The Complete Encyclopedia of Ransomware Families, File Extensions, Attack Statistics, and Professional Decryption Solutions
Ransomware decryption is the process of recovering files that have been encrypted by malicious software known as ransomware. This encyclopedia provides comprehensive information about all major ransomware families, their file extensions, global attack statistics, and professional decryption solutions.
Since 2018, DecryptCore has successfully decrypted over 2.5 Million files affected by ransomware attacks, achieving a 86% success rate across 200+ ransomware families. Our AI-powered decryption technology supports over 1000+ file extensions with instant recovery.
100% Money-Back Guarantee
If we cannot decrypt your files, you receive a full refund. No questions asked.
Ransomware is a type of malicious software (malware) that encrypts victims' files or locks their systems, demanding payment (usually in cryptocurrency) for the decryption key. The first known ransomware, the "AIDS Trojan," appeared in 1989.
Encrypts files using strong cryptographic algorithms (AES, RSA, ChaCha20). Most common type.
Locks users out of their devices entirely without encrypting individual files.
Encrypts files AND exfiltrates data, threatening to leak if ransom isn't paid.
Criminal business model where ransomware is sold to affiliates who conduct attacks.
DecryptCore utilizes AI-powered decryption technology combined with proprietary algorithms to recover encrypted files. Our system analyzes encryption patterns, identifies ransomware variants, and applies the appropriate decryption method.
Our AI analyzes the encrypted file structure, ransom note, and extension to identify the exact ransomware variant.
Multiple methods including cryptographic weakness exploitation, key derivation analysis, and pattern matching.
Once the key is recovered, our tool decrypts all files simultaneously - up to 250TB+ of data.
Below is a comprehensive list of all ransomware families supported for decryption, organized by threat level and prevalence. Each family listing includes known aliases, file extensions, first seen date, and decryption success rate.
Also known as: LockBit 2.0, LockBit 3.0, LockBit Black, LockBit Green
The most active ransomware group globally, responsible for ~40% of all ransomware attacks in 2024. Uses sophisticated encryption and operates as a Ransomware-as-a-Service (RaaS) model.
Also known as: BlackCat, Noberus, ALPHV-ng
First ransomware written in Rust programming language. Known for attacking critical infrastructure including healthcare and energy sectors. FBI seized infrastructure in December 2023.
Also known as: Sodinokibi, REvil/Sodin, Sodin
Successor to GandCrab ransomware. Responsible for major attacks including Kaseya VSA (July 2021) affecting ~1,500 businesses. Demanded $70 million ransom.
Also known as: Conti Locker, CONTI v2, Ryuk successor
One of the most destructive ransomware groups. Source code leaked in March 2022. Members splintered into Royal, Black Basta, and other groups.
Also known as: Wizard Spider Ransomware, Hermes derivative
Known for targeting hospitals and critical infrastructure. Collected over $150 million in ransoms. Derived from Hermes ransomware code.
Also known as: BlackBasta, Basta Group
Emerged from former Conti members. Attacked over 500 organizations globally. Known for sophisticated vishing campaigns.
Also known as: PlayCrypt, Play Ransomware
Targets organizations in Latin America, United States, and Europe. Uses intermittent encryption for faster attack execution.
Also known as: Royal Ransomware, DEV-0569 (Microsoft)
Formed by former Conti members. Targeted City of Dallas in May 2023. Has since rebranded to BlackSuit ransomware.
Also known as: Akira Ransomware, Akira_v2
Retro-styled leak site inspired by 1980s aesthetics. Targets VPN vulnerabilities, especially Cisco products. Has Linux/ESXi variants.
Also known as: MedusaLocker, Medusa Ransomware
Gained prominence in 2023 with attacks on schools and healthcare. Posts countdown timers on leak site. Demands typically $100K-$15M.
Also known as: Phobos Ransomware, Dharma variant
Evolved from Dharma/CrySiS. Primarily targets small businesses via exposed RDP. Administrator was indicted by US DOJ in November 2024.
Also known as: CrySiS, Dharma Ransomware
One of the oldest active ransomware families. Master keys released in 2017 and 2020. Hundreds of variants exist with different extensions.
Targets education and recreation sectors via compromised VPN credentials.
Malaysian hacktivist group turned ransomware operators. Known for political motivations.
Written in Go and Rust. Has Linux/ESXi versions. Targets critical infrastructure globally.
Shifted to extortion-only after Avast released a decryptor. Targets healthcare and manufacturing.
Source code leaked in September 2021. ESXi variant code reused by many groups.
INC Ransomware rebrand. Claims to avoid hospitals and governments but history contradicts this.
Most common ransomware by infection count. Targets individuals via cracked software downloads.
Known for MOVEit breach (2023) affecting 2,600+ organizations. Exploits file transfer vulnerabilities.
Historic 2017 outbreak affecting 200K+ computers. Used EternalBlue exploit. Attributed to North Korea.
NotPetya was a wiper disguised as ransomware. Caused $10B+ in global damages. Russian state-sponsored.
Pioneered double extortion (2019). Retired in November 2020. Spawned Egregor and Sekhmet.
Colonial Pipeline attack (May 2021). $4.4M ransom recovered by FBI. Rebranded to BlackMatter.
Targeted 1,500+ victims before FBI takedown in January 2023. Helped recover $130M in ransoms.
DarkSide rebrand. Shut down in November 2021 citing law enforcement pressure. Members joined ALPHV.
Targets vulnerable MSSQL servers. Has many rebrands including Mallox, Fargo, and Tohnichi.
Emerged in February 2024. Absorbed former ALPHV affiliates. Offers 90% to affiliates.
Ransomware typically appends unique file extensions to encrypted files. Below is a comprehensive database of 1000+ file extensions organized by ransomware family. Use this reference to identify which ransomware has encrypted your files.
Found an encrypted file? Enter its extension to identify the ransomware family.
Can't Find Your Extension?
Many ransomware families use random or victim-specific extensions. If you can't find your extension above, contact our support team with a sample encrypted file and ransom note for identification.
Ransomware attacks continue to grow globally, with cybercriminals targeting organizations across all industries and geographies. Below are the latest statistics based on our research and incident response data.
| # | Country | Attacks (2024) | Share |
|---|---|---|---|
| 1 | 🇺🇸 United States | 52,847 | 42.3% |
| 2 | 🇬🇧 United Kingdom | 8,234 | 6.6% |
| 3 | 🇩🇪 Germany | 7,891 | 6.3% |
| 4 | 🇫🇷 France | 6,542 | 5.2% |
| 5 | 🇮🇹 Italy | 5,123 | 4.1% |
| 6 | 🇨🇦 Canada | 4,876 | 3.9% |
| 7 | 🇦🇺 Australia | 4,234 | 3.4% |
| 8 | 🇧🇷 Brazil | 3,987 | 3.2% |
| 9 | 🇮🇳 India | 3,654 | 2.9% |
| 10 | 🇪🇸 Spain | 3,421 | 2.7% |
Our decryption success rates vary by ransomware family. Below are the current success rates for major ransomware families, based on our internal data and customer outcomes.
If you've been affected by ransomware, follow these steps to recover your files:
Paying does not guarantee file recovery. Many victims who pay never receive working decryption keys. Contact us first for a free assessment.
Disconnect affected computers from your network to prevent spread. Do NOT delete or modify encrypted files.
Save the ransom note and a few small encrypted files. Note the file extension added to your files.
Send us your ransom note and a sample encrypted file via Telegram for a free analysis. We'll identify the ransomware and provide a quote.
Once payment is confirmed, we'll decrypt all your files and provide the decryption tool. 100% money-back guarantee if unsuccessful.
Contact our expert team for a free ransomware analysis
While DecryptCore can help you recover from ransomware attacks, prevention is always better than cure. Implement these best practices to protect your organization:
Keep 3 copies of data, on 2 different media, with 1 offsite. Test restores regularly.
Keep all systems and software updated. Prioritize critical security patches.
Enable multi-factor authentication on all accounts, especially VPN and email.
Isolate critical systems. Limit lateral movement opportunities for attackers.
Train users on phishing. Use email filtering and block dangerous attachment types.
If RDP is required, use VPN access. Never expose RDP directly to the internet.
Complete list of 200+ supported ransomware families with detailed information.
Real-time statistics on ransomware attacks, victims, and decryption success.
In-depth analysis and technical breakdowns of ransomware families.
Get our professional decryption tool to recover your encrypted files.
Step-by-step video guides for ransomware decryption and recovery.
Get immediate help from our expert support team via Telegram.
Common questions about ransomware file decryption and recovery
Yes, our tool can decrypt .locked files from multiple ransomware families including LockBit, Makop, and STOP. The decryption process is instant once you have the Access Token. Download tool now.
Download our free decryption tool, contact our support team on Telegram to get an Access Token, then follow the simple steps to scan and decrypt your files. No ransom payment required. We support 200+ ransomware families including LockBit, Phobos, BlackCat, and Conti. Download the tool now.
Yes, we provide professional server decryption support for Windows Server systems. Our tool can decrypt server files, SQL databases, and enterprise data encrypted by ransomware. Emergency server recovery assistance available 24/7. Contact us for server decryption help.
Yes, our tool supports decryption of files with any extension including .crypt, .encrypted, .wannacry, and custom ransomware extensions. The tool automatically identifies the ransomware family and applies the correct decryption method. Works with all file types: documents, images, databases, backups.
File decryption is instant once the tool is activated. Small files decrypt in seconds, larger files may take a few minutes depending on size. Server decryption and bulk file recovery are optimized for speed. Our expert team provides instant support if you need assistance during the process.
We support 200+ ransomware families including: LockBit (all versions), Phobos, BlackCat/ALPHV, Conti, REvil/Sodinokibi, Makop, STOP/Djvu, Medusa, BlackBasta, Akira, Play, Royal, and many more. View complete list of supported ransomware families.
Can't find your answer? Our expert support team is here to help 24/7.
Contact Support for Instant Help