Security specialists discovered a new variant of ransomware which named ‘Novasof file virus‘. It appends the .novasof file extension to encrypted file names. Here’s everything you need to know about this ransomware, how to remove ‘Novasof virus’ and how to restore (decrypt) encrypted personal files for free.
Files encrypted by Novasof ransomware virus
Novasof ransomware was made by scammers to lock various files on the user’s PC, using very strong hybrid encryption with a large key, that makes it impossible for the user to independently unlock the locked files that have received .novasof extension. Novasof can encrypt almost all types of files, including common as:
.iwi, .xlsm, .icxs, .sql, .mdb, .zi, .vpk, .layout, .dng, .xlgc, .pfx, .3dm, .sr2, wallet, .xlsx, .crw, .wbz, .ai, .wotreplay, .webdoc, .lvl, .webp, .ncf, .das, .pptx, .w3x, .odc, .yal, .t12, .sum, .apk, .docx, .syncdb, .xml, .xyp, .xlk, .odm, .xdb, .xlsb, .xlsm, .wp4, .wire, .zabw, .rw2, .vdf, .jpg, .qic, .odb, .x, .jpe, .zdc, .bik, .sidd, .bay, .xls, .mlx, .wp7, .lrf, .cr2, .xdl, .wsc, .sid, .pptm, .hplg, .wb2, .bsa, .kdb, .x3d, .wri, .zif, .sis, .png, .tax, .odp, .1, .mov, .wdp, .arw, .py, .ltx, .wp, .wgz, .mp4, .js, .qdf, .wn, .rgss3a, .xmmap, .2bp, .raf, .menu, .cfr, .arch00, .css, .pef, .yml, .dcr, .psk, .rofl, .sb, .7z, .p7b, .forge, .ff, .gho, .wm, .sav, .wpt, .t13, .vfs0, .epk, .p12, .cas, .mef, .hkx, .p7c, .fos, .zip, .wpl, .x3f, .pem, .xy3, .hvpl, .cdr, .fpk, .3ds, .xwp, .eps, .pak, .cer, .pdd, .ws, .wpe, .xbplate, .zdb, .dxg, .svg, .ppt, .m3u, .dba, .lbf, .wma, .rim, .z, .ybk, .vtf, .doc, .xpm, .rtf, .big, .crt, .blob, .accdb, .erf, .mpqge, .dbf, .y, .wbm, .ibank, .xls, .wbd, .xll, .vpp_pc, .kf, .rwl, .xx, .litemod, .upk, .wp5, .xar, .gdb, .bc6, .wpd, .jpeg, .docm, .raw, .wmv, .xyw, .xmind, .txt, .zw, .mdbackup, .wav, .kdc, .orf, .vcf, .mdf, .ysp, .der, .xbdoc, .m2, .wot, .wps, .z3d, .bkf, .rar, .csv, .mrwref, .dazip, .tor, .r3d, .ztmp, .desc, .d3dbsp, .wma, .wpa, .hkdb, .itl, .pst, .wpb, .indd, .ntl, .bkp, .xlsx, .dmp, .map, .iwd, .mcmeta, .wmv, .3fr, .wps, .xld, .wbmp, .wsh, .sidn, .wbk, .wbc, .wdb, .sie, .zip, .wmd, .snx, .srw, .xf, .wpd, .rb, .mddata, .nrw, .esm, .bc7, .ods, .wpw, .srf, .1st
Once on the PC, the Novasof virus completely encrypts the files so that the victim can not open them. In this case, the only option to restore the files is to pay a ransom to scammers who are Novasof developers and offer a key to decrypt all affected files. The developers of crypto virus have done everything possible to be sure that the user will immediately determine what exactly is affected with its crypto malware, as the locked files will have the .novasof extension. Also, online criminals leave a ransom note called ‘_readme.txt’ indicating the amount of money which user need to make to decrypt the files.
Novasof virus – ransom note
Threat Summary
| Name | Novasof |
| Type | Ransomware, File locker, Crypto virus, Filecoder, Crypto malware |
| Encrypted files extension | .novasof |
| Ransom note | _readme.txt |
| Contact | @datarestore (telegram), gorentos@bitmessage.ch |
| Ransom amount | $980/$490 in Bitcoins |
| Symptoms | Encrypted personal files. All of your photos, documents and music have a different file extension appended to the filenames. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. You have received instructions for paying the ransom. |
| Distribution methods | Malicious e-mail spam. Drive-by downloads (crypto virus is able to infect the system simply by visiting a webpage that is running malicious code). Social media posts (they can be used to force users to download malicious software with a built-in ransomware downloader or click a malicious link). Malvertising campaigns. |
| Removal | To remove Novasof ransomware use the removal guide |
| Decryption | To decrypt Novasof ransomware use the steps |
After reading this post, you will know how to deal with the Novasof ransomware virus. It is important for you to remember that we also cannot guarantee you an absolute solution to all your Novasof ransomware virus problems. We can offer you a method that might help. Nevertheless, this method is worth your attention because there is still a possibility that it will allow you remove Novasof virus and recover files that have been locked with crypto virus.
Quick links
- How to remove Novasof file virus
- How to decrypt .novasof files
- Novasof decryption tool
- How to restore .novasof files
- How to protect your computer from Novasof crypto virus?
- Finish words
How to remove Novasof file virus
The following instructions will help you to delete Novasof file virus and other malware. Before doing it, you need to know that starting to uninstall the ransomware virus, you may block the ability to decrypt photos, documents and music by paying makers of the crypto malware requested ransom. Zemana Anti-malware, Kaspersky virus removal tool and Malwarebytes Anti-malware can detect different types of active ransomware viruses and easily uninstall it from your PC, but they can not recover encrypted documents, photos and music.
Run Zemana AntiMalware (ZAM) to remove Novasof ransomware
Thinking about remove Novasof crypto virus from your computer? Then pay attention to Zemana Anti Malware. This is a well-known utility, originally created just to look for and delete malicious software, trojans and worms. But by now it has seriously changed and can not only rid you of malicious software, but also protect your system from crypto malware, malware and worms, as well as find and remove common viruses and trojans.
Click the following link to download Zemana AntiMalware (ZAM). Save it on your Desktop.
164032 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once the download is done, close all apps and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup as shown in the figure below.
When the setup starts, you will see the “Setup wizard” which will help you install Zemana on your machine.
Once install is done, you will see window as displayed in the figure below.
Now press the “Scan” button to look for Novasof crypto malware, other malicious software, worms and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your system. When a malicious software, adware or PUPs are detected, the count of the security threats will change accordingly.
After Zemana Free has completed scanning your system, the results are displayed in the scan report. Review the report and then click “Next” button.
The Zemana Free will remove Novasof ransomware related files, folders and registry keys and add threats to the Quarantine.
Remove Novasof virus with MalwareBytes AntiMalware
Manual Novasof ransomware removal requires some computer skills. Some files and registry entries that created by the crypto virus may be not completely removed. We recommend that use the MalwareBytes AntiMalware (MBAM) that are fully clean your system of crypto virus. Moreover, this free application will help you to uninstall malware, PUPs, adware software and trojans that your system may be infected too.
Installing the MalwareBytes is simple. First you will need to download MalwareBytes Free by clicking on the link below. Save it on your Desktop.
326385 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When downloading is finished, close all windows on your system. Further, open the file called mb3-setup. If the “User Account Control” prompt pops up like below, click the “Yes” button.
It will show the “Setup wizard” that will help you install MalwareBytes on the system. Follow the prompts and don’t make any changes to default settings.
Once setup is complete successfully, click Finish button. Then MalwareBytes AntiMalware (MBAM) will automatically launch and you can see its main window like the one below.
Next, click the “Scan Now” button to perform a system scan with this tool for the Novasof ransomware, other malware, worms and trojans. Depending on your PC system, the scan may take anywhere from a few minutes to close to an hour. While the MalwareBytes Anti Malware is scanning, you may see number of objects it has identified either as being malware.
When mbam} is done scanning your machine, you’ll be shown the list of all found items on your machine. When you’re ready, click “Quarantine Selected” button.
The MalwareBytes Free will remove Novasof crypto malware, other kinds of potential threats such as malicious software and trojans and add items to the Quarantine. After the procedure is complete, you may be prompted to restart your personal computer. We advise you look at the following video, which completely explains the procedure of using the MalwareBytes to remove browser hijackers, adware and other malicious software.
If the problem with Novasof ransomware is still remained
KVRT is a free portable program that scans your PC system for adware, potentially unwanted software and crypto malwares like Novasof and helps delete them easily. Moreover, it will also help you uninstall any malicious browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) on your machine by clicking on the link below.
129056 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After downloading is done, double-click on the Kaspersky virus removal tool icon. Once initialization process is complete, you will see the KVRT screen as displayed on the screen below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button . KVRT program will scan through the whole computer for the Novasof ransomware . A scan can take anywhere from 10 to 30 minutes, depending on the count of files on your computer and the speed of your personal computer. During the scan Kaspersky virus removal tool will find threats exist on your machine.
When Kaspersky virus removal tool has finished scanning your personal computer, Kaspersky virus removal tool will show you the results as displayed below.
Make sure all threats have ‘checkmark’ and press on Continue to begin a cleaning task.
How to decrypt .novasof files
You can damage photos, documents and music locked by Novasof ransomware, or make them useless forever if you try to find the special code key on your own, which is almost impossible in view of its cryptographic complexity. It is very important to know and understand the level of importance of constantly backing up important files to various media, such as an USB flash drive, so that in case of damage to your machine by crypto virus you can always extract a copy of encrypted files.
Never pay the ransom! Some victims, wishing to decrypt encrypted files, pay the ransom amount of money to cybercriminals. However, it is important to remember before performing this action that you are interacting with unscrupulous and dishonest people, and the probability that after transferring money they will not provide you with a special code key and Novasof decryption utility to unlock .novasof files or increase the amount of ransom is high enough.
Files encrypted by Novasof ransomware virus
There is no such solution to this problem, which is suitable for everyone. However, paying for the private key is not an obvious answer. If you pay for it, remember that no one gives you a guarantee that you will receive it. There is also a possibility that even the attackers themselves do not have this key. Most probably, they are just trying to defraud you and use you in order to get money. You should try the steps in this article. The steps will allow you completely delete Novasof ransomware virus and you will be able to restore some of the encrypted files without paying any ransom. Given the fact that fighting ransomware is incredibly difficult, we cannot promise you that you will defuse it. Nevertheless, it is still worth a try.
Novasof decryption tool
With some variants of Novasof file virus, it is possible to decrypt encrypted files using free tools listed below.
Michael Gillespie (@) released the Novasof decryption tool named STOPDecrypter. It can decrypt .Novasof files if they were locked by one of the known OFFLINE KEY’s retrieved by Michael Gillespie. Please check the twitter post for more info.
Novasof decryption tool
STOPDecrypter is a program that can be used for Novasof files decryption. One of the biggest advantages of using STOPDecrypter is that is free and easy to use. Also, it constantly keeps updating its ‘OFFLINE KEYs’ DB. Let’s see how to install STOPDecrypter and decrypt .Novasof files using this free tool.
- Installing the STOPDecrypter is simple. First you will need to download STOPDecrypter on your Windows Desktop from the following link.
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip - After the downloading process is done, close all applications and windows on your machine. Open a file location. Right-click on the icon that’s named STOPDecrypter.zip.
- Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is finished, run STOPDecrypter. Select Directory and press Decrypt button.
If STOPDecrypter does not help you to decrypt .Novasof files, in some cases, you have a chance to restore your files, which were encrypted by ransomware. This is possible due to the use of the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .novasof files
In some cases, you can restore files encrypted by Novasof ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted files.
Restore .novasof files with ShadowExplorer
An alternative is to restore .novasof photos, documents and music from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that Microsoft Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing documents, photos and music that were damaged by Novasof ransomware virus. The guidance below will give you all the details.
Visit the page linked below to download the latest version of ShadowExplorer for Microsoft Windows. Save it on your Desktop.
438669 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once the downloading process is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed in the figure below.
Double click ShadowExplorerPortable to launch it. You will see the a window like below.
In top left corner, choose a Drive where encrypted personal files are stored and a latest restore point as displayed on the image below (1 – drive, 2 – restore point).
On right panel look for a file that you want to restore, right click to it and select Export as shown on the screen below.
Restore .novasof files with PhotoRec
Before a file is encrypted, the Novasof ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your files using file recover apps such as PhotoRec.
Download PhotoRec on your machine by clicking on the following link.
Once the downloading process is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder similar to the one below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll show a screen as displayed below.
Choose a drive to recover as shown on the image below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music like below.
Press File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is done, click OK button.
Next, press Browse button to choose where restored photos, documents and music should be written, then press Search.
Count of restored files is updated in real time. All restored files are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the restore is done, click on Quit button. Next, open the directory where recovered files are stored. You will see a contents as on the image below.
All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your computer from Novasof crypto virus?
Most antivirus apps already have built-in protection system against the ransomware virus. Therefore, if your personal computer does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Use HitmanPro.Alert to protect your computer from Novasof ransomware virus
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
First, visit the following page, then click the ‘Download’ button in order to download the latest version of HitmanPro.Alert.
After the downloading process is finished, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the tool is started, you’ll be displayed a window where you can select a level of protection, as displayed on the screen below.
Now press the Install button to activate the protection.
Finish words
Now your personal computer should be free of the Novasof ransomware virus. Delete MalwareBytes Free and Kaspersky virus removal tool. We recommend that you keep Zemana Anti Malware (to periodically scan your PC for new malware). Moreover, to prevent crypto malware, please stay clear of unknown and third party software, make sure that your antivirus program, turn on the option to block or scan for ransomware.
If you need more help with Novasof crypto malware related issues, go to here.
