Ransomware Research

Decr1pt Ransomware

Decr1pt is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on July 1, 2020, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Decr1pt, TinyCryptor, Anti-Russian, CorpVPM, OldGremlin.

Quick Facts

Ransomware Family: Decr1pt
First Seen: July 1, 2020
Known Aliases: Decr1pt, TinyCryptor, Anti-Russian, CorpVPM, OldGremlin

How Decr1pt Ransomware Works

Targeted Files

Chain: LNK -> DOCX -> POWERSHELL e9b2d76f4a15a41b190fe444c3ef60bc2c320fa53ad1dd224e22ab06702ce86c -> POWERSHELL

Ransom Note and Payment Demands

After encrypting files, Decr1pt displays ransom notes demanding payment for file recovery:

File name pattern: /^README_[a-z0-9]{12}\.txt$/

Ransom message:

notes/README_ma3byib38w8s.txt

Note locations:

Desktop, RootDiscs, Temp

Technical Indicators

Associated Executable Files

The following executable files are associated with Decr1pt ransomware:

  • N-388-30.06.2020.docx.lnk
  • AKT-FinAuditService.docx.lnk
  • АктСверки.zip
  • Запрос.zip

About This Analysis

This Decr1pt ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Decr1pt.

Last updated: July 30, 2025
