Free Decryption Tools Available for PowerWare & Bart Ransomware

Victims of PowerWare and Bart ransomware will be happy to know that there are free decryption tools available to restore their files.

Restoring Files Encrypted by Bart Ransomware

Antivirus firm AVG was able to decrypt files encrypted by Bart ransomware upon discovering that it encrypts the victim’s files by compressing them into a password-protected zip archive.  The password used to secure the zip file is long; however, it is not invulnerable to brute force attacks, which is exactly how AVG unlocks the file.

How to Decrypt Your Files After a Bart Ransomware Infection

All you need to restore your files is:

  1. AVG’s Bart decryption tool
  2. An original (unencrypted) copy of a file that was encrypted (zipped) by the Bart infection. (Having trouble finding a file to use? Check for a file you downloaded to your machine that was later encrypted, like an image or doc.)

Note: Files encrypted by Bart ransomware will have “.bart.zip” appended to the file name, e.g. paper.docx => paper.docx.bart.zip.
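To find the original/encrypted pair that item 2 asks for, the added example below (not AVG's tool and not code from this post) lists each *.bart.zip archive and looks for a backup file with the same base name, size and CRC-32. It assumes the archives keep the standard ZIP layout, where entry sizes and checksums are readable without the password; the function names are hypothetical, and nothing is decrypted.

```python
import sys
import zipfile
import zlib
from pathlib import Path

SUFFIX = ".bart.zip"  # extension the post says Bart appends


def crc32_of(path, chunk=1 << 20):
    """CRC-32 of a file, streamed so large files are not loaded whole."""
    crc = 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            crc = zlib.crc32(block, crc)
    return crc


def entry_metadata(archive):
    """(size, CRC-32) of each archived entry; listing needs no password."""
    try:
        with zipfile.ZipFile(archive) as zf:
            return [(i.file_size, i.CRC) for i in zf.infolist()]
    except zipfile.BadZipFile:
        return []  # renamed or truncated file, not a readable archive


def find_pairs(encrypted_root, backup_root):
    """Return [(archive, original)] for backups that match an archive."""
    by_name = {}
    for f in Path(backup_root).rglob("*"):
        if f.is_file() and not f.name.endswith(SUFFIX):
            by_name.setdefault(f.name, []).append(f)
    pairs = []
    for arc in sorted(Path(encrypted_root).rglob("*" + SUFFIX)):
        original_name = arc.name[: -len(SUFFIX)]  # paper.docx.bart.zip -> paper.docx
        for size, crc in entry_metadata(arc):
            for cand in by_name.get(original_name, []):
                # Assumption: a stored CRC of 0 means "not recorded", so size decides.
                if cand.stat().st_size == size and crc in (0, crc32_of(cand)):
                    pairs.append((arc, cand))
    return pairs


if __name__ == "__main__" and len(sys.argv) == 3:
    for arc, orig in find_pairs(sys.argv[1], sys.argv[2]):
        print(f"{arc}  <-  {orig}")
```

Run it with the folder holding the encrypted files and a folder of backups or downloads as the two arguments; each printed line is a candidate pair.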

How to Restore Files Encrypted by PowerWare

Credit for the PowerWare (aka PoshCoder) file decryption tool goes to Unit 42, the Palo Alto Networks threat intelligence team.  They were able to create the decryption tool after realizing that the PowerWare ransomware uses a hard-coded key to encrypt the files using the AES-128 encryption algorithm.

How to Decrypt Your Files Following a PowerWare Infection

All you need to restore your files is:

  1. Unit 42’s decryption script

Note: The decryption tool is a Python script that you have to run on your machine, which may not be something the average PC user is comfortable doing. If you need help, give us a call at (858) 268-4774 – we provide IT services, including malware removal services, to all of San Diego County.
