Naampa ransomware virus is a variation of Unlock92, and both feature ransom notes written in Russian. For file encryption, the ransomware uses the RSA-2048 cipher. The Naampa.exe payload drops several files into the infected operating system, such as key.res and !—-README—-!.jpg. The infection is also programmed to delete all Shadow Volume Copies, which could otherwise let the victim recover files without paying the ransom.
Research about this crypto-virus
Naampa crypto-virus and Unlock92 share many similarities. Both drop ransom notes as .jpg files, place executables that perform RSA-2048 encryption into the victim's OS, and instruct people to download TOR and visit a specific website. Unlock92 appeared more than a year ago; Naampa is the newer sample discussed here.
In the .jpg ransom note that displays the hackers' demands, we notice that people are invited to send one of the encrypted files, together with the key.res file, to [email protected]. Crooks promise to send back a recovered version. In addition, victims are told to download the TOR browser so they can access the n3r2kuzhw2h7x6j5.onion website.
When ransomware creators provide links to other domains, they usually include more detailed instructions, information on how bitcoins should be purchased, and the exact amount that should be bought. However, on this TOR website only the email address mentioned earlier is shown.
Victims are clearly expected to contact the email address for more information and to negotiate the ransom. The hackers do not have a pre-set amount of bitcoins, which means the price could vary between victims, depending on the amount of files they have lost. Naampa crypto-virus also has another possible payload: mmspert.exe. Encrypted files are left unusable and carry a .crptd extension.
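As an added example (not part of the original article and not the malware's own code), the following Python script triages a directory tree for the indicators described above: files with the .crptd extension, the dropped key.res file, the README .jpg ransom note, and the Naampa.exe / mmspert.exe payload names. The files it scans are constructed in a temporary directory so it runs offline; the ASCII-hyphen spelling of the note's file name and the folder layout are assumptions made for the demo.

```python
"""Added example: triage a directory tree for the Naampa indicators the
article lists.  The sample tree is constructed in a temp directory; the
hyphen spelling of the README note and the folder names are assumptions."""
import os
import tempfile
from collections import Counter

# Indicators taken from the article.  The exact dash characters in the
# note's name vary between write-ups, so match on the README stem.
ENCRYPTED_EXT = ".crptd"
DROPPED_FILES = {"key.res"}
PAYLOAD_NAMES = {"naampa.exe", "mmspert.exe"}


def classify(name):
    """Return the indicator class for one file name, or None if benign."""
    lower = name.lower()
    if lower.endswith(ENCRYPTED_EXT):
        return "encrypted"
    if lower in DROPPED_FILES:
        return "key_file"
    if lower in PAYLOAD_NAMES:
        return "payload"
    if lower.startswith("!") and "readme" in lower and lower.endswith(".jpg"):
        return "ransom_note"
    return None


def triage(root):
    """Walk `root`, count indicators and record where key.res was found.

    key.res is the file the note asks victims to send to the crooks, so a
    responder should preserve it (a future decryptor may need it) rather
    than delete it along with the payload.  Only names are inspected; file
    contents are never opened.
    """
    counts = Counter()
    key_files = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            kind = classify(name)
            if kind is None:
                continue
            counts[kind] += 1
            if kind == "key_file":
                key_files.append(os.path.join(dirpath, name))
    return {
        "counts": dict(counts),
        "key_files": key_files,
        "infected": counts["encrypted"] > 0 or counts["ransom_note"] > 0,
    }


def build_sample_tree():
    """Construct a fake victim profile containing the article's indicators."""
    root = tempfile.mkdtemp(prefix="naampa_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.crptd", "photo.jpg.crptd", "notes.txt"):
        open(os.path.join(docs, name), "wb").close()
    open(os.path.join(root, "key.res"), "wb").close()
    open(os.path.join(root, "!---README---!.jpg"), "wb").close()  # constructed name
    open(os.path.join(root, "mmspert.exe"), "wb").close()
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Running `triage()` against a suspected victim's user profile gives a quick yes/no on infection and the path of key.res to preserve before the cleanup in Step 2 removes dropped files.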
Decryption of files and removal of the infection
At the time of writing this article, we have not found a technique to decrypt the files completely free of charge. Until security researchers produce an effective tool, people will have to explore the limited alternatives. We have already indicated that Shadow Volume Copies are deleted by this variant, so there is no point in checking whether these spare copies remain. Some general-purpose recovery methods that could help with file recovery are described in the sections below.
The best thing to do is to always keep your valuable information in more than one location. This means that the original copies on your hard drive should not be the only ones you have. If those original files become encoded, you will regret not being cautious enough to keep them in backup storage or at least on a USB flash drive. Keeping your data in multiple locations will spare you massive inconvenience when a ransomware infection strikes.
File decryption should be pursued only after the ransomware has been properly removed. This can be done manually if you wish, but we only advise this option for those with experience in malware removal. For other users, Spyhunter (https://www.2-viruses.com/downloads/spyhunter2) or Hitman (https://www.2-viruses.com/downloads/hitman_pro.exe) are here to help. Look at the sections below to become more familiar with everything discussed in this part of the article.
On a final note, we remind our users to properly secure their Remote Desktop Protocol so that hackers do not get a chance to break in. Additionally, spam campaigns are aggressive and very dangerous: do not open emails from sources you do not recognize, as the attachments inside could hide malicious components.
How to recover Naampa ransomware virus encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
For Windows 7 / Vista / XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
For Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore system files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the window that appears.
- Select a Restore Point dated before Naampa ransomware virus infiltrated your system, then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of Naampa ransomware virus
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter (https://www.2-viruses.com/downloads/spyhunter2), and remove all malicious files related to Naampa ransomware virus.
Step 3. Restore Naampa ransomware virus affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Naampa ransomware virus usually tries to delete all Shadow Volume Copies, so this method may not work on all computers; however, it sometimes fails to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: native Windows Previous Versions or Shadow Explorer.
a) Native Windows Previous Versions
- Right-click on an encrypted file and select Properties → Previous versions tab.
- You will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy.
- Choose the version of the file you want to retrieve and click Copy to save it to a directory of your own, or Restore to replace the existing encrypted file. If you want to see the content of the file first, click Open.
b) Shadow Explorer
- Shadow Explorer is a program that can be found online for free. You can download either a full or a portable version.
- Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive.
- To retrieve a whole folder, right-click on it and select “Export”, then choose where you want it to be stored.
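The article notes that Naampa usually deletes Shadow Volume Copies but sometimes fails to; the quickest way to learn which case applies before spending time on Step 3 is to look at what `vssadmin list shadows` (run from an elevated command prompt) reports. The Python script below is an added example, not from the article: it parses that output and lists the snapshots taken before the infection time, since only those can hold clean versions of files that were later encrypted. The vssadmin text it parses is a constructed sample in the tool's English-locale layout; the machine name, GUIDs and timestamps are invented for the demo.

```python
"""Added example: parse `vssadmin list shadows` output and decide whether a
pre-infection snapshot exists.  SAMPLE_VSSADMIN_OUTPUT is constructed; the
GUIDs, host name and times in it are invented."""
import re
from datetime import datetime

# Constructed sample: one snapshot before the infection, one after it.
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 6/20/2017 9:05:12 PM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{01234567-89ab-cdef-0123-456789abcdef}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: VICTIM-PC
         Service Machine: VICTIM-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {66666666-7777-8888-9999-000000000000}
   Contained 1 shadow copies at creation time: 6/22/2017 8:30:00 AM
      Shadow Copy ID: {ffffffff-0000-1111-2222-333333333333}
         Original Volume: (C:)\\?\Volume{01234567-89ab-cdef-0123-456789abcdef}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: VICTIM-PC
         Service Machine: VICTIM-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# Message vssadmin prints when no shadow copies exist at all.
NO_COPIES_MSG = "No items found that satisfy the query."

SET_RE = re.compile(r"creation time:\s*(.+?)\s*$")
VOLUME_RE = re.compile(r"Original Volume:\s*\((\w:)\)")
SHADOW_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_vssadmin(text):
    """Return a list of {created, volume, device} dicts, one per shadow copy.

    A shadow copy set can hold several copies (one per volume) that share the
    set's creation time, so the time is remembered per set and attached to
    each "Shadow Copy ID" record that follows it.
    """
    copies, set_time, current = [], None, None
    for line in text.splitlines():
        m = SET_RE.search(line)
        if m:
            # English-locale short date/time, e.g. 6/20/2017 9:05:12 PM
            set_time = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            continue
        if "Shadow Copy ID:" in line and set_time is not None:
            current = {"created": set_time}
            copies.append(current)
            continue
        if current is None:
            continue
        m = VOLUME_RE.search(line)
        if m:
            current["volume"] = m.group(1)
            continue
        m = SHADOW_RE.search(line)
        if m:
            current["device"] = m.group(1)
    return copies


def recoverable_snapshots(copies, infection_time, volume="C:"):
    """Snapshots of `volume` taken before the infection started."""
    return [c for c in copies
            if c.get("volume") == volume and c["created"] < infection_time]


def assess(text, infection_time_iso, volume="C:"):
    """Summarise whether Step 3 is worth trying for one volume."""
    if NO_COPIES_MSG in text:
        return {"copies": 0, "usable": [], "verdict": "shadow copies deleted; skip Step 3"}
    infection_time = datetime.fromisoformat(infection_time_iso)
    copies = parse_vssadmin(text)
    usable = recoverable_snapshots(copies, infection_time, volume)
    verdict = ("pre-infection snapshot present: try Previous Versions or Shadow Explorer"
               if usable else "no pre-infection snapshot on this volume; Step 3 will not help")
    return {"copies": len(copies), "usable": [c["device"] for c in usable], "verdict": verdict}


if __name__ == "__main__":
    # Infection time is taken from the earliest .crptd modification time found in triage.
    print(assess(SAMPLE_VSSADMIN_OUTPUT, "2017-06-21T12:00:00"))
```

The infection time is best taken from the modification timestamp of the oldest .crptd file; a snapshot created after that moment already contains the encrypted versions and is of no use, which is why the script filters on creation time rather than just counting copies.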
Step 4. Use Data Recovery programs to recover Naampa ransomware virus encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
- We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC, though.
- Download a data recovery program.
- Install and scan for recently deleted files.