Npsg File Extension Virus - How to remove

Npsg is a Windows file-encrypting malware that was created by cybercriminals for an extortion scheme. Npsg is a new incarnation of Djvu ransomware, a globe-spanning malware family. It locks your files and installs spyware, so it’s important to clean your computer as soon as possible. As for restoring the locked files, there is no easy way (unless you had backups), but there are some options that may yield results.

In short about Npsg ransomware:

  • How to fix Npsg files: restore from a backup, restore deleted files, fix corrupted files, wait for a free decrypter.
  • How Npsg spreads: with pirated software.
  • How to avoid ransomware: don’t pirate, scan every downloaded file, always have file backups.
  • How to delete Npsg: unblock security websites, use an antivirus scanner (SpyHunter, etc.), delete related files, change passwords.

How to restore Npsg files

Alternative methods

After an Npsg attack, the burning question is usually “can I get my files back”, but there’s no definitive answer.

Deleting Npsg and the files that downloaded it stops it from continuing to encrypt more files, but it does nothing to fix the already-encrypted .npsg files.

You could restore your files from a backup, but not everyone has file backups. If you don’t, you should set something up in the future. It doesn't have to be expensive or complicated.

Npsg deletes backups stored on the computer that it infects, so things like that probably can’t be used. Although, if your storage device is a hard disk, maybe you can get something out of it with a data recovery program. These programs can restore deleted files if they haven’t yet been overwritten. You can expect the best results if you haven’t used the computer at all since the event.

Some of the files that Npsg locked may be only partially corrupted, such as some songs and pictures. Npsg saves time by only breaking small sections of big files. If you have any large archives, like Zip files, you can probably recover some of the archived files by removing “.npsg” from the file name and simply opening the archive. The first few files of the archive will be broken, but the next ones should be fine.
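The archive recovery described above can be scripted instead of opening members one by one. This added example (not from the original article) uses Python's standard zipfile module on a copy of the renamed archive and sorts members into readable and damaged; the sample archive and its 9000 overwritten bytes are constructed for the demonstration.

```python
import io
import zipfile
import zlib


def salvage_zip(archive):
    """Read every member of a Zip file that still passes its CRC check.

    `archive` is a path or file object for a COPY of the archive with the
    ".npsg" suffix removed. Returns (recovered, damaged): a dict mapping
    member name to its bytes, and a list of names that could not be read.
    """
    recovered, damaged = {}, []
    # The central directory sits at the end of a Zip file, so the member
    # list survives when only the start of the file was overwritten.
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            try:
                # read() re-parses the local header and verifies the CRC-32.
                recovered[info.filename] = zf.read(info)
            except (zipfile.BadZipFile, zlib.error, EOFError,
                    NotImplementedError):
                damaged.append(info.filename)
    return recovered, damaged


def make_damaged_sample(broken_bytes=9000):
    """Constructed sample: a 5-member archive whose first bytes are junk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for i in range(5):
            zf.writestr(f"file{i}.txt", f"contents {i}\n" * 400)
    data = bytearray(buf.getvalue())
    # Stand-in for the overwritten region at the start of the file.
    data[:broken_bytes] = b"\xaa" * broken_bytes
    return io.BytesIO(bytes(data))


if __name__ == "__main__":
    good, bad = salvage_zip(make_damaged_sample())
    print("recovered:", sorted(good))
    print("damaged:  ", bad)
```

The function only reads the archive, so the encrypted original stays byte-for-byte unchanged for a later decryption attempt.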

Also, the extortionists behind Npsg offer to decrypt one file for free to prove that they can. It’s not advised to contact them and certainly not to reveal any personal information about yourself, but if you’re careful, you might be able to get at least one file back.

Npsg ransom note starts with "Attention!" and ends with your personal ID.

Free decryption

The .npsg files are not dangerous and you can move them and keep them without any danger. But remember that if you edit those files, they won’t be decrypted; even the smallest changes can mess up the math. So, always make backups of the Npsg-locked files before you try to edit them in any way.

There is no free universal decrypter for .npsg files. And there won’t be one, unless Npsg’s authors are caught by law enforcement. There is the Emsisoft decrypter for Djvu which works on Npsg, but only if you have the decryption key. And the only way for you to get your decryption key for free is if someone else pays for it.

Each decryption key is unique to each victim with one exception – the offline key. This key is used if Npsg can’t get a connection to its control server. To see if the offline key was used on any of your files, check your IDs that Npsg generated (C:\SystemID\PersonalID.txt). If one of them ends with “t1”, you’re in luck (at least, that used to be the case with the previous Djvu versions, including Btos, Nosu, and Kodc). If the offline key for Npsg is recovered, Emsisoft will make it available and their decrypter will work on the files that were encrypted offline.

How Npsg infects computers

Npsg gets downloaded from pirating sites. As pirating is popular all over the world, so is Djvu ransomware. Free software, “unlocked” programs, cracks, and other illegally modified programs are shared after being infected with Npsg. Even trusted community members can start sharing malware, as they’re probably paid pretty well for that.

Scanning the installer with an antivirus program could have helped, but Npsg just came out a few days ago, and not all antivirus programs recognize it so early.

If Npsg infects your computer, it deletes backups, installs a password stealer, and then downloads the unique encryption key. Then it starts encrypting your files, which doesn’t take very long at all. It changes the names of those files to include the second extension “.npsg” and if your Windows doesn’t show file extensions, you can enable that in File Explorer.

Npsg creates a few ransom notes and litters your computer with them. They’re called _readme.txt and they include the email addresses of the extortionists ([email protected], [email protected]) and the ransom demands ($490 or $980, depending on how long you wait). The ransom note starts like this:


Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.

How to get rid of Npsg

An antivirus scanner like SpyHunter should have no problems removing Npsg and the other malware. Make sure to delete the file that infected you with Npsg in the first place and be careful with where you got it from.

Also, you might need to change your passwords to avoid having your accounts hacked. Or at least make sure that 2-step verification is on for every important account.

Important -- edit the hosts file to unblock security websites

TL;DR: The hosts file is edited to block security sites.

Before the virus can be removed, it's necessary to fix the hosts file (the file that controls which addresses connect to which IPs). That is the reason most security websites are inaccessible when the computer is infected with this particular parasite. This infection edits the file to stop certain websites, including anti-malware download sites, from being accessed from the infected computer, making browsers return the "This site can't be reached" error. Luckily, it's trivial to fix the file and remove the edits that were made to it.

Find and edit the hosts file

The hosts file can be found at C:/Windows/System32/Drivers/etc/hosts. If you don't see it, change the settings to show hidden files.
  1. In the Start Menu, search for Control Panel.
  2. In the Control Panel, find Appearance and Personalization.
  3. Select Folder Options.
  4. Open the View tab.
  5. Open Advanced settings.
  6. Select "Show hidden files...".
  7. Select OK.
Open this file with administrator privileges.
  1. Open the Start Menu and enter "notepad".
  2. When Notepad shows up in the result, right-click on it.
  3. In the menu, choose "Run as administrator"
  4. File->Open and browse for the hosts file.
The hosts file should contain only its default contents. Delete the additional lines that connect various domain names to the wrong IP address. Save the file.
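An added example (not part of the original guide) that lists the hosts entries to delete and builds the cleaned text. It assumes that only comments and localhost loopback mappings belong in the file, so review the list before removing legitimate custom entries; the sample text and the .example domains are constructed.

```python
import ipaddress

# Constructed sample of an altered hosts file (domains are placeholders).
SAMPLE = """\
# Constructed sample of an altered hosts file
#   127.0.0.1   localhost
127.0.0.1 localhost
127.0.0.1 av-vendor.example www.av-vendor.example
10.0.0.5 removal-guides.example  # redirected
"""


def parse_entry(line):
    """Return (ip, [hostnames]) for an active mapping line, else None."""
    fields = line.split("#", 1)[0].split()  # drop comments, split on blanks
    if len(fields) < 2:
        return None
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return None  # not a valid mapping; left untouched
    return ip, [name.lower() for name in fields[1:]]


def audit_hosts(text):
    """Split hosts text into (kept_lines, suspicious_entries)."""
    kept, suspicious = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = parse_entry(line)
        if entry is None:
            kept.append(line)
            continue
        ip, names = entry
        # Assumption: only "localhost" on a loopback address is expected.
        # A security site pointed at 127.0.0.1 is blocked, not safe.
        if ip.is_loopback and all(n == "localhost" for n in names):
            kept.append(line)
        else:
            suspicious.append((lineno, str(ip), names))
    return kept, suspicious


if __name__ == "__main__":
    kept, suspicious = audit_hosts(SAMPLE)
    for lineno, ip, names in suspicious:
        print(f"line {lineno}: {', '.join(names)} -> {ip}")
    print("\n".join(kept))
```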

Download and run the antivirus program

After that, download antivirus programs and use them to remove the ransomware, the trojan, and other malware. Spyhunter (


How to recover Npsg File Extension Virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start->Shutdown->Restart->OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot->Advanced Options->Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that are available from before Npsg infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Npsg File Extension Virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Npsg.

Step 3. Restore Npsg File Extension Virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Npsg tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions
Right-click on an encrypted file and select the Properties->Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Npsg File Extension Virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.