Nuke ransomware removal instructions
What is Nuke?
Newly-discovered ransomware-type malware, Nuke (also known as Nuclear #55) is designed to encrypt most stored data using RSA cryptography. During encryption, Nuke renames files using random characters and appends a ".0x5bm" or .nuclear55 extension. Example of encrypted filenames: "bafd0lln90azb8g22.0x5bm" and "WdEf+adbcmWaEedc.nuclear55". Once the data is encrypted, Nuke generates two ransom-demand files: "!!_RECOVERY_instructions_!!.html" and "!!_RECOVERY_instructions_!!.txt" and changes the desktop wallpaper.
The message informs victims of the encryption and states that compromised files can only be decrypted using a unique key stored on remote servers controlled by cyber criminals. Unfortunately, this information is accurate. Files are encrypted using asymmetric cryptography and, thus, two keys (public [encryption] and private [decryption]) are generated during the encryption process. Decryption without the private key is impossible and the victim is encouraged to pay to receive it. Unlike other ransomware-type viruses, Nuke provides no payment instructions, however, it does include an email address (firstname.lastname@example.org) - users are encouraged to use this to contact cyber criminals. Victims can also attach one encrypted file. Cyber criminals decrypt the attached file and attach it to the reply containing payment instructions. It is also stated that the payment must be submitted within 96 hours, otherwise the private key is deleted permanently. The size of ransom is currently unknown, however, research shows that this usually fluctuates between .5 and 1.5 Bitcoin (at time of writing, 1 BTC was equivalent to ~$610). Be aware that cyber criminals commonly ignore victims, despite submitted payments. Therefore, paying often delivers no positive results - you will probably be scammed. Therefore, you should never attempt to contact these people or pay any ransom. There currently are no tools capable of restoring files encrypted by Nuke. You can only restore your data from a backup.
Screenshot of a message (wallpaper) encouraging users to contact the developers of Nuke ransomware (email@example.com) to decrypt their compromised data:
All ransomware-type viruses are virtually identical. As with Nuke, malware such as Cerber, Princess, Locky, etc. also encrypts files and demands ransom payments. Most ransomware uses asymmetric encryption algorithms. Therefore, the only major difference between them is the size of ransom. Viruses such as Nuke are often distributed via unofficial download sources (for example, peer-to-peer networks, freeware download websites, etc.), malicious files attached to spam emails, trojans, and fake software updaters. Therefore, you should be very cautious when downloading files from third party sources, and when opening files received from suspicious/unrecognized email addresses. Using a legitimate anti-virus/anti-spyware suite and keeping your installed software up-to-date is also paramount. The key to computer safety is caution.
Screenshot of Nuke ransomware text file (!!_RECOVERY_instructions_!!.txt):
Screenshot of Nuke ransomware HTML file (!!_RECOVERY_instructions_!!.html):
Screenshot of an updated variant of !!_RECOVERY_instructions_!!.html file:
Screenshot of files encrypted by nuke (nuclear) ransomware (.nuclear55 extension):
Text presented in Nuke HTML and txt files ("!!_RECOVERY_instructions_!!.html" and "!!_RECOVERY_instructions_!!.txt"):
!! Your files and documents on this computer have been encrypted !!
** What has happened to my files? **
Your important files on your computer; photos, documents, and videos have been encrypted. Your files were encrypted using AES and RSA encryption.
** What does this mean? **
File encryption was produced using a unique 256-bit key generated specifically for this machine. Encryption is a way of securing data and requires a special key to decipher.
Unforunate for you, this special key was encrypted using an additional layer of encryption; RSA. Your files were encrypted using the public RSA key. To truly reverse the unfortunate state of your files, you need the private RSA key which is only known by us.
** What should I do next? **
For your information your private key is a paid product. If you really value your data we suggest you start acting fast because you only short amount of time to recover your files before they are gone forever.
There are no solutions to this problem, and no anti-virus software can reverse the process of file encryption because we have also erased recent versions of your files which means you cannot use file recovery software.
Modifying your files in any way can damage your files permenantly and we will no longer be able to help you. Follow our terms assigned to you below, and we will have your files recovered.
You now have 72 hours to make payment before we destroy your encryption keys, leaving your files damaged for good
How do I recovering my files?
Without Bitcoins your files can never be recovered. Follow the steps below:
 => Create a Bitcoin wallet
In order to use Bitcoin you will need to setup your own Bitcoin wallet. We recommend blockchain.info. However, if you already own a Bitcoin wallet you can skip this step.
 => Purchase Bitcoins
There are a number of ways to purchase Bitcoins, whether you're paying by cash, credit/debit card, or direct from your bank account. A range of Bitcoin sellers make Bitcoins easy to obtain.
https://localbitcoins.com Buy bitcoins with bank transfer, cash, and Moneygram (best option - worldwide)
https://coinatmradar.com Buy bitcoins from local ATM machines
https://bittylicious.com Buy bitcoins with bank transfer or debit card (United Kingdom)
https://cex.io Buy bitcoins with credit/debit card or bank transfer)
https://btcdirect.eu Buy bitcoins in Europe
https://coincorner.com Buy bitcoins in Europe with credit or debit card
 => Send bitcoins to our address
You should send 2 BTC to our Bitcoin address: 1NLLrung1MaXucHpAzY5KjdK4y8woodJWt
 => Contact us and receive encryption keys, and file recovery software
- Send an email with the subject 'PAYMENT' along with 1 encrypted file attached [these end in .nuclear55], to firstname.lastname@example.org
- Wait for a response from us (up to 24-48 hours)
- Receive file decryption software to decrypt every encrypted file on the hard drive
- If you do not here from us after 3 days, register an account on mail.india.com and email us. Your mail provider may be blocking us
- We will not respond without proof of payment. If you waste our time, we will destroy your encryption key and waste the life of your files
Our service is not designed to harm his/her computer in any way, but to provide a full decryption service of the intended computer and allow the user to regain access to the specified files.
Nuke ransomware removal:
Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Malwarebytes is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
- What is Nuke?
- STEP 1. Nuke virus removal using safe mode with networking.
- STEP 2. Nuke ransomware removal using System Restore.
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Log in to the account infected with the Nuke virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.
Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":
1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window, click "Next".
5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the Nuke ransomware virus infiltrating your PC).
6. In the opened window, click "Yes".
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Nuke ransomware files.
To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Nuke are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.
To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.
To protect your computer from file encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as Nuke ransomware.
HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user intervention:
Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:
- The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.
Other tools known to remove Nuke ransomware: