"nRansom" virus removal guide
What is "nRansom"?
nRansom is a ransomware-type virus that stealthily infiltrates computers and blocks access to the system. Today, this behavior is quite uncommon to ransomware-type viruses - most encrypt files. Furthermore, there are two variants of nRansom virus: the first discovered by MalwareHunterTeam; and, the second, by Karsten Hahn. After blocking access to the system, nRansom displays a lock screen with a ransom-demand message.
The message states that the system has been blocked and that victims must "pay a ransom" to regain access. Depending on the nRansom variant, the "ransom" demand varies. In all variants, however, the type of ransom is strange: cyber criminals demand nude pictures of victims. Other similar viruses simply demand money (these ransoms usually fluctuate between $500 and $1500). Private information (especially private photos) is often more valuable than these amounts of money. The first nRansom variant demands 10 nude pictures. The second, demands 20 pictures and, in addition, asks victims to "kill 10 innocent people" whilst filming the murders. Victims are asked to email these pictures and videos to cyber criminals via an email address provided. As usual, these cyber criminals cannot be trusted. Asking users to carry out murders in exchange for computer access is clearly absurd, however, we can safely assume that the actual purpose of this software is to trick victims into sending nude pictures. After receiving the data, cyber criminals will most likely attempt to blackmail victims (by demanding payment for non-disclosure of these photos) or sell them on the dark web. No matter what type of ransom is presented (money, personal data, etc.), never pay or attempt to contact cyber criminals. These people often ignore victims once payments are submitted. There is a high probability that paying will not deliver any positive result and you will be scammed.
Although nRansom does not encrypt files, it shares similarities with Wyvern, SharkMix, ZONEware, and dozens of other ransomware-type viruses. They are developed by different cyber criminals, and yet, all have an identical purpose: to make ransom demands in exchange for access to files and the system. Most ransomware-type viruses employ symmetric/asymmetric algorithms (e.g., AES, RSA, etc.) that generate unique decryption keys. Therefore, unless the malware is not fully developed (contains bugs/flaws), decrypting files without developers' interference is impossible. Ransomware-type viruses present a strong case for maintaining regular system/data backups.
How did potentially unwanted programs install on my computer?
How to avoid installation of potentially unwanted applications?
To prevent ransomware-type infections, be extremely cautious when browsing the Internet and especially when downloading/installing software. Keep installed applications up-to-date and use a legitimate anti-virus/anti-spyware suite. Bear in mind, however, that criminals proliferate malware via fake updaters. Therefore, using third party update tools is very risky. In addition, download your software from trusted sources only and use a direct download URL, rather than third party downloaders. As with fake updaters, third party download tools might also include malicious programs. They should never be used. Never open files received from suspicious email addresses. In fact, these email messages should be deleted without reading. The main reasons for computer infections are careless behavior and lack of knowledge. The key to computer safety is caution.
Text presented within first variant of nRansom malware:
Your computer has been locked. You can only unlock it with the special unlock code. go to protonmail.com and create an account. Send as email to email@example.com We will not respond immediately. After we reply, you must send at least 10 nude pictures of you. After that we will have to verify that the nudes belong to you. Once you are verified, we will give you unlock code and sell your nudes on the deep web.
Screenshot of second nRansom variant:
Text presented within second variant of nRansom malware:
Your computer has been locked and your files will be encrypted if you do not follow the instructions to get the code to unlock the machine. There is only one way to receive the unlock code. You must go to www.mail.india.com and create an account. Send an email to firstname.lastname@example.org We will not reply immediately. When we reply. Send at least 20 nude pictures of you. After that, I want you to record a video of you murdering 10 innocent people. Send that to me. Once we verify you, we will give you your numerical unlock code. IF YOU DO NOT UNLOCK THE MACHINE IN 5 HOURS WE WILL ENCRYPT YOUR FILES AND THEY WILL BE UNLOCKABLE FOREVER. THE VERIFICATION WILL ONLY WORK IF YOU OPEN BOOBS AND VAGENE !!!
- What is "nRansom"?
- STEP 1. "nRansom" virus removal using safe mode with networking.
- STEP 2. "nRansom" virus removal using System Restore.
"nRansom" virus removal:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer starting process press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Go to the Windows 8 Start Screen, type Advanced, in the search results select Settings. Click on Advanced Startup options, in the opened "General PC Settings" window select Advanced Startup. Click on the "Restart now" button. Your computer will now restart into "Advanced Startup options menu". Click on the "Troubleshoot" button, then click on "Advanced options" button. In the advanced option screen click on "Startup settings". Click on the "Restart" button. Your PC will restart into the Startup Settings screen. Press "5" to boot in Safe Mode with Networking Prompt.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.
Video showing how to start Windows 10 in "Safe Mode with Networking":
Log in to the account infected with the "nRansom" virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
Download remover for nRansom virus
1) Download and install 2) Run system scan 3) Enjoy your clean computer!
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.
Video showing how to remove viruses using "Safe Mode with Command Prompt" and "System Restore":
1. During your computer starting process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt Mode loads, enter the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window, click "Next".
5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the "nRansom" virus infiltrating your PC).
6. In the opened window, click "Yes".
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remnants of the "nRansom" virus.
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some viruses disable Safe Mode making it's removal complicated. For this step, you require access to another computer. After removing "nRansom" virus from your PC, restart your computer and scan it with legitimate anti-spyware software to remove any possible remnants of this security infection.
Other tools known to remove this scam: