications, databases, applets, and other objects encrypted by ransomware.

This framework is freely available so that anyone in the security community can contribute decryption keys and decryption logic without the burden of developing a decryption framework of their own.

Installer Details

The ransomware tool comes with two installers:

  1. x86 or 32-bit version for installing on 32-bit Windows OS.
  2. x64 or 64-bit version for installing on 64-bit Windows OS.

Use the appropriate installer for your operating system.

The installer includes a built-in Uninstaller. The same installer, when run again after installation, gives the user the option to uninstall the software. Users can also navigate through the Windows Uninstallation menu to remove this tool.

The Program Menu

Once the install process is complete, the tool can be found in the Windows program menu under as well as in the recently added program list:

[Screenshot: ransomware-1]

Running the Tool

This product is a command-line tool. To run, click on the filename in the Windows program menu under or the recently added list.

[Screenshot: ransomware-2]

Commands

The command line lets you download and run the decryption tool, and recover files encrypted by ransomware.

Supported commands:

-help
    Show detailed help about all supported commands.

-list
    Show the list of all decryption tools, with versions, available within the framework’s cloud backend. Decryption tool versions that are already downloaded and present on the local machine are marked with (**).

-get
    Download the decryption tool with the given name and version from the framework’s cloud backend. This command may take some time to complete, depending on the size of the decryption tool and other related dependencies.

    Options:
      <name>  Name of the decryption tool. This is a mandatory option.
      -ver    Version of the decryption tool to be downloaded. This is optional. If not specified, the latest version of the decryption tool will be downloaded.

-run
    Run the decryption tool with the given name and version. The decryption tool must be downloaded with the “-get” command before using this command. This command may take some time to complete, depending on the size of the decryption tool and other related dependencies.

    Options:
      <name>  Name of the decryption tool. This is a mandatory option.
      -ver    Version of the decryption tool. This is optional. If not specified, the latest downloaded version of the tool will run.

-about
    Show the help text of the decryption tool with the given name and version. The decryption tool must be downloaded with the “-get” command before using this command. This command may take some time to complete, depending on the size of the decryption tool and other related dependencies.

    Options:
      <name>  Name of the decryption tool. This is a mandatory option.
      -ver    Version of the decryption tool. This is optional. If not specified, the help text of the latest downloaded version of the tool will be shown.


Example

Assume your files are encrypted by Stampado ransomware. Below is the affected system’s screen after the infection, showing the email ID to be contacted and a text box for entering the unlocking code.

[Screenshot: ransomware-3]

Let’s download and run the “stampado” ransomware decryption tool to recover your files.

  1. Get the list of all ransomware decryption tools by running the MfeDecrypt -list command:
    [Screenshot: ransomware-4]

  2. From the list, pick “stampado” and Version “1.0.0” and run MfeDecrypt -get stampado -ver 1.0.0 to download the tool:
    [Screenshot: ransomware-5]

  3. [OPTIONAL] If you run the MfeDecrypt -list command again, you will see that “stampado” Version “1.0.0” is marked with “**”, which means that the tool is present on your system.
    [Screenshot: ransomware-6]

  4. To see the command options for “stampado” version “1.0.0”, run MfeDecrypt -about stampado -ver 1.0.0:
    [Screenshot: ransomware-7]

  5. Get the email ID displayed in the Stampado ransomware dialog (for example, FileUnlocker64@mail2tor.com) and pass it to the stampado decryption tool as shown in its help text, i.e. MfeDecrypt -run stampado -ver 1.0.0 -args “-e FileUnlocker64@mail2tor.com”.
    [Screenshot: ransomware-8]

  6. Take the code displayed and enter it in the Stampado window to decrypt and recover your files.
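As an added example (not Trellix’s code and not part of the original page), the PowerShell script below automates the steps above: it checks the items from the Prerequisites section, downloads the requested tool only when -list does not already mark it as present, shows the tool’s help, then runs it. It assumes MfeDecrypt.exe is on PATH, that -list prints one line per tool version with the “**” mark on that line, that MfeDecrypt returns a non-zero exit code on failure, and that $ProbeHost is a placeholder you replace.

```powershell
# Added example, not Trellix's code: automates the Tr2 steps described above.
# Assumptions: MfeDecrypt.exe is on PATH; "-list" prints one line per tool version
# and marks locally present versions with "**" (exact layout assumed); MfeDecrypt
# returns a non-zero exit code on failure (assumed).
param(
    [Parameter(Mandatory)] [string] $Tool,      # e.g. "stampado"
    [Parameter(Mandatory)] [string] $Version,   # e.g. "1.0.0"
    [string] $ToolArgs = "",                    # e.g. "-e FileUnlocker64@mail2tor.com"
    [string] $ProbeHost = "example.com"         # placeholder: a host you expect to reach
)

function Test-Tr2Prerequisites {
    # Prerequisite 1: the framework needs network access to its cloud backend.
    if (-not (Test-Connection -ComputerName $ProbeHost -Count 1 -Quiet)) {
        throw "No network connectivity; the cloud backend cannot be reached."
    }
    # Prerequisite 3: Windows 7 / Vista / Server 2008 (NT 6.0 and 6.1) need the
    # insecure-library-loading fix, KB2533623 (from the advisory URL on this page).
    $os = [Environment]::OSVersion.Version
    if ($os.Major -eq 6 -and $os.Minor -le 1) {
        if (-not (Get-HotFix -Id KB2533623 -ErrorAction SilentlyContinue)) {
            throw "KB2533623 is not installed; apply it before running a decryption tool."
        }
    }
}

function Test-Tr2ToolPresent {
    # Step 3: a "**" mark in the "-list" output means the version is already local.
    $listing = & MfeDecrypt -list 2>&1 | Out-String
    $pattern = [regex]::Escape($Tool) + '.*' + [regex]::Escape($Version) + '.*\*\*'
    return [bool]($listing -split "`r?`n" | Where-Object { $_ -match $pattern })
}

function Invoke-Tr2Decrypt {
    Test-Tr2Prerequisites
    if (-not (Test-Tr2ToolPresent)) {
        # Step 2: download the tool; this can take a while for large tools.
        & MfeDecrypt -get $Tool -ver $Version
        if ($LASTEXITCODE -ne 0) { throw "-get failed with exit code $LASTEXITCODE" }
    }
    # Step 4: show the tool's own help so the operator can confirm the expected arguments.
    & MfeDecrypt -about $Tool -ver $Version
    # Step 5: run the tool, passing its arguments as one string through -args.
    & MfeDecrypt -run $Tool -ver $Version -args $ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "-run failed with exit code $LASTEXITCODE" }
}

Invoke-Tr2Decrypt
```

Run it as, for example, .\Invoke-Tr2.ps1 -Tool stampado -Version 1.0.0 -ToolArgs "-e FileUnlocker64@mail2tor.com" after the ransomware process has been terminated and quarantined as the Prerequisites section requires.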

Supported Operating Systems

This tool is designed to run on Windows 7 and later versions.

Prerequisites

  1. Make sure your machine has network connectivity.
  2. Terminate and quarantine existing ransomware on your system by updating to the latest signature of your antimalware product, before running a specific decryption tool.
  3. On Windows 7, Windows Vista, and Windows Server 2008, make sure you have the https://support.microsoft.com/en-us/help/2533623/microsoft-security-advisory-insecure-library-loading-could-allow-remot patch or update installed on your system.

Disclaimer

  1. This tool does generate some network traffic. We do not gather any user or system-specific information.
  2. If a newer version of this framework is available, we recommend that you uninstall the previous version prior to installing any newer version.

This tool is provided as-is and is subject to the Software Royalty-Free License agreement.

Resources

Quick Links

Download Ransomware Recover (Tr2) for 32-bit systems
Download Ransomware Recover (Tr2) for 64-bit systems
