7ev3n is yet another ransomware about which I wrote some time ago (for Malwarebytes – you can read more here). It uses custom cryptography and I managed to decrypt several variants. In this thread you can find my decryptors (and all the updates about them).
WARNING: 7ev3n ransomware has many variants. Check your ransom note and compare with the examples given below, in order to find what is your variant. Then, download appropriate decryptor. In case of any problems, feel free to contact me.
A. For sample: 52517f419e78041f8e211428b8820dfb
This variant comes with NO ransom note.
In order to use this decryptor need to know the original path, where the file was stored when it got attacked by the 7ev3n ransomware. Example:
B. For sample: 08a53eb5d54c6829cf6ea29bd61ea161
In order to use this decryptor you need to copy your unique ID from the ransom note – FILES_BACK.txt
Ransom note example:
hello, If you have Standart locker interface (green window) on desktop for decryption follow the instructions. If you delete it, and want to decrypt your files you need decryptor, you can buy it by contact through email contact email : JessMalibu@protonmail.com reserve email : email@example.com your unique id : 73118178525283953643921210931031 6. If you want try to decrypt your files with software from anti-malware websites please make copies of this files once you understand that it's not working, you will still have clear copies of the files that be decrypted after payment
And paste it in the appropriate place in the GUI:
see it in action: https://www.youtube.com/watch?v=RNZvsEMBfJs
C. For samples: 7e6af09baf19bc03c4a3b9078546a7c1, 5cce8bbe88dd6e95b8a89dd78a6b082e
This variant requires knowing the original path AND the Unique ID.
Ransom note example (FILES_BACK.txt):
hello, if standart cryptolocker interface was blocked or deleted by Antivirus or Firewall and you want back your files, contact : firstname.lastname@example.org your unique id : 49b517551928275244272ca5da1f
see it in action: https://www.youtube.com/watch?v=RDNbH5HDO1E