CryptoNar Ransomware - How to remove

CryptoNar Ransomware was discovered recently and it seems like it’s another very dangerous crypto infection. As most of the ransomware viruses nowadays, it employs specific cryptography to change the structure of personal files stored on the hard drive of the computer that is infected. As a result, you won’t be able to access your files and will receive a demand to pay a ransom in order to get a specific tool (decryptor), which allows to reverse encryption process and make those files usable once again.

The business model of infections like this is probably already clear to you, but you should know that there are other methods which can be employed to solve this problem. You don’t necessarily need to pay the ransom in order to remove CryptoNar and ’decrypt’ your files.

This article is dedicated to providing you with the instructions on how to effectively eliminate CryptoNar ransomware infection and then give the best shot at restoring personal files that were taken away from you.

CryptoNar Ransomware Specifications

This ransomware virus employs ’AES to put a lock on your files. Basically, it changes the structure of your files by encrypting them, so that’s why you are not able to open or use them in any other way anymore. Why they do that? Obviously, they want to lure some money out of you and that’s the easiest method for them to do it.

There are some ransomware infections that can’t actually encrypt files, they only lock the screen and say that files are encrypted. Also, there are the ones that can’t encrypt files and instead of that they simply remove them all. Those are called wiper viruses.

Regardless of what type of ransomware virus it is, they all have one goal in mind – to make money and force users into paying the ransom. In this case,  CryptoNar will demand you to pay $200 in Bitcoins. This information is disclosed in the message displayed on the desktop after the encryption process is over:

Your important files including photos, videos, documents, databases, etc. were encrypted with our CryptoNar ransomware. The only way to get your files back is to pay us. otherwise, your files will be lost forever. Important note: Removing CryptoNar will not restore access to your encrypted files. Encryption was made using a unique RSA-2048 public key generated for this computer. To decrypt files you need to acquire the private key (decryption key). The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet; the server will eliminate the key after 72 hours since its generation (since the moment your computer was infected). once this has been done, nobody will ever be able to restore your files. In order to receive your decryption key, you will have to pay $200 in bitcoins to this bitcoin address: 1FeutvrveiF8odnnx9Rr3cyBfFiecFeKwRq when time comes to send the bitcoins to us, make sure to include your e-mail and your personal ID (you can see it below) in the extra information box (it may apper also as ‘Extra Note or ‘optional message’) in order to get your personal decryption key. It may take up to 6-8 hours to take your personal decryption key. After the payment was made, and you received your decryption key, just press the decryption button in the decryptor (located on the desktop). Enter your decryption key you received, and wait until the decryption process is done. Your ID: [redacted]

In exchange for those $200 you should receive a special decryption tool that can unlock files with .cryptonar extension. By the way, we have discovered that this extension can be set to .partially.cryptonar or .fully.cryptonar.

We do not recommend to trust cybercriminals and pay them for the decryption tool. Even if you really need your personal files back and $200 seems like not a lot, you can’t be sure that your files will be decrypted after you pay it. There are other alternatives that we recommend to go for instead of paying the ransom.

How CryptoNar Managed To Infect Your System

There are various methods to distribute malware, but specifically ransomware viruses most of the time come as an attachment to some kind of spammy email.

Nowadays email service providers are pretty good at sorting spam emails, so most of the unreliable letters end up in the spam folder. Unfortunately, there still are some reckless users that are willing to explore that folder and open emails from there. That is a major security threat and you should not do that unless you are expecting some letter and it was placed in the spam folder by mistake.

Cyber criminals employ social engineering techniques and craft very appealing letters that encourage users to open files that are attached to them. It is enough to get a computer infected. If the attached file is downloaded to the computer, all malicious files are automatically extracted and placed on the hard drive.

One of the most effective solutions against such ransomware attacks is anti-malware software with real-time protection feature. There are some free options, such as PlumBytes or Malware Fighter, so give them a try. They can save you a lot of money and time in a long run.

How To Decrypt Files Affected By CryptoNar

First of all, you have to completely remove CryptoNar virus from your computer, even though this won’t unlock your personal files. However, it has to be done, because if you simply restore your files without removing the virus first, it will be able to encrypt them once again.

To do that, you should run a scan with either Spyhunter. Either one of those programs is effective against ransomware infections, so all files related to CryptoNar ransomware should be detected and removed automatically.

When that’s done, you can try to recover your files. Unfortunately, a free decryptor for CryptoNar is not available yet, so you will have to go for alternative methods. One of them – restore your files from a backup file. However, there are some conditions that have to be met in order to complete this successfully:

• Backup file has to be created before the date of infection;
• It has to be stored on an external drive or cloud, otherwise, CryptoNar will be able to encrypt it too.

If you have such backup file, follow this system restore guide. In case you don’t have a backup, try to use free file recovery tool that is available online.

Automatic Malware removal tools

How to recover CryptoNar Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before CryptoNar Ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of CryptoNar Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to CryptoNar Ransomware. You can check other tools here.  

Step 3. Restore CryptoNar Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually CryptoNar Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover CryptoNar Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.