

Decrypt Files Encrypted by Nomoneynohoney Ransomware

A ransomware virus that uses the nomoneynohoney@india.com e-mail address as a file extension and belongs to the CrySiS ransomware variants has been spotted in the wild by victims and IT support staff. The virus has also been reported to use the .xtbl file extension and to be themed on a parody video of Winnie the Pooh. Fortunately, like other CrySiS ransomware viruses, Nomoneynohoney ransomware turns out to be decryptable. To remove Nomoneynohoney ransomware and decrypt your files for free, we advise you to read this article thoroughly.

Threat Summary

Name: Nomoneynohoney
Type: Ransomware
Short Description: Part of the CrySiS ransomware variants. The malware encrypts users' files using an encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms: The user may see ransom notes and the ransomware's e-mail address in the file extensions; when contacted, that address replies with ransom payment instructions for getting the files back.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool: See If Your System Has Been Affected by Nomoneynohoney.
Data Recovery Tool: Data Recovery Pro by ParetoLogic. Notice! This product scans your drive sectors to recover lost files, and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Nomoneynohoney Ransomware – More Information

To better inform you about this variant of XTBL/Shade, also known as Nomoneynohoney ransomware, we will take you through its infection process methodically, since this will help affected users understand how they may have become unsuspecting victims and how to protect themselves in the future.

Initially, you may become infected by this .xtbl ransomware virus through one of two methods:

  • Opening a malicious web link.
  • Opening a malicious file attachment.

Such links and files may be spread in many different places: spammed e-mail messages containing either of them, spammed comments on websites, and files posted on suspicious websites as fake setups. In addition, it has been reported that CrySiS may be encountered in game cracks, keygens and other fake executable files in various forms.

After the user opens the malicious file, the Nomoneynohoney virus drops malicious files in key Windows folders, such as:

  • %Startup%
  • %AppData%
  • %Roaming%
  • %Common%
  • %Local%

As soon as this has been done, the malware deletes the shadow volume copies and other backups via commands, such as the vssadmin command run in privileged mode, without the victim noticing what is happening on the computer:

[Screenshot: shadow copy deletion command]
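A detection sketch for the shadow-copy deletion step described above, added here as an example and not taken from the original article: it scans process-creation command lines for `vssadmin delete shadows` and, going beyond the one command the article names, for three other common backup-tampering commands. The event tuples, timestamps and the `invoice.exe` parent name are constructed sample data.

```python
import re

# Constructed process-creation records (timestamp, parent image, command line),
# shaped like Windows event 4688 / Sysmon event 1 fields. Not real telemetry;
# "invoice.exe" is a hypothetical dropper name.
SAMPLE_EVENTS = [
    ("09:14:02", "explorer.exe", r"C:\Windows\System32\notepad.exe C:\Users\a\todo.txt"),
    ("09:14:40", "invoice.exe", r"C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    ("09:14:41", "svchost.exe", r"vssadmin list shadows"),  # benign: only lists copies
    ("09:14:43", "invoice.exe", r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete'),
    ("09:14:44", "cmd.exe", r"wbadmin delete catalog -quiet"),
    ("09:14:45", "cmd.exe", r"bcdedit /set {default} recoveryenabled No"),
]

# One rule per backup-tampering command; matched case-insensitively.
RULES = [
    ("vssadmin-delete-shadows", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("wmic-shadowcopy-delete", r"\bwmic(\.exe)?\s+.*\bshadowcopy\b.*\bdelete\b"),
    ("wbadmin-delete-catalog", r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    ("bcdedit-disable-recovery", r"\bbcdedit(\.exe)?\s+.*\brecoveryenabled\s+no\b"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]


def normalize(cmdline):
    """Drop double quotes and collapse whitespace so matching ignores layout."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip()


def find_backup_tampering(events):
    """Return (timestamp, parent, rule_name) for each command line that matches."""
    hits = []
    for ts, parent, cmdline in events:
        text = normalize(cmdline)
        hits.extend((ts, parent, name) for name, rx in COMPILED if rx.search(text))
    return hits


def group_by_parent(hits):
    """Group rule names by parent process, the first thing to triage."""
    grouped = {}
    for _, parent, name in hits:
        grouped.setdefault(parent, []).append(name)
    return grouped


if __name__ == "__main__":
    found = find_backup_tampering(SAMPLE_EVENTS)
    for ts, parent, name in found:
        print(f"{ts} parent={parent} rule={name}")
    print(group_by_parent(found))
```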

After they are deleted, the Nomoneynohoney virus encrypts the files on the affected computer. It may scan for and encrypt the most commonly used file types, like the following:

  • File extensions related to videos.
  • Image file types.
  • Audio files.
  • Document type of files (Microsoft Office, Adobe)
  • Database type of files and virtual drives.

After this has been performed, the virus leaves the files in the following state:

[Screenshot: files encrypted by Nomoneynohoney ransomware]

It is widely believed that the ransomware virus may originate from Russia, because of the parody it uses from the Russian viral video “no money no honey”.

Remove Nomoneynohoney and Decrypt Your Files

To completely remove the Nomoneynohoney virus, we urge you to follow our removal instructions below. If you lack professional malware removal experience, it is also recommended to use an advanced anti-malware program, which will automatically and swiftly take care of the Nomoneynohoney virus.

Fortunately, there is a decryptor for the files encrypted by Nomoneynohoney ransomware, and we have created instructions for it. Bear in mind, however, that you should consider yourself lucky to have been infected with this particular virus, because most ransomware viruses are non-decryptable. This is why we advise you to check our protection tips on ransomware.

After removing the virus, please follow the instructions in the article in the red box below to successfully decrypt the files encrypted by Nomoneynohoney ransomware:

Decrypt Files Encrypted by Shade .Xtbl Ransomware

Manually delete Nomoneynohoney from your computer

Note! Important notice about the Nomoneynohoney threat: manual removal of Nomoneynohoney requires interference with system files and registries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Nomoneynohoney files and objects
2. Find malicious files created by Nomoneynohoney on your PC

Automatically remove Nomoneynohoney by downloading an advanced anti-malware program

1. Remove Nomoneynohoney with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Nomoneynohoney
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic education of every user towards online safety.
