Nosu Ransomware - How to remove

Nosu encrypts user files and then asks for a ransom. Encrypted files are unopenable and unusable – pictures don’t open, text files are filled with random characters, and half of the archived files get corrupted. Nosu’s makers, the extortionists, ask for money in exchange for fixing the files, but not everyone can afford to throw out $980 – not to mention that paying would reward criminals for their crimes. Luckily, there are a few possibilities for getting your files back, as well as options to get rid of Nosu without reinstalling your Windows.

In short about Nosu ransomware:

Classification Ransomware.
Identification Extension – “.nosu”,

email addresses – [email protected], [email protected],

family – Djvu,

VirusTotal link.

Restoring your files Use backups,

use data recovery, shadow volume copies, etc.,

use the free decrypter.

Removing Nosu Scan your computer with an anti-malware program (like SpyHunter),

install security updates,

change your passwords.

Nosu symptoms

If Nosu encrypted your files, it also appends “.nosu” to the ends of their names. Windows displays NOSU as the file type of those files. But even without the strange ew extension, the files are broken and most can’t be opened. You might still be able to play some videos and audio recordings, but they’ll be missing some content at the beginning and end.

Nosu creates files called _readme.txt and litters your folders with it. The files are all the same – asking you for money and giving the email addresses of the extortionists, [email protected] and [email protected]

You might notice that your computer refuses to open certain websites. If that’s true, Nosu blocked some websites on your computer – to stop you from looking up Nosu and finding information on how to deal with it.

Plus, Nosu might download the Azorult spyware on your computer. This spyware steals passwords, including saved passwords, takes screenshots of your screen, and ca download more malware. If your computer starts showing pop-ups and redirecting your browser, that might be Nosu and Azorult’s fault.

How to fix the files?

Nosu uses encryption to lock your files. All the files marked with the “.nosu” extension are encrypted and can only be decrypted with the correct and unique to you decryption key.

If you have file backups, just delete Nosu off of your computer and replace the encrypted files with the ones from your backup. If you don’t have backups, you can wait for the offline decryption key.

If Nosu works like the other ransomware infections from this family, like Kodc, Redl, and Nbes, then there should be a file called C:\SystemID\PersonalID.txt on your computer. If any IDs on it end with “t1”, that could indicate that the offline key was used – the only key shared among multiple victims of Nosu. Nosu uses it when it can’t download a unique key. If this affects you, download Esisoft's decrypter for Djvu and wait and hope for Nosu’s offline key to be obtained.

Lastly, there are ways to restore lost data using shadow volume copies (if Nosu hasn’t deleted them), data recovery software (if you use a hard disk), and other options – they are listed at the bottom of this article. They’re not 100% effective, but still worth trying.

Just in case, if you have Nosu-encrypted files that you want to get back but can’t, just keep them for now. Don’t change or edit them in any way. Who knows, maybe Nosu’s makers will be caught by law enforcement and the decryption keys – released. It’s unlikely, though.

Nosu ransom note is the same for each victim.

How to avoid ransomware infections?

Nosu spreads in piracy sites. It uploaded there as unlocked installers, activators, and various “free” files and programs. Some victims of Nosu are embarrassed to admit how they got infected, but only talking honestly about it is how more people can learn to be more careful and safer.

Nosu is part of the Djvu family, which affects victims all over the world through illegal downloads. Piracy is dangerous and a great medium for malware to spread. But it’s not practical to ask people to completely stop pirating. For some people, pirating is the only practical way to download stuff because of availability or price. So, what else can you do?

Make copies of your most important files and put them on a separate device. Or use cloud storage. A backup is only secure if your software can’t access it. If you put backups on an external drive, do not keep it connected longer than necessary so that malware won’t infect it.

Other ways that ransomware (not Nosu) spreads include:

  • Phishing emails – like fake “documents from work”, bills, invoices, and other email attachments and links. These are done in convoluted ways, for example, you’re asked to open a document, allow macros, and then double-click an object to see your document. Stay away from such emails.
  • Hacked remote desktop access. Weak password and username, RDP being exposed to the internet, will cause criminals to try and access your computer sooner or later.
  • Malicious ads. Windows, browsers and media players that are missing security updates make your computer vulnerable to malicious scripts that can automatically download and execute malware.

How to get rid of Nosu

It’s important to remove Nosu ransomware and to delete the file that downloaded Nosu in the first place: whether it was a fake movie download, an unlocked program, a cracking tool, or whatever else, it should be removed. It’s not necessary to reinstall your Windows, as most reliable anti-malware programs (such as SpyHunter) can get rid of Nosu with no problems. The encrypted files aren’t dangerous and don’t need to be removed.

Remember that Azoorult, if it’s on your device, also must be removed. And you may want to change your passwords afterward.

Before all this, though, you might need to unblock cybersecurity websites that Nosu blocked.

Important -- edit the hosts file to unblock security websites

TL DR : The hosts file is edited to block security sites Before the virus can be removed, it's necessary to fix the hosts file (the file which controls which addresses connect to which IPs). That is the reason the majority of security websites is inaccessible when infected with this particular parasite. This infection edits this file to stop certain websites, including anti-malware download sites, from being accessed from the infected computer, making browsers return the "This site can't be reached" error. Luckily, it's trivial to fix the file and remove the edits that were made to it.

Find and edit the hosts file

The hosts file can be found on C:/Windows/System32/Drivers/etc/hosts. If you don't see it, change the settings to see hidden files.
  1. In the Start Menu, search for Control Panel.
  2. In the Control Panel, find Appearance and Personalization.
  3. Select Folder Options.
  4. Open the View tab.
  5. Open Advanced settings.
  6. Select "Show hidden files...".
  7. Select OK.
Open this file with administrator privileges. notepad run as administrator
  1. Open the Start Menu and enter "notepad".
  2. When Notepad shows up in the result, right-click on it.
  3. In the menu, choose "Run as administrator"
  4. File->Open and browse for the hosts file.
The hosts file should look like this: hosts file default contents Delete additional lines that they connect various domain names to the wrong IP address. Save the file.

Download and run the antivirus program

After that, download antivirus programs and use them to remove the ransomware, the trojan, and other malware. Spyhunter (

Automatic Malware removal tools

Download Spyhunter for Malware detection

Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,

Download Combo Cleaner for Malware detection

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,

How to recover Nosu Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Nosu Ransomware has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of Nosu Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Nosu Ransomware. You can check other tools here.  

Step 3. Restore Nosu Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Nosu Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Nosu Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
Leave a Reply

Your email address will not be published. Required fields are marked *