The first encryption ransomware appeared in


Since January 2009, the number of ransomware versions has increased by about


Currently, Trojan.Encoder programs (Cryptolockers) are one of the most dangerous threats for users. This Trojan family includes several thousand modifications.

Since mid-April 2013, Doctor Web's virus laboratory has received more than 40 000 decryption requests to restore files affected by Trojan encoders.

Doctor Web's anti-virus laboratory receives over 40 decryption requests daily.

Trojan.Encoder programs (Cryptolockers) use dozens of different encryption algorithms of users’ files.

For example, it will take

107902838054224993544152335601 years

to simple search a key to restore files compromised by Trojan.Encoder.741.

Dr.Web statistics show that the probability of restoring files compromised by encryption ransomware doesn't exceed 10%.

That means that most of user data has been lost for good!

Here are some examples of decryption certainty value estimation by Doctor Web's security experts.

TrojanAlternative namesCertainty value of decryption
Trojan.Encoder.686CTB-LockerDecryption is impossible
at the moment
Trojan.Encoder 395380%
Linux.Encoder.1, Linux.Encoder.2, Linux.Encoder.3100%

* - if the Trojan program file is available

User feedback on forums indicates that files compromised by some Trojan versions can be decrypted only by Doctor Web's security experts.

Since May 2014, Doctor Web’s experts have carried out a major research work to design routines for recovery of data affected by Trojan.Encoder.398.

Currently Doctor Web is the only company whose experts are able to recover compromised files with a probability of 90%.

News about this event was published in November, 2014.

Today criminals demand up to 20 bit coins for decryption.

1bit coin is equal to 6459,54 euros or 7167 dollars.

A demanded ransom can reach 143 340 dollars.

Even if you pay your attacker a ransom, there is no guarantee that you’ll get your data back.

Things can even get rather peculiar. In one situation, a user paid a ransom to their attackers, but their attackers could not decipher the files encrypted by their own Trojan.Encoder (Cryptolocker), and advised the user to seek help… from Doctor Web's technical support service!

Decryption is available free of charge for users of commercial Dr.Web licenses.

In over 90%
of the incidents users launch encryption Trojans on their own computers themselves.

Dr.Web Security Space (versions 9 and 10) comes with a simple solution to the problem of data security—the “Data Loss Prevention” feature.

And, even if a Trojan gets to your files, you will be able to restore them on your own without having to request support from Doctor Web.

Unlike common backup programs, Dr.Web creates and protects backup storage from intruders.

If you are out of luck and your files have been encrypted by the Trojan, contact Doctor Web’s technical support service to decrypt them :

  • Do not use the infected computer until you receive instructions from Doctor Web's technicians, even if you need it for your business.
  • Do not attempt to reinstall the operating system!
  • Do not attempt to remove any files or programs from the disk!
  • If you have started a virus scan, do not take any irreversible actions including curing/removing the malware. Consult Doctor Web's specialists before you do anything with the found viruses/Trojans, or at least keep back-up copies of all the discovered malware; they may be necessary to determine the key to decrypting the data.

Visit Legal sеction to learn how to submit a request to Doctor Web’s support service

We strongly recommend that you file a report with the police in case of infection.

Thank you for taking the time to familiarise yourself with these materials.