Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


N1N1N1 Virus Remove and Restore .n1n1n1 Files

ransomware-on-focus-sensorstechforumA ransomware virus going by the name N1N1N1 has been reported to use a very stron encryption algorithm to encode the files of unsuspecting users. The virus leaves behind the .n1n1n1 file extension to every file it has encrypted along with ransom instructions, name “how return files” in .txt and .html document. In those instructions the victim is notified that the files can no longer be opened by this ransomware and is asked to make a ransom payoff of 1.5 BTC to get the files back. Everyone who has become victims of the N1N1N1 crypto-virus is strongly advised to follow the instructions in this article to remove this malware and use alternative methods to try and restore encrypted files instead of paying the ransom.

Threat Summary

Name

N1N1N1

Type Ransomware
Short Description The malware encrypts users files using a strong RSA encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms The user may witness ransom notes and “instructions” and a sound message all linking to a web page and a decryptor. Changed file names and the file-extension .n1n1n1 has been used.
Distribution Method Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by N1N1N1

Download

Malware Removal Tool

User Experience Join our forum to Discuss N1N1N1 Ransomware.

N1N1N1 Ransomware – Spread

In order to be widespread and infect the maximum amount of victims, N1N1N1 may spread via Exploit kits, JavaScript and even other malware that may currently be residing on the victims computers. The N1N1N1 virus also may use malicious spam campaigns that distribute it’s payload as an e-mail attachment or via a malicious URL that may be placed along a convincing message, motivating the user to click on it. Not only this, but the N1N1N1 ransomware might also infect via malicious web links that may be sent out on various Social Media websites, like Facebook, Twitter and others. Those web links may cause a browser redirect and an infection via a drive by download. To cause a successful infection and slip by any antivirus software and firewalls the N1N1N1 virus may also use malware obfuscators that make it appear as if it is a legitimate application. If it attacks via an exploit kit, this virus takes advantage of an Exploit in Windows, which means that the cyber-criminals behind the N1N1N1 threat may have invested a lot of funds in such software.

N1N1N1 Ransomware – What Does It Do

As soon as it has infected your computer, the N1N1N1 virus may drop several types of malicious files on your computer:

.exe, .dll, .bat, .vbs, .tmp,

The malicious files may be programmed to perform various activities such as changing he wallpaper of the infected computer, changing settings in the registry, connect to the cyber-crooks server and most importantly encrypt the files in it. They may be located in the following folders under different, usually random names:

%AppData%
%Roaming%
%Local%
%SystemDrive%
%Windows%

After having created the malicious files, the N1N1N1 virus may run it’s primary executable which encrypts the files on the compromised computer. The virus may also heavily modify the Windows Registry Editor to make the encryptor run again and again every time you start Windows.

The file types that N1N1N1 is looking for to encrypt are many, but they are primarily associated with often used files, such as:

  • Documents.
  • Audio files.
  • Image files.
  • Database Files.
  • Files associated with programs, like Photoshop, etc.

The N1N1N1 virus also cleverly skips the encryption of files that may pose a direct threat to the operating system and cause it to disfunction.

After having encrypted your files, the N1N1N1 ransomware leaves them with it’s distinctive .n1n1n1 file extension, for example:

29823d8hh23.n1n1n1

The files can no longer be opened since their code structure is no longer the same.

After encrypting the files on a compromised machine, the N1N1N1 malware drops two files in each folder with encrypted files:

how-return-files-files-txt-html-sensorstechforum

The ransom notes have the following ransom message:

“If you don’t speak english then use public online translators https://translate.google.com or https://www.bing.com/Translator or https://www.translate.com .
Your files encrypted.
To decrypt and return control to all your encrypted files you need :
1) Go to https://www.torproject.org/download/download-easy.html.en . Download Tor browser for windows.
If you can’t open this page then go to https://www.torproject.org and click on button Download.
It will redirect you to page where you can find “Tor Browser for Windows”. Download it.
If you still can’t download or run tor browser then download, unpack and run the most stable tor browser version here:
https://docs.google.com/uc?id=0B7IelRsUOVDAMjF3M3VySjFFbFE&export=download
2) Install it and run it.
3) Type in the address bar www.hs5br44fuvaazn72.onion/start.php and open our secret website.
4) Secret website will ask you to input your public key.
5) Enter your public key and follow the instructions.
Your public key:
If you have any problems while downloading or installing tor browser or opening secret tor site then
if you have antivirus then remove or disable it (antivirus can prohibit open tor browser) or try use other computer.
Don’t forget that you can browse www.youtube.com and search videos with tor browser installation process.
If you still can’t open this secret page then
1) Go to https://mail.google.com (use your usual browser: (firefox, google chrome, …)
2) If you don’t have …@gmail account then sign up. You will get google (gmail) account.
3) Compose letter and send it to strongonion@sigaint.org
In letter you need type us your public key (see public key above).
4) Soon (in 1 or 2 days), we will send you instructions what you need to do to decrypt your files.
Small remark:
You can compose and send letter using other mail provider (…@aol.com …@yahoo.com or other)
but we DON’T RECOMMEND you to do it because we are not sure that we will receive your letter!”

The HTML document leads to the primary web page where the user can enter the decryption key after paying the ransom amount. After paying the user is provided with a decrypter and a master key to decode his files.

tor-page-ransomware-n1n1n1-sensorstechforum

Remove N1N1N1 Ransomware and Decrypt .n1n1n1 Files

Before trying to restore the encrypted files, it is strongly advisable to get rid of this virus from your computer. You can follow the instructions below to remove N1N1N1 ransomware effectively, but it is also possible to remove it via an advanced anti-malware program automatically, swiftly and effectively.

The encryption algorithm used by the N1N1N1 ransomware is believed to be RSA cipher which generates a unique private and public keys after every infection. Direct decryption may be a time costly process and this is why researchers recommend not to pay any type of ransom money to cyber-criminals and to seek alternative solutions to decode the files, while a free decrypter is released out to the public. This is why we strongly advise using the alternative file restoration methods below in step “3. Restore files encrypted by N1N1N1” to help recover at least some of your files while a free decryptor is released which can happen in the near future. Make sure to often check this article as we will update it as soon as a free decryption method is discovered.

Manually delete N1N1N1 from your computer

Note! Substantial notification about the N1N1N1 threat: Manual removal of N1N1N1 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove N1N1N1 files and objects.
2. Find malicious files created by N1N1N1 on your PC.
3. Fix registry entries created by N1N1N1 on your PC.

Automatically remove N1N1N1 by downloading an advanced anti-malware program

1. Remove N1N1N1 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by N1N1N1 in the future
3. Restore files encrypted by N1N1N1
Optional: Using Alternative Anti-Malware Tools

How to Find Decryption Key for Files Encrypted By N1N1N1 Ransomware

We have designed to make a tutorial which is as simple as possible to theoretically explain how could you detect your decryption key. Find out how

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.