Nacro Virus - How to remove

Nacro ransomware is a computer virus that uses cryptography to deny people access to their own data. The virus is part of an extortion scheme and it even leaves a ransom note on the infected computer, asking for money. Nacro is a part of the STOP/Djvu family and while its ransom demand is smaller than that of a lot of other ransomware, it’s still a significant amount of money.

Not only is money unfairly demanded from you for restoring your own data, but Nacro also can install spyware on your machine that will steal your credentials if you attempt to do banking on the infected machine. And if you do pay, the cyber extortionists can never be trusted to keep their promises and restore your data.

To raise the probability that they’re sent money, the criminals responsible for Nacro rush the victims by promising a “discount” if you’re quick to cave. However, it is worth looking around for other solutions to the Nacro problem.

If you know something about how Nacro works, you know that some victims may be able to get their files back, what caused the infection, and that ransomware can be avoided. STOP/Djvu isn’t the only cryptovirus (GILLETTE, JCry, Help) and repeat infections are common with victims who don’t tighten their security.

How Nacro works

Encryption is actually a legitimate way to keep information private. If you encrypt your own file and set a password, then nobody else can read your file, even if they have it — not because they can’t open the file, but rather, the contents of the file are turned to nonsensical mush. In the case of Nacro, your data is encrypted, but the password — the decryption key — is only known to the criminals who developed and are spreading the Nacro virus.

The encrypted files are marked with “.nacro”, a ransom note called “_readme.txt” is put in the affected folders, and it tells you to write to [email protected] or [email protected] and pay the hundreds of dollars that the criminals want from each of their victims.
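
The two markers described above (the “.nacro” suffix and the “_readme.txt” note) are enough to scope the damage before choosing a recovery route. The following read-only inventory script is an added example, not part of the original article; it assumes the marker is appended to the original file name, and the sample tree it builds is constructed.

```python
import os
import sys
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".nacro"   # marker named on this page
RANSOM_NOTE = "_readme.txt"   # ransom note name from this page

def inventory(root):
    """Read-only walk of root: list encrypted files and folders holding a note."""
    encrypted, note_dirs, original_types = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif lower.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(os.path.join(dirpath, name))
                # Assumption: the marker is appended, e.g. "report.docx.nacro"
                stem = name[:-len(ENCRYPTED_SUFFIX)]
                ext = os.path.splitext(stem)[1].lower() or "(no extension)"
                original_types[ext] += 1
    return sorted(encrypted), sorted(note_dirs), dict(original_types)

def build_sample(root):
    """Constructed sample tree, used only to show the output format."""
    for rel in ("docs/report.docx.nacro", "docs/_readme.txt",
                "pics/cat.jpg.nacro", "pics/_readme.txt", "safe/notes.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

def demo():
    """Run the inventory on the constructed tree; paths returned relative to it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        enc, notes, types = inventory(root)
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        return [rel(p) for p in enc], [rel(p) for p in notes], types

if __name__ == "__main__":
    # Pass a folder or drive to scan; with no argument the sample tree is used.
    enc, notes, types = inventory(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(f"{len(enc)} encrypted files, {len(notes)} folders with a ransom note")
    for ext, count in sorted(types.items()):
        print(f"  {ext}: {count}")
```

The per-extension counts show which kinds of files need to come back from backups or shadow copies, and the list of folders with a note shows which locations were reached.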

Here is something important: Nacro is probably distributed together with AZORult. That’s a dangerous credential stealer, so, if you use your infected computer for private business, that spyware might just record and send to criminals some of your most important data, such as your crypto wallet login information. So, make sure that 2-step verification is turned on everywhere important.

In the future, make sure that backups are set up and saved somewhere that a virus can’t get to, such as a separate disk that’s disconnected. If you do have backups, you do still need to remove the virus, but no need to worry about how to recover your data.

Most victims of Nacro and other STOP/Djvu get infected by running software activators and key generators or cracked software. If you insist on being a software pirate, be more careful in the future — or just use free or open-source equivalents of expensive programs. Non-genuine software is full of malware and downloading it is risky. Pirating websites of all kinds are quite dangerous and harmful.


How to remove Nacro and restore the files

Firstly, it’s important to make sure that Nacro is gone and that any other malware can’t hurt your computer. You can remove the malware manually, or maybe quarantine it using automatic anti-malware tools like Spyhunter. And you will also need to update your antivirus tools that were previously installed because Nacro can delete updates, making the program ineffective. Also, check your hosts file for unwanted modifications and think about changing your passwords that might have been compromised by the spyware.
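
One way to carry out the hosts file check mentioned above is to list every entry that is not a stock localhost mapping. This is an added example, not part of the original article; the sample content is constructed, using reserved .example names and a documentation-range address.

```python
import ipaddress
import sys

LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def audit_hosts(text):
    """Return (address, hostname, reason) for every entry worth reviewing."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # comments carry no mapping
        if not line:
            continue
        address, *names = line.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, " ".join(names), "unparseable address"))
            continue
        for name in (n.lower() for n in names):
            if ip.is_loopback and name in LOCAL_NAMES:
                continue                          # stock entry
            if ip.is_loopback or ip.is_unspecified:
                reason = "name blocked (loopback or unspecified address)"
            else:
                reason = "name redirected to another address"
            findings.append((address, name, reason))
    return findings

# Constructed sample: names use the reserved .example TLD, the address is
# from the 203.0.113.0/24 documentation range.
SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       av-vendor.example      # site made unreachable
0.0.0.0         update.av-vendor.example
203.0.113.7     bank.example
"""

if __name__ == "__main__":
    # On Windows the file is %SystemRoot%\System32\drivers\etc\hosts
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE
    for address, name, reason in audit_hosts(text):
        print(f"{address:15} {name:30} {reason}")
```

Any entry you did not add yourself deserves a look, especially one that blocks a security vendor’s site or redirects a site you log in to.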

As for restoring the files encrypted by Nacro, there is a list of possibilities:

  • Restore from backups.
  • Decrypt the files for free (low chance of success).
  • Use alternative data recovery options (shadow copies, data recovery).
  • Pay the ransom (not advised).

Backups have to be set up from before the infection, so if you don’t have them, some other way to get the files back is needed.

Free decryption that’s not affiliated with Nacro’s developers might become available for some of the victims: the creator of the decryption tool for various STOP/Djvu viruses has posted an explanation for how his software works and about its limitations.

There are other ways to try to restore your data; for example, you can try to recover your deleted files. It wouldn’t hurt to try.

Paying the ransom is sure to cost you money and to help the extortionists, but whether they will restore your files is never certain.



How to recover Nacro Virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

For Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

For Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were created before Nacro Virus infiltrated your system and then click “Next”.
  • To start System restore click “Yes”.
 

Step 2. Complete removal of Nacro Virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Nacro Virus. You can check other tools here.

Step 3. Restore Nacro Virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Nacro Virus tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Nacro Virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
