A new ransomware called Apocalypse was released that encrypts your data and then appends the .encrypted extension to each file. It then requires you to email decryptionservice@mail.ru in order to get instructions on how to pay the ransom. Thankfully, for those who have been affected by Apocalypse, Fabian Wosar of Emsisoft has released a free decryptor that recovers your files.

How to Decrypt Apocalypse Ransomware .ENCRYPTED Files

As Apocalypse shows a lock screen when in normal mode, you will need to reboot your computer into Safe Mode with Networking. Once you are in safe mode, we will need to disable the ransomware from starting by running the MSConfig program and unchecking the entry labeled Windows Update Svc.

Now you can download decrypt_apocalypse.exe from the following link and save it on your desktop:

Apocalypse Decryptor

Once downloaded, double-click on decrypt_apocalypse.exe, allow the program to run, and agree to the license agreement. You will now see the main decryptor screen with the C: drive set to be decrypted.

The Apocalypse Decryptor

If there are other drives or folders, please add them using the Add Folder button. When ready, click on the Decrypt button to decrypt all of the encrypted files and display the decryption status in a results screen like the one below.

Files Decrypted

When the program is finished, all of your files should now be decrypted.

For those who wish to discuss this ransomware or need support using this decryptor, you can ask in our Apocalypse Support Topic: 

How Apocalypse Ransomware encrypts your Files

When Apocalypse is installed, it will store itself in C:\Program Files (x86)\windowsupdate.exe and create an autorun entry called Windows Update Svc that starts the program when a user logs into Windows. When the program starts, it will encrypt every file except those located in the Windows folder and those that have one of the following extensions:

.dat, .bat, .bin, .encrypted, .ini, .tmp, .lnk, .com, .msi, .sys, .dll, .exe

When the ransomware encrypts a file it will append the .encrypted extension to the file name and generate a new ransom note using the template [filename].How_To_Decrypt.txt. This means that if a file called test.jpg is encrypted, the ransomware will create a test.jpg.encrypted file and a test.jpg.How_To_Decrypt.txt ransom note.
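The two rules above (the skipped locations and extensions, and the [filename].encrypted / [filename].How_To_Decrypt.txt naming pair) are enough to write a small triage script for an affected machine: it inventories which files carry the .encrypted extension, checks that each one has its matching ransom note beside it, and can tell you in advance whether a given path falls inside the ransomware's documented targeting rule. The script below is an added example and is not code from the article or from Emsisoft's decryptor; the case-insensitive comparisons and the constructed sample tree it scans are assumptions, not observed behaviour.

```python
"""Triage helper for the Apocalypse file artifacts described in the article.

Added example: inventories *.encrypted files, pairs each with its expected
[filename].How_To_Decrypt.txt note, and applies the documented targeting rule.
"""
import os
import tempfile
from pathlib import Path, PureWindowsPath

ENCRYPTED_EXT = ".encrypted"
NOTE_SUFFIX = ".How_To_Decrypt.txt"
# Extensions the article lists as skipped by the ransomware.
SKIPPED_EXTS = {".dat", ".bat", ".bin", ".encrypted", ".ini", ".tmp",
                ".lnk", ".com", ".msi", ".sys", ".dll", ".exe"}


def would_be_targeted(path, windows_dir="C:\\Windows"):
    """Targeting rule from the article: any file outside the Windows folder
    whose extension is not on the skip list.  Case-insensitive matching is an
    assumption (Windows file systems are case-insensitive)."""
    p = PureWindowsPath(path)
    w = PureWindowsPath(windows_dir)
    head = [part.lower() for part in p.parts[:len(w.parts)]]
    if head == [part.lower() for part in w.parts]:
        return False  # inside the Windows folder, left alone
    return p.suffix.lower() not in SKIPPED_EXTS


def original_name(encrypted_name):
    """test.jpg.encrypted -> test.jpg (the name the decryptor restores)."""
    if not encrypted_name.lower().endswith(ENCRYPTED_EXT):
        raise ValueError(f"not an Apocalypse-encrypted name: {encrypted_name}")
    return encrypted_name[:-len(ENCRYPTED_EXT)]


def scan_tree(root):
    """Walk `root` and report encrypted files, those with/without a matching
    ransom note, and notes that have no encrypted file beside them.
    Paths are returned relative to `root` in POSIX form so output is stable."""
    root = Path(root)
    encrypted, notes = [], set()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if name.lower().endswith(NOTE_SUFFIX.lower()):
                notes.add(rel)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(rel)
    paired, unpaired, used_notes = [], [], set()
    for enc in encrypted:
        # The note sits next to the encrypted file, named after the original.
        expected_note = original_name(enc) + NOTE_SUFFIX
        if expected_note in notes:
            paired.append(enc)
            used_notes.add(expected_note)
        else:
            unpaired.append(enc)
    return {
        "encrypted": sorted(encrypted),
        "paired": sorted(paired),
        "unpaired": sorted(unpaired),
        "stray_notes": sorted(notes - used_notes),
    }


def demo():
    """Build a constructed sample tree (not real victim data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        for rel in ("docs/test.jpg.encrypted",            # encrypted, with note
                    "docs/test.jpg.How_To_Decrypt.txt",
                    "docs/report.docx.encrypted",         # encrypted, note missing
                    "notes.txt", "setup.exe"):            # untouched files
            (root / rel).write_text("constructed sample content")
        return scan_tree(root)


if __name__ == "__main__":
    for key, items in demo().items():
        print(f"{key}: {items}")
    print("photo.jpg targeted:", would_be_targeted("C:\\Users\\me\\photo.jpg"))
    print("notepad.exe targeted:",
          would_be_targeted("C:\\Windows\\System32\\notepad.exe"))
```

Run it against the root of each drive you plan to feed to the decryptor; an encrypted file without its note, or a stray note without an encrypted file, is worth a closer look before you start, and the targeted-path check lets you confirm that a file the ransomware should have skipped (for example one under C:\Windows) really was skipped.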

When the ransomware has finished encrypting your files, it will display a lock screen that prevents you from accessing your Windows desktop. You can bypass this lock screen by rebooting into Safe Mode With Networking. The lock screen and ransom notes contain the following message:

IF YOU ARE READING THIS MESSAGE, ALL THE FILES IN THIS COMPUTER HAVE BEEN CRYPTED!!
documents, pictures, videos, audio, backups, etc
IF YOU WANT TO RECOVER YOUR DATA, CONTACT THE EMAIL BELOW.
EMAIL: decryptionservice@mail.ru
WE WILL PROVIDE DECRYPTION SOFTWARE TO RECOVER YOUR FILES.
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
IF YOU DONT CONTACT BEFORE 72 HOURS, ALL DATA WILL BE LOST FOREVER
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


Files associated with the Apocalypse Ransomware

C:\Program Files (x86)\windowsupdate.exe

Registry entries associated with the Apocalypse Ransomware

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update Svc	C:\Program Files (x86)\windowsupdate.exe