Which ransomware encrypted your files?
Paste the strange file extension, the ransom note, or drop one encrypted sample. We match it against known ransomware families, tell you whether a free decryptor exists, and what to do next — all in your browser. Nothing is uploaded.
- Runs entirely in your browser
- Nothing is uploaded — no trackers
- Matched against a local family database
First response — do this now
A calm playbook for the first hour
- Disconnect the device from the network (Wi-Fi and cable) to stop it spreading.
- Leave it powered on but isolated — do not reboot.
- Keep the ransom note and a few encrypted samples for analysis.
- Photograph the ransom screen and note any deadlines.
- Check whether clean, offline backups exist.
- Don't pay before talking to a specialist — it rarely guarantees recovery and may be illegal for sanctioned groups.
- Don't reinstall the OS or wipe disks — that destroys evidence and recovery options.
- Don't run random "decryptors" from forums — many are scams or malware.
- Don't connect backups to the infected machine.
- Ransom note(s) and the on-screen message.
- A handful of encrypted files (and originals, if you have any).
- Relevant logs, suspicious emails and timestamps.
- This helps forensics, insurance and law-enforcement reports.
PWN-ALL ChainBreak — 24/7 ransomware incident response
Containment, decryption research and forensic recovery in four phases. A specialist picks up, not a ticket queue.
Isolate, scope the blast radius, stop the spread.
Identify the strain, entry vector and persistence.
Decryption research, backup and data recovery.
Forensics for insurance and law enforcement.
How it works
A ransomware identifier that never sees your data
Tools like ID-Ransomware require you to upload the ransom note and an encrypted file to a server. This one matches the same signals — entirely on your device — against a local database of families.
- Upload the ransom note to a third-party server.
- Upload an encrypted sample of your data.
- Your incident details leave your network.
- Match extension, note filename and text patterns locally.
- Compare known file markers against a local database.
- Get the family, decryptor outlook and a calm playbook.
FAQ
Common questions
Is my data uploaded?
No. The note text and any file you add are processed in your browser and never sent anywhere. There are no trackers.
How reliable is the match?
Identification is based on publicly known indicators — extension, note filename, text patterns and file markers. It may be wrong or incomplete, especially for new or generic variants. Always confirm on No More Ransom or with a specialist before acting.
Will I be able to decrypt for free?
Sometimes. Some families have free decryptors; many do not. The outlook here reflects what is publicly known and can change over time — always verify on No More Ransom.
Should I pay?
Talk to a specialist first. Paying rarely guarantees recovery and may be illegal if the group is sanctioned. Our ChainBreak team can advise.
What does the actor profile mean?
It reads how the attacker asks you to make contact. A Tor negotiation or leak portal points to a big-game, double-extortion group: assume data was stolen and treat it as a breach. Contact only by email, Tox or Jabber points to a commodity family (Phobos, Dharma, STOP, Mallox); these families often break in via weak remote-desktop logins and are more likely to have a free decryptor.
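The contact-channel heuristic from this answer, sketched as an added example that is not this tool's own code. The regexes, the `profileContact` name, the profile labels and the sample notes are assumptions constructed for illustration.

```javascript
// Added example: contact-channel triage of a ransom note, run locally.
// Patterns and labels are illustrative assumptions, not the tool's own rules.
const CHANNELS = {
  // Tor v2 (16 chars) or v3 (56 chars) onion hostnames use the base32 alphabet.
  tor: /\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b|\btor browser\b/i,
  email: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/,
  // A Tox ID is 76 hexadecimal characters.
  tox: /\b[0-9a-f]{76}\b/i,
  jabber: /\b(?:jabber|xmpp)\b/i,
};

function profileContact(noteText) {
  // Record every channel the note mentions, in a fixed order.
  const channels = Object.keys(CHANNELS).filter((name) => CHANNELS[name].test(noteText));
  let profile = 'unknown';
  if (channels.includes('tor')) {
    // Any Tor contact outranks the rest: assume data theft, treat as a breach.
    profile = 'double-extortion';
  } else if (channels.length > 0) {
    // Email, Tox or Jabber only: commodity-family pattern.
    profile = 'commodity';
  }
  return { channels, profile };
}

// Constructed sample notes (not taken from real incidents).
const SAMPLE_TOR_NOTE = `Your network is locked. Install Tor Browser and open
http://${'example'.repeat(8)}.onion/chat to negotiate. Backup mail: help@example.com`;
const SAMPLE_MAIL_NOTE = `All your files are encrypted! Write to restore@example.com
or Tox: ${'A1'.repeat(38)}`;

console.log(profileContact(SAMPLE_TOR_NOTE));
console.log(profileContact(SAMPLE_MAIL_NOTE));
```

A profile of `unknown` means only that no contact channel was recognised; it says nothing about whether data was stolen.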
Identification is based on publicly known indicators and may be incomplete, especially for new or generic variants. Decryptor availability changes over time — verify on No More Ransom and consult a qualified incident-response professional before taking action.