Nuke Ransomware [Updated]

Also Known As: Nuke virus
Distribution: Low
Damage level: Severe

Nuke ransomware removal instructions

What is Nuke?

Newly-discovered ransomware-type malware, Nuke (also known as Nuclear #55) is designed to encrypt most stored data using RSA cryptography. During encryption, Nuke renames files using random characters and appends a ".0x5bm" or .nuclear55 extension. Example of encrypted filenames: "bafd0lln90azb8g22.0x5bm" and "WdEf+adbcmWaEedc.nuclear55". Once the data is encrypted, Nuke generates two ransom-demand files: "!!_RECOVERY_instructions_!!.html" and "!!_RECOVERY_instructions_!!.txt" and changes the desktop wallpaper.

The message informs victims of the encryption and states that compromised files can only be decrypted using a unique key stored on remote servers controlled by cyber criminals. Unfortunately, this information is accurate. Files are encrypted using asymmetric cryptography and, thus, two keys (public [encryption] and private [decryption]) are generated during the encryption process. Decryption without the private key is impossible and the victim is encouraged to pay to receive it. Unlike other ransomware-type viruses, Nuke provides no payment instructions, however, it does include an email address ( - users are encouraged to use this to contact cyber criminals. Victims can also attach one encrypted file. Cyber criminals decrypt the attached file and attach it to the reply containing payment instructions. It is also stated that the payment must be submitted within 96 hours, otherwise the private key is deleted permanently. The size of ransom is currently unknown, however, research shows that this usually fluctuates between .5 and 1.5 Bitcoin (at time of writing, 1 BTC was equivalent to ~$610). Be aware that cyber criminals commonly ignore victims, despite submitted payments. Therefore, paying often delivers no positive results - you will probably be scammed. Therefore, you should never attempt to contact these people or pay any ransom. There currently are no tools capable of restoring files encrypted by Nuke. You can only restore your data from a backup.

Screenshot of a message (wallpaper) encouraging users to contact the developers of Nuke ransomware ( to decrypt their compromised data:

nuclear55 ransomware updated wallpaper

All ransomware-type viruses are virtually identical. As with Nuke, malware such as Cerber, Princess, Locky, etc. also encrypts files and demands ransom payments. Most ransomware uses asymmetric encryption algorithms. Therefore, the only major difference between them is the size of ransom. Viruses such as Nuke are often distributed via unofficial download sources (for example, peer-to-peer networks, freeware download websites, etc.), malicious files attached to spam emails, trojans, and fake software updaters. Therefore, you should be very cautious when downloading files from third party sources, and when opening files received from suspicious/unrecognized email addresses. Using a legitimate anti-virus/anti-spyware suite and keeping your installed software up-to-date is also paramount. The key to computer safety is caution.

Screenshot of Nuke ransomware text file (!!_RECOVERY_instructions_!!.txt):

Nuke ransomware text file

Screenshot of Nuke ransomware HTML file (!!_RECOVERY_instructions_!!.html):

Nuke ransomware html file

Screenshot of an updated variant of !!_RECOVERY_instructions_!!.html file:

nuclear ransomware updated html ransom note

Screenshot of files encrypted by nuke (nuclear) ransomware (.nuclear55 extension):

nuclear ransomware .nuclear55 extension

Text presented in Nuke HTML and txt files ("!!_RECOVERY_instructions_!!.html" and "!!_RECOVERY_instructions_!!.txt"):

!! Your files and documents on this computer have been encrypted !!
** What has happened to my files? **
Your important files on your computer; photos, documents, and videos have been encrypted. Your files were encrypted using AES and RSA encryption.
** What does this mean? **
File encryption was produced using a unique 256-bit key generated specifically for this machine. Encryption is a way of securing data and requires a special key to decipher.
Unforunate for you, this special key was encrypted using an additional layer of encryption; RSA. Your files were encrypted using the public RSA key. To truly reverse the unfortunate state of your files, you need the private RSA key which is only known by us.
** What should I do next? **
For your information your private key is a paid product. If you really value your data we suggest you start acting fast because you only short amount of time to recover your files before they are gone forever.
There are no solutions to this problem, and no anti-virus software can reverse the process of file encryption because we have also erased recent versions of your files which means you cannot use file recovery software.
Modifying your files in any way can damage your files permenantly and we will no longer be able to help you. Follow our terms assigned to you below, and we will have your files recovered.
You now have 72 hours to make payment before we destroy your encryption keys, leaving your files damaged for good
How do I recovering my files?
Without Bitcoins your files can never be recovered. Follow the steps below:
[1] => Create a Bitcoin wallet
In order to use Bitcoin you will need to setup your own Bitcoin wallet. We recommend However, if you already own a Bitcoin wallet you can skip this step.
[2] => Purchase Bitcoins
There are a number of ways to purchase Bitcoins, whether you're paying by cash, credit/debit card, or direct from your bank account. A range of Bitcoin sellers make Bitcoins easy to obtain. Buy bitcoins with bank transfer, cash, and Moneygram (best option - worldwide) Buy bitcoins from local ATM machines Buy bitcoins with bank transfer or debit card (United Kingdom) Buy bitcoins with credit/debit card or bank transfer) Buy bitcoins in Europe Buy bitcoins in Europe with credit or debit card
[3] => Send bitcoins to our address
You should send 2 BTC to our Bitcoin address: 1NLLrung1MaXucHpAzY5KjdK4y8woodJWt
[4] => Contact us and receive encryption keys, and file recovery software
- Send an email with the subject 'PAYMENT' along with 1 encrypted file attached [these end in .nuclear55], to
- Wait for a response from us (up to 24-48 hours)
- Receive file decryption software to decrypt every encrypted file on the hard drive
- If you do not here from us after 3 days, register an account on and email us. Your mail provider may be blocking us
- We will not respond without proof of payment. If you waste our time, we will destroy your encryption key and waste the life of your files
Our service is not designed to harm his/her computer in any way, but to provide a full decryption service of the intended computer and allow the user to regain access to the specified files.

Nuke ransomware removal:

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Malwarebytes is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Malwarebytes By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.

Quick menu:

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Step 2

Log in to the account infected with the Nuke virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the Nuke ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Nuke ransomware files.

To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Nuke are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by CryptoDefense

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Nuke, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

shadow explorer screenshot

To protect your computer from file encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as Nuke ransomware.

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:

malwarebytes anti-ransomware

  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.

Other tools known to remove Nuke ransomware:

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
Nuke virus QR code
A QR code (Quick Response Code) is a machine-readable code which stores URLs and other information. This code can be read using a camera on a smartphone or a tablet. Scan this QR code to have an easy access removal guide of Nuke virus on your mobile device.
We Recommend:

Get rid of Windows malware infections today:

Download Malwarebytes

Platform: Windows

Editors' Rating for Malwarebytes:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.