Nemesis virus belongs to the category of ransomware. The origins of this infection were discovered back in May 2017; however, its active spread began only now. It is a typical ransomware: first, it encrypts the files stored on your computer (except system files, so your operating system keeps working), and then it demands a ransom. Even though it is not official, victims of Nemesis virus have reported that the initial ransom is $500 and that it can be doubled if the payment deadline is not met. That’s a common scare technique used by cyber criminals all over the world.
If this infection has hit your system, you have two options: pay the ransom and decrypt the locked files, or remove the virus using anti-malware software and then recover the encrypted files using alternative methods. The first option is not recommended because cyber criminals can fool you and simply take the money without providing you with a decryptor. Also, it’s not a good thing to support those crooks by paying a ransom. Eventually, you have to go for the second option. If you don’t have a clue how to remove the Nemesis infection and recover your files, you have come to the right place. We will try to provide you with detailed information about this ransomware as well as removal instructions.
Nemesis Virus Description
First of all, in order to carry out malicious activities on your system, Nemesis ransomware must place certain files on your computer. To do that, its operators employ social engineering techniques and attach those files to emails. Usually, the emails are well crafted and claim to be about something really important. In order to access further information, the user is asked to open the attached Word file. This attachment turns out to be not a text document at all – once you open it, all malicious files needed to run Nemesis ransomware are automatically dropped onto your computer. That’s the most common way to distribute malware like this.
Once the files are on your system, Nemesis starts scanning your personal documents, trying to find data that can be encrypted. Unfortunately, this infection is really dangerous and capable of locking most of the file types regular users work with – audio and video files, text documents, pictures, and so on. The encryption process itself is really complicated, but it doesn’t take much time. Within several minutes the AES encryption algorithm will be applied to your personal files and a unique [email protected] extension will be added to the end of every encrypted file. This extension is rather odd, but it’s the same as the email address they are using for communication with victims.
Also, after the encryption you should notice a new, automatically generated HTML file called “HOWTODECRYPTFILES.html” placed on your desktop. It is a ransom note and it goes like this:
ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED
To decrypt your files you need to buy the special software – «Nemesis decryptor»
To recover data, follow the instructions!
You can find out the details/ask questions in the chat:
hxxps://qg6m5wo7h3id55ym.onion.to (not need Tor)
If the resource is not available for a long time, install and use the Tor-browser:
1. Run your Internet-browser
2. Enter or copy the address hxxps://www.torproject.org/download/download-easy.html in the address bar of your browser and press key ENTER
3. On the site will be offered to download the Tor-browser, download and install it. Run.
4. Connect with the button “Connect” (if you use the English version)
5. After connection, the usual Tor-browser window will open
6. Enter or copy the address hxxp://qg6m5wo7h3id55ym.onion in the address bar of Tor-browser and press key ENTER
7. Wait for the site to load
// If you have any problems installing or using, please visit the video tutorial hxxps://www.youtube.com/watch?v=gOgh3ABju6Q
They suggest that you use the Tor browser to reach their chat, where you can get information about the ransom and ask questions. Tor is a software designed to reach the ’deep and we highly recommend not to do that. You should not contact cyber criminals or try to pay the ransom, even if you are keen to retrieve your personal files.
We have analyzed a lot of ransomware viruses that are really similar to this one – EnybenyCrypt, HiddenBeer, SOLO ransomware and so on. They all share similar qualities and it’s never a good idea to trust cyber criminals that have developed them and pay the ransom.
How To Solve Nemesis Ransomware Problem
If you have found yourself in this inconvenient situation and it seems like there is no easy way out, here’s what you should do. The first thing you need to do is to completely eliminate Nemesis virus from your computer. Why? Because if you successfully recover the encrypted files while the virus is still on the system, it will automatically encrypt them all over again, and this won’t stop until the virus is removed. It can be a really complicated task to do this manually, so you should scan the computer with Spyhunter. This anti-malware software should be able to detect and automatically remove all malicious files that are associated with Nemesis.
Now, if you have successfully removed the virus itself, try to recover your files by performing the system restore. However, it’s only possible if you have a valid copy of your hard drive that was made before the infection and was not corrupted by the virus. If this is not possible, you can use a ’free to get a hold of your personal files once again.
How to recover Nemesis Virus encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
For Windows 7 / Vista / XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
For Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the window that appears.
- Select one of the Restore Points created before Nemesis Virus infiltrated your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of Nemesis Virus
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Nemesis Virus. You can check other tools here.
Step 3. Restore Nemesis Virus affected files using Shadow Volume Copies
If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Nemesis Virus tries to delete all Shadow Volume Copies, so this method may not work on all computers. However, the virus may fail to delete them. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
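Before relying on Step 3, it helps to know whether any snapshot survived and whether it is older than the encryption. The following PowerShell script is an added example, not part of the original article or of any tool it mentions: it uses the creation time of the earliest HOWTODECRYPTFILES.html note as an estimate of when encryption started and flags the shadow copies created before that. The search root is an assumption; adjust it to the affected profile or drive.

```powershell
# Added example: find Volume Shadow Copies that predate the ransom note.
# Run from an elevated PowerShell prompt. $SearchRoot is an assumed default.
param(
    [string]$SearchRoot = "$env:SystemDrive\Users",
    [string]$NoteName   = 'HOWTODECRYPTFILES.html'   # ransom note name given in this article
)

# 1. The earliest ransom note approximates when encryption began.
#    File timestamps can be altered, so treat this as an estimate only.
$notes = Get-ChildItem -Path $SearchRoot -Filter $NoteName -File -Recurse -Force `
             -ErrorAction SilentlyContinue
if (-not $notes) {
    Write-Warning "No $NoteName found under $SearchRoot; cannot estimate infection time."
    return
}
$firstNote  = $notes | Sort-Object CreationTime | Select-Object -First 1
$infectedAt = $firstNote.CreationTime
"Earliest ransom note: {0} (created {1})" -f $firstNote.FullName, $infectedAt

# 2. Enumerate the snapshots that still exist on this machine.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop)
if ($shadows.Count -eq 0) {
    Write-Warning 'No shadow copies remain; Step 3 will not work on this machine.'
    return
}

# 3. Mark each snapshot as older or newer than the estimated infection time.
$report = $shadows | Sort-Object InstallDate | ForEach-Object {
    [pscustomobject]@{
        Created      = $_.InstallDate
        Volume       = $_.VolumeName
        DeviceObject = $_.DeviceObject
        PredatesNote = ($_.InstallDate -lt $infectedAt)
    }
}
$report | Format-Table -AutoSize

# 4. Summarize: only snapshots older than the note can hold unencrypted copies.
$usable = @($report | Where-Object PredatesNote)
if ($usable.Count -eq 0) {
    Write-Warning 'All remaining snapshots were created after the ransom note appeared.'
} else {
    "{0} snapshot(s) predate the ransom note; newest usable one: {1}" -f `
        $usable.Count, ($usable | Select-Object -Last 1).Created
}
```

Snapshots marked PredatesNote = True are the ones worth browsing with Previous Versions or Shadow Explorer; later snapshots are likely to contain the already encrypted files.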
Step 4. Use Data Recovery programs to recover Nemesis Virus encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
- We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC though.
- Download a data recovery program.
- Install and scan for recently deleted files.