Tool for decrypting files encrypted by the SynoLocker ransomware
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information. Initial commit Aug 22, 2014 is a tool for decrypting files encrypted by the SynoLocker family of ransomware.

The tool works by first looking in a file for the magic string "THE_REAL_PWNED_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_1337" that is used by SynoLocker to identify files it has encrypted. Next, it will attempt to decrypt the file. During this process, it will also attempt to check that the encrypted file has not been corrupted. This is possible, because SynoLocker stores a HMAC of the encrypted data as part of the file. If all seems to have gone well, the tool will write the decrypted contents to a new file, with the name of the original file appended with ".dec". The tool will not remove or overwrite the original encrypted file.

More information here.


This tool will only work if the decryption key is already known. It will not bruteforce the decryption key and it will not break any encryption. The tool is only meant to be used, if the decryption key is already known. You should never pay online criminals. There is no guarantee it will help you in getting your files back. It will only encourages the criminals to continue their criminal activities.


This tool requires the pycrypto -package. It has been tested to work with Python 2.7.8 and pycrypto 2.6.1.


First, ensure you have Python 2.7.8 and pycrypto 2.6.1 installed. Then simply copy the -script to a directory of your choosing.


From the command line: <path to encrypted file> <path to private key file>


Apache License, Version 2.0