#Decoder for 7even-HONE$T ransomware
- recovers original file name
- recovers content of R4A files
- if possible, recovers content of R5A files (needs additional parameters that are described further)
For R4A:
in this case you can easily get your full file back:
./seven_decoder.py --file 7ev3n/data/1.R4A R4A [+] Original name: annotated.html [+] Decoded to: 7ev3n/data/annotated.html
For R5A:
Depending on the variant that attacked you, you must prepare additional parameters (A or B):
- A. Path to the directory where the file was located during encryption
- B. Unique ID, given in your ransom note
Example for the variant A:
./seven_decoder1.py --file 7.R5A --path 'C:\Users\tester\Pictures' R5A [+] Original name: sam.jpg [+] Using R5A key length: 268 C:\Users\tester\Pictures\sam.jpg [+] Decoded to: sam.jpg
Example for the variant B:
./seven_decoder2.py --file A0.R5A --unique_id 311868324126211989212411351151112524 R5A [+] Original name: MyFile.pdf [+] Using R5A key length: 151 [+] Decoded to: MyFile.pdf
Example for the variant C:
/data/code/malware_analysis/7ev3n/seven_decoder3.py --file A1.R5A --path "C:\lock_me_bmp" --unique_id 49b517551928275244272ca5da1f R5A [+] Original name: square1.bmp [+] Using R5A key length: 268 [+] Unique ID: 49b517551928275244272ca5da1f C:\lock_me_bmp\square1.bmp [+] Decoded to: square1.bmp