NinjaLoc Ransomware - How to remove

NinjaLoc is not a copy of other ransomware viruses. Usually, notorious ransomware infections set the tone for the upcoming viruses and other developers just use a base of code that already was proven to be efficient in infecting computers and luring money from innocent users. That’s how ransomware families like Hidden Tear, Scarab or Petya was formed.

In this case, NinjaLoc uses a unique code that was never seen before. We also know that this infection fakes to employ strong ’AES to do their job and encrypt files on infected systems, however, they can’t actually do that. That can be really irritating, especially if you have some really important personal files and you think that you won’t be able to use them anymore.

Luckily, there are some alternative methods that can be helpful in restoring locked files, so you can actually avoid paying the ransom. And in this case, you won’t even have to do that because they are not actually encrypted. Also, we will provide you with detailed instructions on how to remove NinjaLoc virus completely just in several minutes, so please stay with us.

How NinjaLoc Ransomware Locks Files

So you probably are already familiar with the way ransomware viruses are operating. First of all, they get infiltrated into the computer and then they scan the hard drive for files that can be locked. After that is done, they immediately start encrypting those files and that’s a crucial point of the operation of infections like this. We have seen ransomware viruses like Ryuk, FOX, and ShutUpAndDance – they all operate using the same scheme.

By using strong encryption and unique extension, they are able to lock those files and gain the advantage, because only they can easily unlock them and solve problems. Then, cyber criminals take advantage of such a situation and start threatening users. They require to pay the ransom in an exchange of decryption tool that would solve this problem. Also, they often employ some kind of scare technique – for instance, they can threaten that those locked files will be permanently deleted if you fail to pay the ransom in several days, or that they will raise the price after some period of time.

It’s easy to understand that users get scared and simply pay the ransom, even though sometimes they are asking for a ridiculous amount of money. If you didn’t pay the ransom the ransom yet, you are in a good place – we will help you to solve this problem in the other way.

It is not possible not to notice that your computer was hit by NinjaLoc infection, because they change the screen saver and lock the screen. They also display a ransom message right on the locked screen, as well as on a file “HowtoDecryptYourfiles.txt” that is dropped on the desktop and it goes like this:

Opps All of your files have been encrypted!
JUST ENCRYPTED YOUR FILES!
[What Happened to my files!] My Bitcoin Address
[1MxjjTN6hVJGJtVkLzPat1FCzb1YKdgaup] [Copy Address!] DON’T WASTE YOUR TIME ON INTERNET SEARCHING FOR SOLUTION NIGGA!
NOTE: IF YOU TRY TO REMOVE THIS RANSOMWARE YOU WILL LOSE YOUR ALL FILES INSTANTLY!
Enter Key To Decrypt!
[…] Start Decrypting

 

Why NinjaLoc Is Not That Dangerous

We have some good news for you – even if your computer is infected with NinjaLoc virus, it is not as dangerous as it would be with extremely powerful ransomware like CryptoLocker or TeslaCrypt. It seems like this infection is just a test or a different approach to gathering personal data of the user.

In-depth analysis of this virus revealed, that they do not have the technology to actually encrypt files on the infected computer, so NinjaLoc belongs to the sub-category of malware which is called scareware. They are simply trying to scam you by using this virus and/or gather some of your personal data without even bothering to create actual ransomware that works.

However, you should not be happy just because your files are not encrypted. This virus can receive an update that will be capable of encrypting files, and since it is on your system, the update can be downloaded automatically. Eventually, there are two things you need to do in this situation:

• Remove NinjaLoc from your computer as soon as possible;
• Increase overall security level of your system to ensure that this won’t happen ever again.

How NinjaLoc Is Infiltrated

There are several of the most common methods that are used to distribute various malware, but in this particular case, it seems like NinjaLoc comes together with installers of free software. This way unsuspecting users download malicious files to their computers alongside other legitimate software.

Also, ’malspam’ campaigns can be launched and you can receive those dangerous files attached to the letter. That’s why we suggest not to open emails from Spam folders.

Regardless of the way it came to your computer, there is free software on the market that can protect your system from those infections. You can use Plumbytes or Malware Fighter for this task. Actually, we especially recommend giving a try to IObit Malware Fighter as it features a special function dedicated to fighting ransomware. Even if malicious files manage to get inside of the computer, Malware Fighter will block any unauthorized access to make changes to the files, so no ransomware will be ever able to encrypt your personal data.

Removal of NinjaLoc Virus

Since it is more of a scareware than actual ransomware infection, it is enough to remove NinjaLoc and all malicious files that are associated with it to restore normal order of your system. Unfortunately, it can be a difficult task to do manually because you might be not able to locate and successfully remove all of the files by yourself.

That’s why we have a special set of tools for you. You will need either Spyhunter. Those are anti-malware tools that can automatically detect and kill malicious processes, as well as completely remove viruses. Also, there are instructions below this article – take a look at it. They describe what actions you should take step-by-step and how to operate those tools, so that will be easier for you to complete this task.

Automatic Malware removal tools

How to recover NinjaLoc Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before NinjaLoc Ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of NinjaLoc Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to NinjaLoc Ransomware. You can check other tools here.  

Step 3. Restore NinjaLoc Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually NinjaLoc Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover NinjaLoc Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.