This week, IT security professionals discovered a new ransomware. It is named ‘Nuksus file virus‘ and used malicious software to infect Microsoft Windows computers. It encrypts documents, photos and music, adding the .nuksus file extension to the names of all encrypted files, on all attached data storage a short time after the system has been infected.
Files encrypted by “nuksus virus”
Getting to the user’s PC, the Nuksus ransomware virus starts searching for files in all folders and recursively, and after their detection, encrypts each of them using a complex encryption algorithm. Nuksus ransomware locks up almost of files, including common as:
.icxs, .zip, .wp5, .odb, .fos, .txt, .zdc, .x3f, .wps, .xyp, .xlsm, .hvpl, .ppt, .ws, .svg, .bc6, .snx, .wmv, .dcr, .yal, .webdoc, .cas, .jpg, .docm, .wri, .odp, .wpg, .mcmeta, .itdb, .crw, .wbmp, .vdf, .zdb, .pem, .xlsx, .jpeg, .qdf, .rim, .odc, .xll, .webp, .lvl, .wp6, .bsa, .wma, .wp7, .2bp, .xlsm, .t13, .ysp, .esm, .wbm, .sql, .mdbackup, .hplg, .bay, .orf, .xls, .pst, .mpqge, .p7b, .layout, .slm, .dwg, .xf, .z3d, .xyw, .wm, .dxg, .mov, .sb, .indd, .xx, .vtf, .yml, .r3d, .7z, .pptx, .3ds, .ff, .ybk, .wpb, .wpa, .wsd, .docx, .wp, .rwl, .dmp, .xdb, .d3dbsp, .fsh, .rofl, .wn, .rb, .wbk, .gho, .csv, .ibank, .wsc, .pptm, .vpp_pc, .syncdb, .wgz, .ptx, .wpd, .srf, .tax, .dbf, .xpm, .wpw, .wpd, .wma, .png, .ncf, .dng, .pdd, .xbdoc, .rar, .zi, .wdp, .wp4, .doc, .pef, .css, .mlx, .desc, .xdl, .srw, .js, .bik, .bkp, .3fr, .vpk, .rw2, .sidd, .p7c, .xmind, .sis, .accdb, .wdb, .wbd, .wpt, .p12, .kdc, .eps, .zif, .xlsb, .z, .m3u, .nrw, .0, .raw, .wbc, wallet, .pdf, .mp4, .bar, .wotreplay, .odt, .x, .ztmp, .map, .cdr, .wcf, .flv, .ntl, .xmmap, .apk, .forge, .lbf, .das, .xml, .sie, .xxx, .arch00, .cfr, .wps, .big, .xlsx, .epk, .re4, .zw, .jpe, .crt, .wmf, .itm, .wmv, .zip, .sav, .erf, .arw, .xar, .iwi, .itl, .wmd, .lrf, .asset, .fpk, .w3x, .mrwref, .pfx, .vfs0, .wmo, .xlk, .wav, .hkdb, .wbz, .wire, .gdb, .zabw, .wb2, .3dm, .x3f, .mddata, .cer, .wsh, .y, .sum, .upk, .psd, .sr2, .iwd, .rgss3a, .m4a, .ai, .t12, .xbplate, .ods, .kdb, .dazip, .xld, .vcf, .der, .py, .pak, .mdf, .db0, .dba, .xlgc, .avi, .m2, .blob, .pkpass, .bkf, .wpl, .litemod, .x3d, .wpe, .xwp, .xls, .mdb, .wot, .menu, .psk, .ltx, .1st, .tor, .mef, .qic, .rtf, .xy3, .hkx, .1, .bc7, .odm, .sid, .cr2, .kf
Once on the computer, the Nuksus ransomware virus completely locks up the photos, documents and music so that the user can not open them. In this case, the only option to unlock the files is to pay a ransom to cyber frauds who are Nuksus creators and offer a key to decrypt all affected files.
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with the strongest encryption and unique key. The only method of recovering files is to purchase the decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted files from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look at the video overview decrypt tool: https://we.tl/t-Hy0BJyOtwx Price of private key and decrypt software is $ 980. 50% discount available if you contact us first 72 hours, that's the price for you is $ 490. Please note that you will never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need to write on our e-mail:
Threat Summary
| Name | Nuksus |
| Type | Crypto malware, File locker, Ransomware, Filecoder, Crypto virus |
| Encrypted files extension | .nuksus |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch |
| Ransom amount | $980 in Bitcoins |
| Symptoms | Encrypted files. All of your personal files have a new file extension appended to the filenames. Files named such as ‘_readme.txt’, or ‘_readme” in every folder with an encrypted file. Ransom note with cybercriminal’s ransom demand and instructions. |
| Distribution ways | Phishing Emails that is carefully developed to trick a victim into opening an attachment or clicking on a link that contains a malicious file. Drive-by downloading (when a user unknowingly visits an infected web page and then malware is installed without the user’s knowledge). Social media, like web-based instant messaging programs. Malvertising campaigns. |
| Removal | To remove Nuksus ransomware use the removal guide |
| Decryption | To decrypt Nuksus ransomware use the steps |
Quick links
- How to remove Nuksus file virus
- Use STOPDecrypter to decrypt .nuksus files
- How to restore .nuksus files
How to remove Nuksus file virus
Before you launch the procedure of restoring files that has been encrypted, make sure Nuksus crypto malware is not running. Firstly, you need to remove this ransomware virus permanently. Thankfully, there are several malicious software removal utilities which will effectively look for and remove Nuksus crypto malware and other crypto virus malicious software from your PC.
Run Zemana Free to uninstall Nuksus ransomware virus
Zemana Free is a program which is used for malware, crypto virus, trojans, worms, adware, spyware and other security threats removal. The program is one of the most efficient anti-malware utilities. It helps in crypto malware removal and and defends all other types of malware. One of the biggest advantages of using Zemana Anti Malware is that is easy to use and is free. Also, it constantly keeps updating its virus/malware signatures DB. Let’s see how to install and check your computer with Zemana Anti Malware (ZAM) in order to uninstall Nuksus ransomware virus from your system.
- Visit the page linked below to download Zemana Free. Save it to your Desktop.
Zemana AntiMalware
164032 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- When the download is finished, close all apps and windows on your computer. Open a file location. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
- Further, press Next button and follow the prompts.
- Once install is done, click the “Scan” button . Zemana Anti Malware (ZAM) utility will begin scanning the whole machine to find out Nuksus crypto malware and other security threats. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your personal computer. While the utility is checking, you can see count of objects and files has already scanned.
- Once the checking is finished, Zemana Free will show a list of detected threats. Review the scan results and then click “Next”. Once disinfection is complete, you can be prompted to restart your machine.
Use MalwareBytes Anti-Malware to uninstall crypto malware
Manual Nuksus virus removal requires some computer skills. Some files and registry entries that created by the ransomware may be not completely removed. We recommend that run the MalwareBytes AntiMalware (MBAM) that are completely clean your computer of crypto malware. Moreover, this free program will allow you to uninstall malicious software, potentially unwanted software, adware software and toolbars that your computer may be infected too.
First, please go to the following link, then click the ‘Download’ button in order to download the latest version of MalwareBytes.
326384 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When the downloading process is finished, close all programs and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup as shown on the image below.
When the setup starts, you’ll see the “Setup wizard” that will help you install Malwarebytes on your PC.
Once installation is finished, you’ll see window like the one below.
Now click the “Scan Now” button to perform a system scan for the Nuksus crypto virus related folders,files and registry keys.
After the scan get completed, you can check all items found on your personal computer. When you’re ready, click “Quarantine Selected” button.
The Malwarebytes will now begin to delete Nuksus ransomware virus, other malware, worms and trojans. When finished, you may be prompted to reboot your computer.
The following video explains few simple steps on how to remove hijacker, adware and other malware with MalwareBytes AntiMalware (MBAM).
Run KVRT to delete Nuksus ransomware
KVRT is a free removal utility that can scan your PC for a wide range of security threats like the Nuksus ransomware, adware software, potentially unwanted software as well as other malware. It will perform a deep scan of your machine including hard drives and Microsoft Windows registry. After a malicious software is detected, it will help you to remove all found threats from your machine by a simple click.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below. Save it on your MS Windows desktop or in any other place.
129056 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once downloading is done, double-click on the KVRT icon. Once initialization process is done, you will see the Kaspersky virus removal tool screen similar to the one below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button for checking your computer for the Nuksus crypto malware and other trojans and malicious software. Depending on your machine, the scan can take anywhere from a few minutes to close to an hour. While the KVRT is checking, you can see number of objects it has identified either as being malicious software.
After Kaspersky virus removal tool has finished scanning, KVRT will display a list of detected threats as displayed in the following example.
Review the results once the tool has complete the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click on Continue to begin a cleaning procedure.
Use STOPDecrypter to decrypt .nuksus files
With some variants of Nuksus file virus, it is possible to decrypt encrypted files using free tools listed below.
Michael Gillespie (@) released the Nuksus decryption tool named STOPDecrypter. It can decrypt .nuksus files if they were locked by one of the known OFFLINE KEY’s retrieved by Michael Gillespie. Please check the twitter post for more info.
Nuksus decryption tool
STOPDecrypter is a program that can be used for Nuksus files decryption. One of the biggest advantages of using STOPDecrypter is that is free and easy to use. Also, it constantly keeps updating its ‘OFFLINE KEYs’ DB. Let’s see how to install STOPDecrypter and decrypt .nuksus files using this free tool.
- Please go to the link below to download the latest version of STOPDecrypter for MS Windows. Save it directly to your Microsoft Windows Desktop.
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip - Once the download is complete, close all software and windows on your computer. Open a file location.
- Right-click on the icon that’s named STOPDecrypter.zip. Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is complete, right click on STOPDecrypter, choose ‘Run as Admininstrator’. Select Directory and press Decrypt button.
If STOPDecrypter does not help you to decrypt .nuksus files, in some cases, you have a chance to restore your files, which were encrypted by crypto malware. This is possible due to the use of the utilities named ShadowExplorer and PhotoRec. An example of recovering encrypted documents, photos and music is given below.
How to restore .nuksus files
In some cases, you can recover files encrypted by Nuksus ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.
Recover .nuksus encrypted files using Shadow Explorer
If automated backup (System Restore) is enabled, then you can use it to restore all encrypted files to previous versions.
First, visit the following page, then click the ‘Download’ button in order to download the latest version of ShadowExplorer.
438668 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once the download is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown in the following example.
Start the ShadowExplorer tool and then choose the disk (1) and the date (2) that you want to restore the shadow copy of file(s) encrypted by the Nuksus crypto malware as on the image below.
Now navigate to the file or folder that you wish to restore. When ready right-click on it and click ‘Export’ button similar to the one below.
Restore .nuksus files with PhotoRec
Before a file is encrypted, the Nuksus ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file restore programs such as PhotoRec.
Download PhotoRec on your personal computer by clicking on the following link.
When the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the image below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll open a screen as shown on the image below.
Choose a drive to recover as displayed in the figure below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as on the image below.
Click File Formats button and select file types to restore. You can to enable or disable the restore of certain file types. When this is complete, click OK button.
Next, click Browse button to select where recovered photos, documents and music should be written, then click Search.
Count of recovered files is updated in real time. All restored files are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is finished, click on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as displayed in the figure below.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your computer from Nuksus ransomware virus?
Most antivirus applications already have built-in protection system against the crypto malware. Therefore, if your PC does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Run HitmanPro.Alert to protect your personal computer from Nuksus ransomware
All-in-all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows operating system from Microsoft Windows XP to Windows 10.
Visit the following page to download HitmanPro.Alert. Save it to your Desktop so that you can access the file easily.
When the download is complete, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. When the tool is started, you’ll be displayed a window where you can select a level of protection, as shown in the figure below.
Now click the Install button to activate the protection.
To sum up
Now your computer should be clean of the Nuksus ransomware. Delete KVRT and MalwareBytes Anti-Malware (MBAM). We advise that you keep Zemana (to periodically scan your PC system for new malicious software). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to delete Nuksus crypto malware from your personal computer, then ask for help here.
