NullByte ransomware - How to remove

NullByte ransomware

A new variant of a crypto-ransomware virus has caught our attention. At first, people though that this infection was somehow associated with the Cerber virus. However, some suggest that this assumption is wrong and that this is a completely new encryptor. We are not doing to go great extends to prove which side is most presumably to be correct. As far as we are concerned, NullByte ransomware is a dangerous infection and people should be informed about its features. Most importantly, infected victims should have the opportunity to quickly find information, helping them get acquainted with the possible methods to decrypt their files. Even though this is a new virus, IT specialists have discovered a way to help victims get out of this mess without having to pay the demanded ransom.

About NullByte Ransomware

At first, an infection with NullByte virus can be completely unnoticeable. Before actually revealing its existence in your device, it attempts to be invisible and to not attract any unnecessary attention. That is why ransomware viruses usually have executables that resemble random files, left behind after an update or another process. Many folders can host such files and you are most probably not going to notice. In this case, IT specialists have indicated that NullByte virus is spread with a program called Necrobot. This is a free Pokemon GO Bot, giving a possibility for users to enjoy catching pokemons, humanlike walking and etc. More specifically, the program will be called Necrobot.Rebuilt and it will require that users reveal their accounts’ credentials. This information will be stored in a FTP server. Like we said, you will have no idea that the NullByte virus is actually making its way for a successful encryption. After it finds a necessary amount of files to encrypt, it utilizes a strong algorithm for encryption and makes files completely inoperative. Users won’t be able to run them and it does not matter how many times they will try. Encrypted data will be marked with an extension _nullByte which will indicate that this piece of data is encoded with AES encoding. The content of letter of demands (which will be displayed in the background picture) is the following:

“All of your personal files have been encrypted. In short meaning you cannot ever access them again without a passwords. The only way you can retrieve your personal information is to buy the decryption key from us, using bitcoins for both your security and our safety.
You may choose the vendor of your choice for bitcoins. You can use either our QR code or wallet address. If you are unfamiliar with BitCoins, and how they work; we suggest you watch a youtube video for more details.
The price for you to receive your password is currently set for 0.1 BTC (USD 57.6) and it can be sent to the address to the right or the QR code can be scanned with your smartphone using any bitcoin wallet application.
Some of the more popular and easy to use Bitcoins apps are: Coinbase, CircleApp and Airbitz. They have many good user reviews and guides.
Once you have transferred the bitcoins to our wallet address, you may contact us using the form on your right.
Please be sure that you did not misspell your email or your bitcoin wallet address or otherwise your transfer will not show up in our system. Decryption key request is generally processed in 1 hour. The decryption itself, with the key, only takes a few mins.
We would also like to apologize for the inconvenience this may have cost you.

How to Decrypt Files Encrypted by NullByte Ransomware?

IT specialists, in a surprisingly short amount of time, managed to find a way to decrypt files, ruined by NullByte virus. You can download a tool for decryption from the Internet and proceed with the revival of your data. However, for the sake of this procedure being successful, infected victims have to have a full path to the user profile that was infected. For the future, make sure that your files would be stored in backup storages: you can retrieve your files from these facilities anytime you want. Creating copies and placing them in USB flash drives is also a good decision, but make sure not to keep this drive plugged into your device at all times. Ransomware viruses sometimes are able to decrypt even that data, which is available from an inserted USB. On the last note, we remind never to pay the demanded ransom. Even if NullByte virus demands a nominal fee, paying would still be a waste of 0.1 BTC (57.6 US dollars).

How is NullByte Ransomware Distributed?

As we have mentioned, NullByte virus has been recognized to travel with the Necrobot.Rebuilt program. If you notice a pop-up, email or other content, offering to install exactly this application, make sure to not to actually do it. IT specialists indicate that people should be extremely cautious while browsing online: a lot of the material can be laden with malware and other viruses. We offer you to recognize a perfect opportunity to not only eliminate NullByte ransomware, but also all of the potentially harmful programs. Install Spyhunter or Hitman and forget about ever worrying about your personal information and safety. If you have any questions, regarding this ransomware, make sure to leave a comment below.

How to recover NullByte ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before NullByte virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of NullByte ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to NullByte virus. You can check other tools here.  

Step 3. Restore NullByte ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually NullByte virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover NullByte ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Removal guides in other languages

Leave a Reply

Your email address will not be published. Required fields are marked *