What is the ransomware decryption tool by McAfee?

Ransomware is a form of malware that encrypts files on a device and demands payment in order to decrypt them. It has become a major cyber threat in recent years. According to research, the number of ransomware attacks increased globally from around 40 million in 2020 to over 154 million in 2022.

Ransomware can cause significant financial damage and disruptions for businesses and organizations. Recent statistics show that ransomware payments reached nearly $2 billion in 2021, a 300% increase from 2020. Healthcare, education, and government are frequently targeted sectors.

Due to the rising threat, security firms like McAfee have developed decryption tools to help victims recover encrypted files without paying the ransom.

What is the McAfee Decryption Tool?

The McAfee Decryption Tool is a free software created by cybersecurity company McAfee to help victims decrypt files encrypted by ransomware. It contains decryption algorithms that can decrypt files encrypted by certain ransomware families and recover files without paying the ransom.

According to McAfee, “The tool may decrypt files encrypted by the supported ransomware families after the ransomware infection has been removed using McAfee Anti-Malware and it has been confirmed that the threat is gone. Make sure you remove the ransomware from your PC first, or the ransomware may repeatedly encrypt your files.”1

The McAfee Decryption Tool is available for free download from McAfee’s website. It supports decryption of files encrypted by around 20 ransomware families as of November 2022, including Dharma, Shade, Ryuk, Maze, Sodinokibi, Phobos, and others.

How Does it Work?

The McAfee Decryption Tool works by analyzing the encryption algorithms used by different ransomware variants. Ransomware typically uses strong encryption like AES (Advanced Encryption Standard) or RSA (Rivest–Shamir–Adleman) to lock files on an infected device (Provendata.com). These encryption algorithms rely on the use of cryptographic keys to encrypt and decrypt data. The decryption tool is able to look for flaws or weaknesses in how specific ransomware implementations utilize these encryption algorithms.

For example, some ransomware variants use poor key generation or key storage practices that the tool can exploit to recover the encryption keys needed to unlock files. By studying the encryption code of many ransomware families, McAfee has been able to create decryptors tailored to exploit weaknesses in the encryption methods of individual strains (Trellix.com). As new ransomware variants emerge, McAfee works to analyze their encryption techniques and develop new decryption capabilities.

Overall, the decryption tool serves as a repository of exploits against ransomware encryption schemes. By leveraging cryptographic weaknesses and programming errors made by ransomware developers, the tool provides victims their best chance at getting their data back without paying the ransom.

What Ransomware Variants can it Decrypt?

The McAfee Decryption Tool can decrypt files encrypted by many major ransomware variants. According to McAfee, some of the notable ransomware families decrypted include:

  • Babuk
  • CrySiS
  • Dharma
  • GlobeImposter
  • Jigsaw
  • Phobos
  • RansomEXX
  • Scarab
  • Snatch

In addition, the tool can decrypt some variants of Cerber, Locky, TeslaCrypt and Shade ransomwares. The full list contains over 100 variants across dozens of ransomware families (https://www.mcafee.com/blogs/other-blogs/mcafee-labs/wildfire-ransomware-extinguished-tool-nomoreransom-unlock-files-free/).

However, it should be noted that the tool cannot decrypt all variants, especially new ransomware strains. Ransomware developers frequently modify their code to evade decryption. So the tool’s capabilities are limited against the newest threats.


The McAfee Decryption Tool provides several key benefits for anyone affected by ransomware. First and foremost, it is completely free to download and use, unlike many other decryption tools or services that charge a fee. This makes it accessible for both individuals and organizations who may not have the budget for expensive recovery solutions after a ransomware attack.

In addition, the tool is designed for easy use even for those without advanced technical skills. The interface allows users to simply point to the encrypted files to have the tool scan and attempt to decrypt them. There is no complicated setup or configuration required.

Another major advantage is that McAfee constantly updates the tool’s decryption capabilities as new ransomware variants emerge. Their dedicated researchers work around the clock to ensure the latest threats can be decrypted. According to Avast, the tool can currently unlock files encrypted by over 140 different forms of ransomware. This broad coverage is invaluable in providing the best chance of getting data back.

With its free access, ease of use, and regular updating for new ransomware strains, the McAfee Decryption Tool offers critical benefits for recovering from such attacks without paying the demanded ransom.


While the McAfee decryption tool can decrypt files encrypted by some ransomware variants, it does have some limitations:

The tool cannot decrypt files encrypted by all ransomware variants. It only works for certain strains that McAfee has developed decryptors for like GandCrab, HiddenTear, Shade, Dharma, Crysis, Globe, and a few others 1. For many other ransomware variants, there are no decryption tools available.

The tool is also limited in that it only decrypts files that were already encrypted. It does not prevent future ransomware attacks or encryptions. Users still need to take precautions to avoid malware infections that could lead to ransomware.

Additionally, the tool needs to be updated constantly as new ransomware strains emerge. There is often a lag between when a new variant appears and when a decryptor is developed, leaving victims without recourse in the meantime 2.

So while the McAfee decryption tool can be very helpful for recovering files encrypted by some ransomware versions, it should not be viewed as a comprehensive solution. Preventing ransomware attacks in the first place remains imperative.

How to Use the McAfee Decryption Tool

Using the McAfee Decryption Tool to try to decrypt files encrypted by ransomware is a straightforward process. Here are the steps to follow:

  1. Download the latest version of the McAfee Decryption Tool from the official website.

  2. Install the tool on the infected Windows machine that has encrypted files. Be sure to close out any other applications before running the installer.

  3. Open the Decryption Tool and click the “Add File” button to browse your system and select an encrypted file to scan.

  4. The tool will analyze the file and attempt to determine what ransomware variant was used to encrypt it. This may take some time.

  5. If the variant is supported, the Decryption Tool will prompt you to select a location to save the decrypted files. Choose carefully, as originals may be overwritten.

  6. Click the “Decrypt” button to begin the automated decryption process. Let it run to completion.

  7. Verify that files were properly decrypted by opening them. If not, try another encrypted file.

Following these instructions carefully can potentially help recover files encrypted by supported ransomware variants. However, decryption is not guaranteed to be successful in all cases.

Tips for Avoiding Ransomware

The best defense against ransomware is prevention. Here are some best practices organizations and individuals can follow to avoid becoming victims:

  • Keep all software, including operating systems, updated and patched. According to CISA, ransomware often exploits vulnerabilities in outdated software.
  • Be wary of suspicious links and attachments, especially in emails. Attackers frequently use phishing emails to spread ransomware.
  • Back up data regularly and keep backups offline and secured. Backups allow you to restore data without paying the ransom.
  • Enable multi-factor authentication wherever possible. This provides an extra layer of protection for accounts.
  • Restrict user permissions to only what is required. Limiting access helps contain malware if it gets into your system.
  • Use security tools like antivirus and firewalls to help detect and block threats.

With vigilance and the proper security controls in place, organizations can significantly lower their risk of falling victim to a costly ransomware attack.

What to Do If Infected

If you discover that your system has been infected with ransomware, there are several important steps to take right away:

  1. Disconnect the infected device from any networks, including Wi-Fi, ethernet, VPNs, cloud storage services, etc. This helps prevent the ransomware from spreading.

  2. Disconnect any external storage devices like USB drives that may also be infected. Ransomware can easily spread via external media.

  3. Report the infection to your organization’s IT security team if applicable. They can help with the response and prevent other systems from being impacted.

  4. Do not pay the ransom. This rewards and enables cybercriminals while providing no guarantee you’ll get your data back.

  5. Determine the scope of the infection by checking for encrypted files and running security scans. Document what systems and data were impacted.

  6. Restore data from clean backups if available. Backups provide the best way to recover encrypted or deleted files after an attack.

  7. Consult decryption tools like the McAfee decryption tool to try recovering some files.

  8. Report the attack to law enforcement authorities who investigate cybercrime.

Taking quick, careful action is crucial for containing the damage from ransomware. Disconnecting systems, avoiding payment, restoring backups, and reporting the incident are key steps in the response process.


The McAfee Decryption Tool is an important resource in the fight against ransomware. By providing the ability to decrypt certain ransomware variants, it can save individuals and organizations substantial time, money, and frustration. However, the tool does have limitations – it cannot decrypt all strains of ransomware and does not eliminate the need for comprehensive security precautions. Ransomware will likely continue evolving, requiring constant vigilance and updating of decryption capabilities. If infected, act quickly but cautiously, using decryption tools when possible and consulting experts on handling ransom payment demands. There are no perfect solutions, but decryption tools like McAfee’s represent meaningful progress. With proper precautions and the aid of these tools, the impact of ransomware can be reduced. But constant innovation and improvement is still needed to fully counter the ransomware epidemic.