Hit by ransomware?

We're here to fix that.

Use our free ransomware decryption tools to unlock your files without paying the ransom

Please note that these free tools are provided as-is and without warranty of any kind. The tools may only work with specific ransomware versions, and may not work with versions that were released after a tool was created. Technical support for the tools is available only to customers using a paid Emsisoft product.

[Nov, 29, 2016] - Version:

NMoreira decryptor

NMoreira, also known as XRatTeam or XPan, is a file encrypting ransomware. It uses a mix of RSA and AES-256 to encrypt your files. Encrypted files have either the extension *.maktub or *.__AiraCropEncrypted!. In addition, the ransomware will create one of the following ransom notes.

Portugese version used by the *.maktub variant using the file name "Recupere seus arquivos. Leia-me!.txt":

Olá, seus arquivos foram criptografados.

A única forma de tê-los de volta, é atraves de um software juntamente com sua chave privada.

Caso haja interesse em recuperar seus arquivos, entre em contato pelo seguinte email: [email protected]

No campo do email, me envie sua chave pública que está logo abaixo.

Te responderei o mais rápido possível e lhe darei a garantia de recuperação dos arquivos.


Chave pública: CC638AF6DE4D9B9998E74D00252862E512277575BA644D28D9320952F2C2193A

English version used by the *.__AiraCropEncrypted! variant using the file name "How to decrypt your files.txt":

Encrypted Files!

All your files are encrypted. Using encryption AES256-bit and RSA-2048-bit.
Making it impossible to recover the files without the correct private key.
If you are interested in getting is key, and retrieve your files

For information on how to reverse the file encryption
send email to:
[email protected]
enter your KEY in the subject or email body.

Remember your email is not answered within 24 hours,
visit one of the link below to get a new mail contact

Alternative link:


To access the alternate link is mandatory to use the TOR browser available on the link


Keep in mind that due to the complexity of the used encryption scheme, decrypting files can be very time-consuming. In addition, due to the fact that the ransomware doesn't leave anything behind, that would allow verification that the file was decrypted properly, the decrypter tries to guess whether or not the file has been decrypted properly. This guessing process can be prone to error and may not work correctly. It also means, that if the decrypter does not know the file format, it will also be unable to decrypt it reliably. At the moment the decrypter supports over 3000 different binary file formats, but especially text-based formats, that lack a unique identifier in the first 16 bytes of the file, will not be recognised.