Cyber security researchers have received multiple reports of Ndarod file virus infection. It is a new variant of ransomware that infects a computer and restricts user access to photos, documents and music by encrypting them until a ransom is paid to unlock (decrypt) them. This post will provide you with all the things you need to know about the ransomware virus, how to remove Ndarod file virus from your computer and how to recover (decrypt) encrypted documents, photos and music for free.
Once on the user’s computer, the Ndarod file virus recursively searches all folders for files and locks up each one it finds using a hybrid encryption mode, which leaves the files unusable. This ransomware virus is capable of encrypting various files like drawings, archives, video materials, photos, web application-related files, documents and databases, and its destructive effects can extend to backups as well. Ndarod virus locks up almost all files, including common ones such as:
.wpw, .wcf, .syncdb, .odc, .ppt, .pak, .x3f, .mddata, .hkx, .erf, .sid, .wbd, .upk, .xlsm, .webp, .wbk, .flv, .mdb, .xmind, .bsa, .rar, .py, .ff, .z3d, .pst, .pptx, .litemod, .crw, .1st, .xpm, .wmv, .x, .mov, .itdb, .xwp, .sav, .psk, .js, .xlsb, .cr2, .xml, .m3u, .dcr, .pef, .ntl, .vdf, .dbf, .bar, .xls, .ltx, .rtf, .hplg, .wire, .das, .lbf, .icxs, .nrw, .wb2, .x3d, .doc, .ncf, .kf, .kdb, .sidn, wallet, .wma, .dazip, .esm, .ztmp, .pem, .wps, .png, .bc6, .wmf, .xf, .r3d, .vtf, .7z, .wot, .xyp, .xyw, .xmmap, .xy3, .itm, .raf, .3fr, .3ds, .docm, .m2, .avi, .dba, .wdb, .hkdb, .wp7, .vpp_pc, .wdp, .arw, .jpeg, .qic, .zip, .jpg, .xdl, .snx, .t12, .p7c, .xar, .desc, .wpl, .mlx, .xx, .pdd, .epk, .asset, .blob, .wpg, .bay, .forge, .iwi, .wsh, .wbz, .xlsm, .gdb, .rim, .z, .wp5, .der, .wbm, .itl, .zip, .xll, .mrwref, .mdf, .srf, .gho, .big, .dng, .crt, .yal, .wpa, .rb, .pkpass, .vpk, .odp, .ai, .fos, .zabw, .lvl, .wotreplay, .vfs0, .psd, .xbplate, .rw2, .raw, .layout, .map, .0, .fpk, .menu, .wbc, .d3dbsp, .wpt, .arch00, .wsd, .xls, .ods, .eps, .xlk, .zw, .1, .zdc, .rofl, .m4a, .odm, .webdoc, .ws, .tax, .iwd, .bc7, .wri, .hvpl, .zif, .dmp, .ysp, .cfr, .zdb, .fsh, .sum, .accdb, .cas
Ndarod file virus encrypts users’ files using a complex encryption algorithm, overwrites most of the content of the original files with the encrypted data and adds the .ndarod extension to every encrypted file. The victim who sees the files with .ndarod extension understands that they are encrypted and will remain so until he pays the attackers the required amount of money for obtaining a special key that will recover the files. Usually, the creators of the Ndarod virus leave a ransom message called ‘_readme.txt’ to users who have infected their computer with this ransomware virus, indicating the required amount of ransom.
Threat Summary
Name | Ndarod file virus |
Type | Ransomware, Crypto malware, File locker, Filecoder, Crypto virus |
Encrypted files extension | .ndarod |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch, @datarestore (telegram) |
Ransom amount | $980 in Bitcoins |
Symptoms | When you try to open a file, you get an error message like ‘Windows can’t open this file’ or ‘How do you want to open this file’. A file named ‘_readme.txt’ or ‘_readme’ appears in each folder with at least one encrypted file. |
Distribution ways | Spam or phishing emails that are developed to get people to open an attachment or click on a link. Malicious downloads that happen without a user’s knowledge when they visit a compromised web site. Social media, like web-based instant messaging applications. Remote desktop protocol (RDP) hacking. |
Removal | Ndarod file virus removal guide |
Decryption | Ndarod decryption tool |
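As an added example (not part of the original guide or of any tool it names), the two indicators from the Threat Summary, the .ndarod extension and the _readme.txt note, can be used to inventory which folders were hit before you attempt removal or recovery. The function names and the sample folder layout are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".ndarod"                # extension from the Threat Summary
NOTE_NAMES = {"_readme.txt", "_readme"}  # ransom note names from the Threat Summary

def inventory(root):
    """Map each affected folder to its ransom-note flag and encrypted files."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if f.lower().endswith(ENCRYPTED_EXT))
        has_note = any(f.lower() in NOTE_NAMES for f in files)
        if encrypted or has_note:
            report[os.path.relpath(folder, root)] = {"note": has_note, "encrypted": encrypted}
    return report

def original_types(report):
    """Count original file types: the extension is appended, so strip it to see them."""
    counts = Counter()
    for entry in report.values():
        for name in entry["encrypted"]:
            original = Path(name[:-len(ENCRYPTED_EXT)])
            counts[original.suffix.lower() or "(no extension)"] += 1
    return counts

def needs_review(report):
    """Folders where the note and encrypted files do not appear together."""
    return sorted(f for f, e in report.items() if bool(e["encrypted"]) != e["note"])

def build_sample_tree(base):
    """Constructed sample data: empty files that only mimic the naming pattern."""
    layout = {
        "Documents": ["_readme.txt", "budget.xlsx.ndarod", "cv.docx.ndarod", "notes.txt"],
        "Pictures/2019": ["_readme.txt", "beach.JPG.NDAROD"],
        "Music": ["song.mp3"],             # untouched folder
        "Backup": ["archive.zip.ndarod"],  # encrypted file, but no note
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        for name in names:
            open(os.path.join(base, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = inventory(tmp)
        for folder, entry in sorted(found.items()):
            print(f"{folder}: note={entry['note']} encrypted={len(entry['encrypted'])}")
        print("original types:", dict(original_types(found)))
        print("check manually:", needs_review(found))
```

The script only reads file names, so it is safe to run against a real profile folder by passing its path to inventory().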
The few simple steps shown below are for those who are looking for a method to completely delete Ndarod virus from the system, and for those who want to learn as much as possible about how to restore files. We hope you will find answers to all your questions in this blog post.
Quick links
- How to remove Ndarod file virus
- How to decrypt .ndarod files
- Ndarod decryption tool
- How to restore .ndarod files
- How to protect your personal computer from Ndarod virus
How to remove Ndarod file virus
There are a few methods which can be used to delete Ndarod virus. However, not all ransomware such as this crypto malware can be completely deleted using only manual solutions. Most often you are not able to delete a ransomware virus using standard MS Windows options. In order to remove Ndarod file virus you need to use reliable removal utilities. Most IT security experts state that Zemana Anti-malware, Malwarebytes or KVRT utilities are the right choice. These free applications are able to search for and delete Ndarod crypto malware from your computer.
Run Zemana Anti-Malware to remove Ndarod virus
Zemana Free is a complete package of anti malware tools that can help you delete Ndarod file virus. Despite so many features, it does not reduce the performance of your computer. Zemana can delete almost all the forms of ransomware viruses as well as trojans, worms, adware software, browser hijackers, potentially unwanted apps and other malicious software. Zemana Anti Malware (ZAM) has real-time protection that can defeat most malware and crypto malware. You can use Zemana with any other anti-virus without any conflicts.
Visit the following page to download the latest version of Zemana Free for Microsoft Windows. Save it to your Desktop.
164032 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the downloading process is complete, close all apps and windows on your machine. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup as displayed in the following example.
When the installation begins, you will see the “Setup wizard” which will allow you to install Zemana Anti Malware on your PC.
Once installation is done, you will see a window similar to the one below.
Now click the “Scan” button to perform a system scan for the Ndarod virus, other malware, worms and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your machine. During the scan, Zemana will look for threats that exist on your machine.
Once finished, you will be shown the list of all found threats on your computer. Make sure to check mark the threats which are unsafe and then click “Next” button.
The Zemana Anti-Malware will delete Ndarod virus related files, folders and registry keys.
How to automatically remove Ndarod file virus with MalwareBytes Free
Manual Ndarod removal requires some computer skills. Some files and registry entries created by the ransomware may not be fully removed. We suggest that you run MalwareBytes, which can completely free your PC of the ransomware virus. Moreover, this free program will help you to uninstall malware, potentially unwanted software, adware and spyware that your personal computer may also be infected with.
MalwareBytes can be downloaded from the following link. Save it directly to your Windows Desktop.
326385 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When the download is done, close all software and windows on your PC system. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup as shown on the screen below.
When the install starts, you’ll see the “Setup wizard” which will help you install Malwarebytes on your system.
Once installation is done, you will see a window as displayed in the figure below.
Now click the “Scan Now” button. MalwareBytes Anti Malware utility will start scanning the whole personal computer to find Ndarod virus and other kinds of potential threats like malware and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your machine. While the utility is scanning, you can see how many objects and files have already been scanned.
After the scanning is complete, the results are displayed in the scan report. Once you’ve selected what you wish to remove from your personal computer click “Quarantine Selected” button.
The Malwarebytes will now delete Ndarod virus, other malware, worms and trojans. Once that process is finished, you may be prompted to reboot your machine.
The following video explains instructions on how to delete browser hijacker, adware software and other malicious software with MalwareBytes Anti Malware.
Remove Ndarod file virus with KVRT
KVRT is a free removal utility that can scan your PC for a wide range of security threats like the Ndarod virus, adware, potentially unwanted programs as well as other malicious software. It will perform a deep scan of your computer including hard drives and Windows registry. When a malware is found, it will help you to delete all found threats from your PC system with a simple click.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop from the link below.
129056 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is done, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you will see the Kaspersky virus removal tool screen as shown on the screen below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click the Start scan button. KVRT tool will start scanning the whole PC to find Ndarod virus and other known infections. A system scan can take anywhere from 5 to 30 minutes, depending on your computer.
When finished, Kaspersky virus removal tool will create a list of unwanted applications and ransomware as displayed below.
All found items will be marked. You can delete them all by simply clicking Continue to start the cleaning process.
How to decrypt .ndarod files
You can damage files encrypted by Ndarod file virus, or make them useless forever, if you try to find the special code key on your own, which is almost impossible in view of its cryptographic complexity. It is very important to understand the importance of constantly backing up important files to various media, like a USB stick, so that in case of damage to your machine by crypto malware you can always extract a copy of locked files.
Never pay the ransom! Some users, wishing to decrypt encrypted personal files, pay the ransom to cybercriminals. However, it is important to remember before doing so that you are interacting with unscrupulous and dishonest people, and the probability is high that, after you transfer the money, they will not provide you with a special code key and Ndarod decryption tool to unlock .ndarod files, or will increase the amount of ransom.
There is no single solution to this problem that is suitable for everyone. However, paying for the decryption key is not an obvious answer. If you pay for it, remember that no one gives you a guarantee that you will receive it. There is also a possibility that even the scammers themselves do not have this key. Most probably, they are just trying to defraud you and use you in order to get money. You should try the steps in this post. The tutorial will help you completely delete Ndarod virus and you will be able to unlock some of the encrypted data without paying any money. Given the fact that fighting crypto malware is incredibly difficult, we cannot promise you that you will defuse it. Nevertheless, it is still worth a try.
Ndarod decryption tool
With some variants of Ndarod virus, it is possible to decrypt encrypted files using free tools listed below.
Michael Gillespie (@) released the Ntuseg decryption tool named STOPDecrypter. It can decrypt .Ndarod files if they were locked with one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the Twitter post for more info.
STOPDecrypter is a program that can be used for Ndarod files decryption. One of the biggest advantages of using STOPDecrypter is that it is free and easy to use. Also, its ‘OFFLINE KEYs’ DB is constantly updated. Let’s see how to install STOPDecrypter and decrypt .Ndarod files using this free tool.
- Installing the STOPDecrypter is simple. First you will need to download STOPDecrypter on your Windows Desktop from the following link.
  download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
- After the downloading process is done, close all applications and windows on your machine. Open a file location. Right-click on the icon that’s named STOPDecrypter.zip.
- Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is finished, run STOPDecrypter. Select Directory and press Decrypt button.
If STOPDecrypter does not help you to decrypt .Ndarod files, in some cases, you have a chance to restore your files, which were encrypted by ransomware. This is possible due to the use of the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .ndarod files
In some cases, you can restore files encrypted by Ndarod file virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted personal files.
Run ShadowExplorer to recover .ndarod files
Windows has a feature named ‘Shadow Volume Copies’ that can help you to restore .ndarod files encrypted by the Ndarod virus. The method described below only recovers encrypted files to previous versions from the Shadow Volume Copies, using a free tool named ShadowExplorer.
Download ShadowExplorer from the link below. Save it directly to your Microsoft Windows Desktop.
438669 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the download is complete, open the directory in which you saved it. Right-click on ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown below.
Start the ShadowExplorer tool and then choose the disk (1) and the date (2) that you want to recover the shadow copy of file(s) encrypted by the Ndarod crypto virus like the one below.
Now navigate to the file or folder that you want to recover. When ready right-click on it and press ‘Export’ button as shown on the screen below.
Use PhotoRec to restore .ndarod files
Before a file is encrypted, the Ndarod file virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file recovery software such as PhotoRec.
Download PhotoRec on your Microsoft Windows Desktop by clicking on the following link.
After the downloading process is done, open the directory in which you saved it. Right-click on testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll show a screen as displayed in the following example.
Select a drive to recover as on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted files as displayed in the figure below.
Press the File Formats button and specify file types to restore. You can enable or disable the recovery of certain file types. When this is done, press the OK button.
Next, click Browse button to select where recovered photos, documents and music should be written, then press Search.
The count of restored files is updated in real time. All restored photos, documents and music are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the restore is done, press the Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see contents like those in the image below.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can sort your restored files by extension and/or date/time.
How to protect your personal computer from Ndarod virus?
Most antivirus software already has a built-in protection system against the crypto virus. Therefore, if your PC system does not have an antivirus program, make sure you install one. As an extra protection, use HitmanPro.Alert.
Run HitmanPro.Alert to protect your personal computer from Ndarod file virus
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Installing the HitmanPro Alert is simple. First you’ll need to download HitmanPro.Alert from the following link.
After downloading is done, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the utility is started, you’ll be shown a window where you can select a level of protection, like below.
Now click the Install button to activate the protection.