Naampa ransomware virus - How to remove

Naampa ransomware virus is a variation of Unlock92 and they both feature ransom notes that are written in the Russian language. To launch the process of file encryption, ransomware has assigned RSA-2048 cipher for the task. The payload of Naampa.exe extracts a bunch of files into the infected operating system, like key.res and !—-README—-!.jpg. The infection is also programmed to remove all Shadow Volume copies that could work in favor of the victim by releasing him/her from the obligation to pay a ransom.

Research about this crypto-virus

There are a lot of similarities that can be found between Naampa crypto-virus and Unlock92. They both generate ransom notes in a form of .jpg file, executables with RSA-2048 encryption codes are placed into victims’ OS, notes recommend people to download TOR and enter a specific website. Unlock92 had been generated more than a year ago, and Naampa infection is a newer sample to discuss.

Naampa ransomware

In the .jpg executable which displays the hackers’ requirements, we notice that people are invited to send one of the encrypted files, together with the key.res file, to [email protected]. Crooks promise to send back a recovered version. What is more, TOR browser is recommended to be downloaded by the victims so they would have access to n3r2kuzhw2h7x6j5.onion website.

When ransomware creators provide links to other domains, they usually include more detailed instructions, information how bitcoins should be purchased and indicate the exact amount that should be bought. However, in the latter TOR website, only the email address we have pointed out earlier is left.

Naampa virus

Victims are clearly supposed to contact the email address for more information and for negotiations about the ransom. Hackers do not have a pre-set amount of bitcoins, this means that this could fluctuate for different victims, depending on the amount of files they have lost. Naampa crypto-virus also has another possible payload: mmspert.exe. The final result of file-encryption will leave digital data useless and featuring a .crptd extension.

Decryption of files and removal of the infection

At the time of writing this article, we did not find a technique to decrypt files completely free of charge. As long as security researchers do not produce an efficient tool, people will have to explore the limited alternatives. We have already indicated that Shadow Volume Copies are deleted by this variant. Therefore, there is no point in checking whether these spare copies remain. There are some universal files that could help you with the process of file-decryption.

The best thing to do is always have your valuable information stored in more than one location. This means that the original version in your hard drives should not be the only ones you have. In case these original files will become encoded, you will feel sorry about not being cautious enough to store them in a backup storage or at least in a USB flash drive. Having your data in multiple locations will save you from having to deal with massive inconveniences when a ransomware infection strikes.

File-decryption should be pursued only after a ransomware has been properly removed. This can be done manually if you wish, but we only advise this option for those that have experience in malware-removal option. For other users, Spyhunter ( or Hitman ( are here to help. Look at the sections below to become more familiar with everything that we have discussed in this part of the article.

On the last note, we will take time to remind our users to properly secure their remote desktop protocol so hackers would have a chance to interfere. Additionally, spam campaigns are aggravating and very dangerous: do not open letters from sources that you do not recognize. Attachments inside could be hiding some malicious components.

How to recover Naampa ransomware virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Naampa ransomware virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of Naampa ransomware virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter ( and remove all malicious files related to Naampa ransomware virus. You can check other tools here.  

Step 3. Restore Naampa ransomware virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Naampa ransomware virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Naampa ransomware virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
Leave a Reply

Your email address will not be published. Required fields are marked *