Skip to main content
ransomware-securityINFO

Decrypt ransomware without paying: complete 2026 guide

How to decrypt ransomware without paying the ransom: No More Ransom, ID Ransomware, free decryptors from Emsisoft, Avast, Bitdefender, and what to do when no key exists.

By Eric Gerard · Editor · Save My Disk14 min readPhoto via Unsplash

Ransomware just encrypted your files and the note demands bitcoin. Before any decision, know that paying is neither the only option nor the most reliable. For roughly one ransomware family in three, an official free decryptor exists - published by law enforcement, antivirus vendors, or independent researchers. This guide walks through the full procedure to identify your strain, check if a key is available, and attempt recovery without paying a cent.

The content relies on public resources from Europol, the No More Ransom project, MalwareHunterTeam, CISA / FBI / ANSSI recommendations, and the Emsisoft decryptor catalog - the spine of ransomware response in 2026.

How to decrypt ransomware files without paying the ransom

To decrypt ransomware without paying: (1) identify the strain via ID Ransomware (id-ransomware.malwarehunterteam.com - covers 1,300+ families); (2) check the No More Ransom portal (nomoreransom.org - 160+ official free decryptors for ~200 families including STOP/Djvu, GandCrab, Crysis/Dharma, Babuk); (3) download only from official vendor pages (Emsisoft, Avast, Bitdefender, Kaspersky); (4) test on a copy first, never on originals. For uncracked strains (LockBit 3.0, BlackCat), the only path is a pre-attack backup or shadow copy recovery.

How modern ransomware encryption works

Understanding the cryptography clarifies why some ransomware is decryptable and other strains are not.

Hybrid AES + RSA encryption

Current ransomware (LockBit, BlackCat, Akira, Royal, Play) uses a hybrid scheme:

  1. A AES-256 symmetric key (sometimes ChaCha20 or Salsa20) is randomly generated per file or per batch of files.
  2. This AES key encrypts the actual file content - fast, several gigabytes per minute.
  3. The AES key itself is encrypted with a RSA-2048 public key (or elliptic curves Curve25519) embedded in the malware.
  4. The matching RSA private key stays on the attacker's server: without it, the AES keys cannot be recovered and decryption is mathematically impossible.

This design makes brute-force decryption infeasible in 2026: breaking RSA-2048 requires resources beyond major public clouds. A Shor-style quantum attack would need a fault-tolerant quantum computer with around 20 million physical qubits, out of reach before 2035 at the earliest.

Why some strains are decryptable anyway

Free decryptors don't rely on brute force but on implementation errors, key leaks, or server seizures:

  • Flawed cryptographic implementation: predictable pseudo-random generator (case of STOP/Djvu offline ID, where the same key is reused when infection happens without C2 contact), nonce reuse, vulnerable cipher mode.
  • Master key leak: source-code publication, law enforcement infiltration, affiliate defection. See Babuk (June 2021), Conti (March 2022), LockBit (Operation Cronos 2024).
  • C2 server seizure: Europol/FBI operations that recover the private-key database. See GandCrab (2019), partial REvil (2021), Hive (January 2023), LockBit (February 2024).
  • Design bug: the key is stored locally in a log file, in the registry, or transmitted in cleartext. Several low-cost families made these mistakes.

For top-tier strains correctly implemented (LockBit 3.0/Black, BlackCat/ALPHV, post-2024 Akira), none of these flaws have been publicly found. They remain undecryptable without the operators' private key.

The No More Ransom project: an essential pivot

Launched in July 2016 by Europol EC3 (European Cybercrime Centre), the Dutch National Police, Kaspersky, and McAfee, the nomoreransom.org portal has become in ten years the global reference for free decryption.

Key 2026 figures

  • More than 160 official decryption tools available for download.
  • Coverage of roughly 200 ransomware families and sub-families.
  • More than 1.8 million victims helped since 2016 (Europol 2025 annual report).
  • 188 partners worldwide: law enforcement, CERTs, antivirus vendors, universities.
  • Available in 37 languages including English, French, Spanish, German, Japanese.

The Crypto Sheriff service

At the heart of the portal, Crypto Sheriff automatically identifies the strain from two encrypted files (under 1 MB each) and either the ransom note or a URL it contains. The tool compares extensions, file structures, header patterns, and payment addresses against an internal database. When a match is found, it redirects to the matching decryptor and its instructions.

If no tool exists for the strain, the service says so plainly and suggests checking back later - the database is updated weekly.

Limits to keep in mind

The portal does not decrypt online. It provides downloadable tools to run locally. No sensitive file is uploaded to their servers beyond what is needed for identification. The decryptors are signed by partner vendors: Avast, Bitdefender, Emsisoft, Kaspersky, Trend Micro, Tesorion, AVG.

ID Ransomware: the other identification building block

The id-ransomware.malwarehunterteam.com service, maintained since 2016 by Michael Gillespie (joined by MalwareHunterTeam), covers a broader base: over 1,300 families and variants in 2026, more than No More Ransom (which focuses on available decryptors).

How to use it

On the homepage:

  1. Upload an encrypted file (max size 100 MB, but 1-10 MB is plenty).
  2. And/or upload the ransom note (TXT, HTML, HTA).
  3. And/or paste an email address or Tor URL mentioned in the note.

The service compares the file header, the extension, the note content, and network indicators against the database. It returns:

  • The canonical family name (e.g., Phobos, STOP/Djvu, MedusaLocker).
  • The precise variant if identifiable.
  • A direct link to existing recovery resources.
  • A "DECRYPTABLE" or "NO DECRYPTOR AVAILABLE" flag.

For deeper accuracy on variants, see our guide on identifying ransomware with ID Ransomware, which details false-positive pitfalls and distinguishing markers between Phobos, Dharma, and Crysis.

Families decryptable for free in 2026

A laptop open on a desk
A laptop open on a desk

The table below summarizes the main strains with an official tool, the vendor, and the observed success rate.

FamilyTypical extensionDecryptorVendorSuccess rate
STOP/Djvu (offline ID).djvu, .stop, .promoradSTOPDecrypterEmsisoft70-90% (offline ID only)
Crysis / Dharma.crysis, .dharma, .walletCrysis DecryptorAvast / Kaspersky95%
GandCrab v1-v5.2.gdcb, .crab, .krabGandCrab DecryptorBitdefender99%
Shade / Troldesh.crypted, .breaking_badShade DecryptorKaspersky95%
Avaddon.avdnAvaddon DecryptorBitdefender99%
REvil pre-July 2021.revil, .sodinokibiREvil Universal DecryptorBitdefender90% (time-limited keys)
Babuk (leaked keys).babuk, .babykBabuk DecryptorAvast99%
LockBit (Cronos seizure).lockbitLockBit DecryptorNCA / FBI / EuropolPartial, variant-dependent
Conti (source leak).contiConti Decryptor (limited)Several researchersCase by case
Hive.hiveHive DecryptorFBI / EuropolPartial (2023 seizure)
AES_NI, Jaff, CrysisvariousDedicated toolsKaspersky90%+
TeslaCrypt.vvv, .ecc, .ezz, .exxTeslaDecoderBloodDolly100% (master key released)
WannaCry.wncry, .wcrywanakiwi / wannakeyAdrien Guinet / Benjamin DelpyDepends on preserved RAM

Spotlight on STOP/Djvu: the consumer strain

STOP/Djvu remains in 2025-2026 the most active family against home users (Emsisoft and MalwareHunterTeam reports). It spreads through software cracks, keygens, and trojanized installers downloaded from warez sites.

Two encryption modes:

  • Offline ID: no connection to the C2 server during infection. The same key is reused for all victims of the same build. Emsisoft holds that database and can decrypt 70-90% of offline cases.
  • Online ID: successful C2 connection, unique per-victim key. Undecryptable without the attackers' private key.

The Emsisoft STOPDecrypter automatically reports the ID type after uploading the personal.txt reference file the malware drops on disk.

Undecryptable families in 2026

Conversely, several active strains have no public decryptor. Don't waste time hunting: preserve the encrypted files and pivot to backup or shadow-copy recovery.

  • LockBit 3.0 / Black (post-2022, outside the Cronos-derived keys) - correct cryptography, dominant RaaS.
  • BlackCat / ALPHV - Rust-written, multi-OS, operated through mid-2024 then dispersed. No publicly usable seizure.
  • Akira - active since 2023, targets SMBs and hospitals, no published flaw.
  • Royal / BlackSuit - Conti successor, solid hybrid cryptography.
  • Play (PlayCrypt) - active since 2022.
  • Medusa, MedusaLocker - active, distinct from each other.
  • 8Base - active since 2022.
  • Cactus, Rhysida - recent, publicly undecryptable.

For these families, the only viable recovery path is clean backups, undestroyed shadow copies, or unencrypted residual files. See our pillar guide to ransomware file recovery for the full methodology.

Step-by-step: testing an official decryptor

Here is the recommended sequence once the strain is identified and a decryptor is found.

1. Prepare a test environment

  • Work on a copy of an encrypted file, never on the original. A decryptor error can irreversibly overwrite the file.
  • Create an isolated folder on a clean external drive and copy 5-10 encrypted files of different formats (DOCX, JPG, PDF, MP4, ZIP).
  • Pause cloud sync temporarily to avoid propagating partially corrupted decrypted files.

2. Verify decryptor authenticity

Download only from official pages:

  • Emsisoft: decrypter.emsisoft.com
  • Avast: avast.com/ransomware-decryption-tools
  • Bitdefender: bitdefender.com/blog/labs/
  • Kaspersky: noransom.kaspersky.com
  • No More Ransom: nomoreransom.org/en/decryption-tools.html

Check the executable's digital signature (right-click → Properties → Digital Signatures) and the SHA-256 hash if published. Several fake Bitdefender and Avast decryptors circulate on underground forums with a secondary payload.

3. Confirm the strain with an antivirus scan

Before running the decryptor, scan the machine with an up-to-date AV (ESET, Malwarebytes, Bitdefender free) in offline mode via a rescue USB. Confirm the family detected. If the scan reveals a different strain than the one identified by ID Ransomware, do not run the decryptor - it could damage the files.

4. Run on the copy

Launch the tool, point it to the test folder, and provide the required file pairs (one encrypted file plus one original unencrypted version of the same file, for tools that ask - typically Avast).

Always enable:

  • The preserve encrypted files option (in case decryption corrupts them).
  • Test mode or dry run if available.

5. Verify the decrypted files

Open each file in its native application:

  • DOCX / XLSX: Word/Excel must open it without a repair dialog.
  • JPG / PNG: photo viewer, check the full visual appearance.
  • PDF: Acrobat or browser, pagination intact.
  • ZIP / 7z: integrity test via the archiver's built-in check.

Compare the decrypted file sizes against expected ones (if you have duplicates on cloud storage). A few-byte difference is normal (encryption strips/adds padding and a marker header), but a significant gap signals a problem.

6. Launch full decryption

Once the procedure is validated on the 5-10 test files, target the full volumes and run. Expect several hours for a few hundred gigabytes. Monitor logs: some files may be flagged as partially corrupt (often because the ransomware was interrupted during encryption and left half-processed files).

Alternatives when no decryptor exists

If the strain is on the undecryptable list, don't waste time. Remaining recovery paths:

Restore from backup

This is the most reliable path, provided you have a backup predating the attack, disconnected at the time of encryption. Modern ransomware actively targets attached backup drives and network shares. See the 3-2-1-1-0 best practices in our recovery guide.

Windows shadow copies

Windows creates Volume Shadow Copies (VSS) in the background. Ransomware tries to delete them via vssadmin delete shadows /all, but many miss certain volumes or fail due to privilege issues. Our guide Windows shadow copies and recovery details ShadowExplorer, vssadmin, and the Previous Versions tab for recovery even when VSS appears empty.

File carving

Recovery tools like PhotoRec (free), R-Studio, or EaseUS Data Recovery Wizard scan free disk space for file signatures. When ransomware encrypts a file, it writes the encrypted version then deletes the original - the original is often recoverable as long as the blocks have not been overwritten.

Run the scan immediately after isolating the machine to maximize chances. The longer the disk runs after the attack, the more free blocks get overwritten.

Unencrypted residual files

Several file categories often escape encryption and contain usable data:

  • Office .tmp files in %APPDATA%\Microsoft\Word\ and equivalents for Excel/PowerPoint - auto-saved versions.
  • Windows thumbnails in thumbcache_*.db - viewable with ThumbCache Viewer for photo previews.
  • Browser history: Chrome/Firefox/Edge caches for recently viewed images.
  • Unsynced OneDrive files still in local cache, not yet encrypted depending on timing.

To quickly assess your recovery odds based on your scenario (strain, available backups, media type), use our free diagnostic.

Why you should NOT pay the ransom

Beyond the ethical argument, several technical and legal reasons back the official CISA / FBI / Europol / ANSSI position.

Payment does not guarantee recovery

Paying the ransom guarantees nothing:

  • Some paying victims receive no key at all after payment.
  • Others receive a faulty or incomplete decryptor (invalid key on some files, tool crashes, unacceptable performance).
  • Many recover their files but with partial losses (some files remain unrecoverable).
  • A meaningful share of paying victims never recover the entirety of their data.

Compared with a recovery you can verify yourself when an official decryptor exists, the risk/benefit ratio of payment is unfavorable.

Payment funds and encourages the ecosystem

Global ransomware revenue has been trending down as more victims refuse to pay - but every payment still reinforces the criminal business model. Paying also marks you as a profitable target and invites re-infection: a significant share of those who pay are attacked again within months.

In the U.S., the OFAC (Office of Foreign Assets Control) prohibits any transaction with sanctioned entities. Several ransomware groups are listed: Evil Corp (sanctions 2019), Conti / Trickbot operators (2023), individual LockBit operators (2024). Paying a ransomware linked to these groups is a violation exposing the paying entity or facilitator (including negotiation firms) to civil and criminal proceedings.

The EU and the UK are converging on similar rules. In France, Penal Code Article 421-2-2 on terrorism financing can apply if the group is tied to a hostile state (case for several North Korean and Russian groups).

Official CISA / FBI position

The FBI has issued the same message since 2016 through its IC3 advisories. CISA (Cybersecurity and Infrastructure Security Agency) coordinates StopRansomware.gov, which centralizes alerts and decryptors in the United States. The UK's NCSC publishes nearly identical guidance, as does Australia's ACSC.

Key reference points to remember

A few qualitative takeaways frame the 2025-2026 ransomware landscape:

  • Free decryption resources cover a large catalog of families - No More Ransom lists over 160 official decryptors for roughly 200 families, and ID Ransomware indexes 1,300+ families and variants.
  • The share of victims who pay has fallen markedly over the years, as more organizations rely on clean backups and free decryptors instead.
  • Global ransomware revenue has trended down in recent years, a sign that refusing to pay - when a backup or decryptor exists - is increasingly the norm.

To anticipate rather than absorb attacks, a modern antivirus with an anti-ransomware module (automatic rollback, behavioral detection) drastically reduces the risk. Our best anti-ransomware software 2026 comparison covers Bitdefender, Norton, Kaspersky, Malwarebytes, and Acronis with their blocking scores from independent AV-Test and AV-Comparatives tests.

Recap: your decision path

  1. Isolate the machine, photograph the ransom note, record the extension.
  2. Identify the strain via ID Ransomware (id-ransomware.malwarehunterteam.com).
  3. Check for a decryptor on No More Ransom (nomoreransom.org).
  4. If a decryptor exists: download from the official source, test on a copy, then run.
  5. If no decryptor: restore from clean backup, or attempt shadow copies and file carving on residual files. Our data recovery software guide lists the tools best suited for carving originals out of NTFS free space after encryption.
  6. Preserve the encrypted files on an external drive: a decryptor may surface months or years later.
  7. Do not pay: high risk of incomplete recovery, criminal funding, OFAC exposure, and a real chance of being attacked again.
  8. File a report with law enforcement (IC3 in the U.S., NCSC/Action Fraud in the U.K., cybermalveillance.gouv.fr in France) and notify your data-protection authority if third-party personal data is involved.

Free decryption truly works for hundreds of thousands of victims every year. The reflex must always be: identification, No More Ransom check, test on a copy, and only then decide on alternatives.

Editorial pick
4.5 / 5

Back up now so ransomware can't win → EaseUS Todo Backup

Automatic backups · disk clone · offline copy

Founded in 200430-day guaranteeFree 2 GB version
See the offer

Frequently asked questions

Do free ransomware decryptors actually work?

Yes. The No More Ransom portal (Europol EC3 + Dutch National Police + Kaspersky + McAfee partnership) catalogs over 160 official decryption tools covering roughly 200 ransomware strains. Since 2016 the project has helped 1.8 million+ victims and prevented hundreds of millions of euros in ransom payments. Emsisoft, Avast, Bitdefender, and Kaspersky publish their decryptors free of charge whenever a cryptographic flaw is found or a server seizure releases master keys.

What is the success rate when attempting free decryption?

It depends entirely on the strain. For families covered by an official decryptor (STOP/Djvu offline ID, Crysis/Dharma, GandCrab, Shade, Avaddon, early REvil, leaked Babuk keys), recovery exceeds 90% of encrypted files provided you have the right version. For active uncracked strains (LockBit 3.0, BlackCat/ALPHV, Akira, Royal, recent Conti), the rate is zero - no free tool works in 2026.

Can REvil, Conti, and LockBit be decrypted?

Partially and with conditions. REvil/Sodinokibi: a free Bitdefender decryptor (available via No More Ransom) exists for attacks before July 2021. Conti: no public tool, but the 2022 source-code leak made case-by-case recovery possible in some situations. LockBit: the NCA's Operation Cronos seizure in February 2024 yielded some keys now integrated into No More Ransom - but modern LockBit 3.0/Black remains undecryptable without the operators' private key.

Why do CISA and the FBI advise against paying?

CISA, FBI, Europol, and France's ANSSI all converge here. First, payment guarantees nothing: many victims who pay receive no key at all, or receive a faulty or incomplete decryptor, and never recover everything. Second, paying funds the criminal ecosystem and marks the victim as profitable, so a significant share of those who pay are attacked again. Third, some transactions fall under U.S. OFAC sanctions if the group is listed.

How long should I wait for a decryptor to be released for my strain?

It varies. Some decryptors appear within weeks of a server seizure (LockBit, Hive 2023 via FBI). Other strains remain undecryptable for years or even forever if the cryptography is correctly implemented. Pragmatic rule: keep the encrypted files on a clean external drive. Check No More Ransom every three to six months. Several 2018-2019 victims recovered their data after 2 to 4 years of waiting.

What should you do immediately after a ransomware attack?

Immediately: (1) isolate the infected machine - unplug Ethernet, disable Wi-Fi, disconnect external drives; (2) photograph the ransom note and encrypted file extension; (3) on a clean device, upload a sample to id-ransomware.malwarehunterteam.com to identify the strain; (4) check nomoreransom.org for a free decryptor; (5) do NOT pay - many victims who pay never recover all their files.