Noos Ransomware - How to remove

Noos is a ransomware infection. If Noos infects your computer, it locks your files and then demands money from you — you’re told that paying is the only way to get the files back. Noos is part of the Djvu ransomware family.

Noos characteristics

This ransomware is named after the extension that is used to mark the encrypted files — “.noos”. Beyond that, the files are encrypted, which means that their internal contents were mathematically obscured (at least, important parts of the files were).

So, an encrypted text file might be named something like “list.txt.noos” and, if you opened the file, text would have turned into nonsensically arranged random symbols. Encryption is meant to hide data, after all.

To reverse the encryption, one needs the specific and unique decryption key. The Noos extortionists have all the decryption keys and they offer to sell you yours for a few hundred dollars. You can find this in the _readme.txt files that Noos puts in various folders on your computer. These files have a message from the same people who created the ransomware and it basically asks the [email protected] and [email protected] emails to be contacted to find out how to send them money. Don’t listen to them — they’re criminals who shouldn’t be trusted.

Noos is a virus that is meant to make money to its creators by holding your files for ransom (the files might be impossible to recover, in some cases). It might also install a password-stealer. Noos is dangerous and should be removed as soon as possible.

Characteristics	File names have the “.noos” suffix Files called _readme can be found on the infected computer Some cybersecurity websites are blocked A spyware trojan is installed
Distribution	Pirated files and programs Free programs on untrustworthy distribution sites
Remove the malware	Delete Noos ransomware using anti-malware programs (SpyHunter) Change passwords and activate 2-factor authentication
Restore the files	System restore Shadow volume copies Data recovery Wait for a free decrypter

 

There are some other symptoms, for example, the infected computer might be unable to load certain websites and the installed anti-malware program might not perform normally (because Noos might have deleted its updates). Additionally, some versions of Djvu install AZORult, a spyware program that can steal your passwords and even some files.

How to avoid ransomware

Ransomware is a real threat to many people’s data. Djvu alone has many thousands of victims, and unfortunately, the creators of Noos have got enough money from all the ransoms to continue their activity. And then remember that Noos’ Djvu is by far not the only ransomware family out there — there’s Maoloa, Dharma, GandCrab, and many others.

Backup your files. There are many ways to do it and it doesn’t have to cost a lot. Ransomware like Noos only works because a lot of people don’t have backups of their data. If a victim does, they don’t need to worry about losing their files or paying the ransom — only about removing the infection.

But it’s also good if you avoid being infected in the first place. Noos primarily spreads by being downloaded from unreliable piracy and freeware websites. The ransomware is uploaded as both programs and files. To protect yourself from accidentally downloading ransomware, find reputable sites to download from, but don’t trust anyone completely. Scan every program and file you download — do not open or run these files without scanning them first. This should also apply to files that were sent to you over email. Ransomware other than Noos spreads using malicious email spam, where infected files are attached to emails and sent out.

Updating your software is also really important. Almost every time a new threat comes out, the various anti-malware vendors have to update their program to properly warn you about it, which is why these updates are so frequent. Outdated browsers can also be abused to infect computers with ransomware, such as by using exploit kits, so try to install the newest updates. Even if Noos doesn’t spread this way, other viruses do.

How to recover the files and remove Noos

Don’t contact the extortionists. Experts advise to never pay the ransom. Not only does it not guarantee that you can return your files, but it also helps the ransomware creators continue their business. The ransom is something like $490 or 980$ for the decrypter, which is a ridiculously high price for most of the victims, who include schoolchildren, elders, and everyone inbetween. But even if you are willing to spend the money, the extortionists don’t always send the decryption software.

Unfortunately, Noos files don’t have a free decrypter available at the moment, though there are a few ransomware researchers that are looking into Djvu. For now, there are some ways to restore lost data, such as by using data recovery software, but they’re not guaranteed to work, either. Your best bet is restoring your files from a backup.

Update: Researchers found the offline key and released an updated decrypter, which means that some people will be able to recover some of their files .noos with it. Follow the instructions in the link.

If you must pay the ransom, don’t use the infected computer for anything important, like accessing your bank account — or at least remove all malware before that. It’s crucial to clean your computer of malware to stop repeated encryptions and to get rid of the password stealer. This is easiest to do with an anti-malware program like SpyHunter or another scanner that can be run in safe mode. It’s just that you might not be able to download it on the infected computer because Noos edits the victims’ hosts file to block some cybersecurity websites.

Important -- edit the hosts file to unblock security websites

TL DR : The hosts file is edited to block security sites Before the virus can be removed, it's necessary to fix the hosts file (the file which controls which addresses connect to which IPs). That is the reason the majority of security websites is inaccessible when infected with this particular parasite. This infection edits this file to stop certain websites, including anti-malware download sites, from being accessed from the infected computer, making browsers return the "This site can't be reached" error. Luckily, it's trivial to fix the file and remove the edits that were made to it.

Find and edit the hosts file

The hosts file can be found on C:/Windows/System32/Drivers/etc/hosts. If you don't see it, change the settings to see hidden files.

1. In the Start Menu, search for Control Panel.
2. In the Control Panel, find Appearance and Personalization.
3. Select Folder Options.
4. Open the View tab.
5. Open Advanced settings.
6. Select "Show hidden files...".
7. Select OK.

Open this file with administrator privileges.

1. Open the Start Menu and enter "notepad".
2. When Notepad shows up in the result, right-click on it.
3. In the menu, choose "Run as administrator"
4. File->Open and browse for the hosts file.

The hosts file should look like this: Delete additional lines that they connect various domain names to the wrong IP address. Save the file.

Download and run the antivirus program

After that, download antivirus programs and use them to remove the ransomware, the trojan, and other malware. Spyhunter (https://www.2-viruses.com/reviews/spyhunter/dwnld/).

Automatic Malware removal tools

How to recover Noos Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Noos has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Noos Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Noos . You can check other tools here.  

Step 3. Restore Noos Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Noos tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Noos Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.