Neitrino Ransomware - How To Remove?

Security researchers have discovered another ransomware virus on the loose. This specific infection is referred to as Neitrino. It follows the widely used strategy of infecting users, encrypting their files and demanding a ransom for them. For whatever reason, the operators mainly target Russian-speaking countries: in this case, the ransom note they leave behind is also written in Russian.

About Neitrino Ransomware

After getting infected with the Neitrino virus, people might not notice any significant changes or red flags. First, a couple of conditions have to be met before this ransomware downloads its payload; the payload file usually carries a .RAR extension. Once running, the Neitrino virus can place a number of its own files on your PC. It can also modify Windows Registry keys so that the ransomware runs automatically every time you start your PC. Before any of this, however, there is a scenario in which the Neitrino virus terminates itself soon after it has been downloaded: if the infected PC is running on a virtual drive rather than a real Windows environment, the virus automatically deletes itself. Furthermore, to make the infection more successful, Neitrino ransomware transfers the following data to its creators: running executables, installed software, IP addresses, Internet connection information, and details from the Windows Registry.

The Neitrino virus can encrypt a multitude of file types, but it pays particular attention to documents created with Microsoft Office. Of course, these are not the only documents in jeopardy. Your precious photographs, video and audio files, database files, Adobe Reader files and virtual machine images are also on the edge of disaster. After a file is encrypted with the AES algorithm, an extension is appended to the corrupted data: .neitrino. Furthermore, the Neitrino virus might also have incorporated CBC (Cipher Block Chaining) mode into its scheme. What does that mean in practice? If you attempt to decrypt the data on your own with the wrong tool or key, the files can be permanently corrupted and damaged. The ransom letter, translated to English, reads as follows:

“It is possible to know about the value of the decryptor on the e-mail address: {Cyber-crooks’ e-mail address}.
In this letter, type your ID:{VICTIM ID HERE}
A convincing request not to try and decrypt files with decryptors.
You can permanently damage them and even the original decryptor will not help you.
We accept messages until {Deadline date here}
After {Deadline date here} we will ignore every message.
It is possible for replies to be slower.”

How to Decrypt the Files Encrypted by Neitrino Ransomware?

The size of the ransom is not indicated in the letter, which is called MESSAGE.txt. That means the fee for your data might differ, depending on the amount of data encrypted. Even if the demanded price is small and you badly need your files back, do not choose to voluntarily pay the ransom. The crooks might disappear after you pay, or provide you with a decryption key that does not even work. Before attempting to decrypt any files, make copies of them. Then, from a safe PC, try to revive them with file-recovery tools, such as the ones from Kaspersky. You can also try to trick the hackers into helping you decrypt the data yourself: demand that the crooks decrypt one selected file and send it back to you. Having one decrypted file and its encrypted counterpart might help to find a solution for the others.

How is Neitrino Ransomware Distributed?

Infectious spam letters might be the source of the Neitrino virus. Seemingly legitimate messages try to lure people into opening this malicious content and downloading the attachments it provides. The suggested file might be presented as an update for your software or basically any other type of data. Furthermore, Neitrino ransomware might be spreading via third-party domains that have malicious executables uploaded to them. Pay close attention to where the Internet points you: it might not always be a safe direction.

To eliminate the Neitrino virus for good, use professional anti-virus tools like Reimage, SpyHunter or Malwarebytes. These three knights in shining armor will dedicate their activity to protecting your PC from viruses and potentially unwanted programs (PUPs).

How to recover Neitrino ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points dated before the Neitrino virus infiltrated your system, then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Neitrino ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage, and remove all malicious files related to the Neitrino virus. You can check other tools here.

Step 3. Restore Neitrino ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually the Neitrino virus tries to delete all available Shadow Volume Copies, so this method may not work on all computers. However, it may fail to delete them, in which case the copies are still there.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
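The same recovery can be scripted for a single file when many of them need restoring. The following is an added example, not code from the original article or from any of the tools it names; it assumes an elevated PowerShell session on Windows, that at least one shadow copy survived, and uses hypothetical paths for the encrypted file and the output directory.

```powershell
# Added example (not from the original article): locate the pre-encryption
# version of a file whose encrypted twin now carries the .neitrino extension
# inside the surviving Volume Shadow Copies and copy it out.
param(
    [string]$EncryptedFile = 'C:\Users\Public\Documents\report.docx.neitrino',  # hypothetical
    [string]$OutDir        = 'C:\Recovered'                                    # hypothetical
)

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
if (-not $shadows) {
    # Neitrino tries to delete shadow copies; if it succeeded, this path is closed.
    Write-Warning 'No shadow copies found; Step 3 cannot be used on this machine.'
    return
}

# The original name is the encrypted name minus the appended .neitrino extension.
$originalPath = $EncryptedFile -replace '\.neitrino$', ''
$drive   = Split-Path -Qualifier $originalPath                 # e.g. C:
$relPath = $originalPath.Substring($drive.Length).TrimStart('\')
$volume  = (Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $drive }).DeviceID

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Newest snapshot first: it is the most likely to hold the latest clean version.
$candidates = $shadows | Where-Object { $_.VolumeName -eq $volume } | Sort-Object InstallDate -Descending
foreach ($s in $candidates) {
    # Shadow copies are exposed as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN;
    # a directory symlink (trailing backslash required) makes them browsable.
    $link = Join-Path $env:TEMP ('vss_' + $s.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $link $relPath
        if (Test-Path -LiteralPath $candidate) {
            $dest = Join-Path $OutDir (Split-Path -Leaf $originalPath)
            Copy-Item -LiteralPath $candidate -Destination $dest
            Write-Output "Recovered $originalPath from snapshot of $($s.InstallDate) -> $dest"
            break
        }
    } finally {
        # rmdir removes only the symlink, never the snapshot behind it.
        cmd /c rmdir "$link" | Out-Null
    }
}
```

Run it against one known file first and compare the recovered copy with the original's expected size before trusting the snapshot for a bulk restore.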

Step 4. Use Data Recovery programs to recover Neitrino ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:

  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.


About the author

 - Main Editor
I started 2-viruses.com in 2007 after wanting to be more or less independent from any single security program maker. Since then, we have kept working on this site to make the internet a better and safer place to use.
July 11, 2016 04:38, January 3, 2017 10:20