Switch branches/tags
Nothing to show
Find file History


#Decoder for 7even-HONE$T ransomware

  • recovers original file name
  • recovers content of R4A files
  • if possible, recovers content of R5A files (needs additional parameters that are described further)

How to use (examples):

For R4A:
in this case you can easily get your full file back:

./seven_decoder.py --file 7ev3n/data/1.R4A 
[+] Original name: annotated.html
[+] Decoded to: 7ev3n/data/annotated.html

For R5A:

Depending on the variant that attacked you, you must prepare additional parameters (A or B):

  • A. Path to the directory where the file was located during encryption
  • B. Unique ID, given in your ransom note

Example for the variant A:

./seven_decoder1.py --file 7.R5A --path 'C:\Users\tester\Pictures'
[+] Original name: sam.jpg
[+] Using R5A key length: 268
[+] Decoded to: sam.jpg

Example for the variant B:

./seven_decoder2.py --file A0.R5A --unique_id 311868324126211989212411351151112524
[+] Original name: MyFile.pdf
[+] Using R5A key length: 151
[+] Decoded to: MyFile.pdf

Example for the variant C:

/data/code/malware_analysis/7ev3n/seven_decoder3.py --file A1.R5A --path "C:\lock_me_bmp" --unique_id 49b517551928275244272ca5da1f 
[+] Original name: square1.bmp
[+] Using R5A key length: 268
[+] Unique ID: 49b517551928275244272ca5da1f
[+] Decoded to: square1.bmp