Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Nx (Next) Ransomware –Remove and Restore Encrypted Files

This article will show you how to successfully delete Nx Ransomware infection and try to restore encrypted files by the virus.

A ransomware virus, uploaded as an open source malware in GitHub in the end of march 2016 has begun to show activity in the end of March 2017, reports indicate. The virus is oriented on victims who are not experienced and may spread on a global scale. The ransomware aims to encrypt the files on the computers infected by it via the AES and RSA encryption algorithms. After this, the virus begins to drop information on how to contact the cyber-criminals and pay a hefty ransom fee to restore encrypted files. In case your computer has been infected by the Nx ransomware infection, recommendations are to read the following article thoroughly.

Threat Summary

Name

Nx Ransomware

Type Ransomware
Short Description The malware encrypts users files using a AES and RSA, ciphers, generating a public and private key files.
Symptoms The user may witness that the files are no longer openable, plus instructions on how to pay a hefty ransom fee to the criminals to decrypt the files.
Distribution Method Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Nx Ransomware

Download

Malware Removal Tool

User Experience Join our forum to Discuss Nx Ransomware.
Data Recovery Tool Data Recovery Pro by ParetoLogic Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Nx Ransomware – How Does It Infect

The infection process of Nx Ransomware is conducted via a malicious file, pretending to be Google Update Service. The false name on the description of the file is Google Software Update and it is called GoogleUpdate.exe. There is even data in it’s description to deceive that the creators of these file are Google themselves.

The infection file related to the GoogleUpdate.exe file, however is different than it. It is named ransomware1.exe and has the following signature and detection rate:

In addition to being spread as a false Google Service update, the Nx virus may also be replicated via the assistance of massive spam services that spread suspicious e-mail messages that seem legitimate only at first glance. However, many of those e-mails only aim to convince the victim into opening the suspicious e-mail attachment attached to them:

Nx Ransomware – Infection Activity

After causing the infection, the Nx Ransomware virus may begin to drop it’s malicious files on the compromised computers. The files that are being dropped are the following:

  • GoogleUpdate.exe (SHA256: 2a3da7eaae24d815a246beb194c72eacf10383e6ac3f46ef23298fb65ca10407)
  • master_pri_key.info
  • master_public_key.info

Along those main files of the virus, there may be other support files (.dll, .tmp, .vbs, .bat, .exe, .js, .wsf, .bin) that may be dropped alongside them. They are usually located in the following Windows directories:

  • %AppData%
  • %Local%
  • %Roaming%
  • %LocalRow%
  • %Windows%

After all the malicious files are dropped on the compromised computer, the Nx ransomware infection may begin to perform multiple other activities, such as delete the shadow volume copies of it, for example. This is achievable by executing versions of the following vssadmin command in the background:

In addition to deleting system backups, the Nx virus may also begin to modify the Windows Registry Editor. Among the attacked Windows Registry sub-keys may usually be the ones that change the wallpaper and run files on Windows boot:

→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Other interference the Nx virus may perform is modify the following files within the %WINDIR% directory of Windows, again related to the registry:

→ Clr.dll
Mscorwks.dll
Mscorlib.ni.dll.aux
Sortdefault.nls
System.xml.ni.dll.aux
Pubpol47.dat
System.ni.dll.aux
Mscorlib.dl

Nx Ransomware’s Encryption Process
For the encryption of files, the Nx virus is believed to use a combination of two of the strongest known ciphers for public use.

Rivest-Shamir-Adleman or RSA encryption.
Advanced Encryption Standard also known as AES.

The AES cipher may be used to scramble the following important files, if detected on the compromised computer:

→ .AVI, .C, .CLASS, .CONFIG, .CPP, .CS, .CSC, .DBX, .DOC, .DOCX, .EML, .GIF, .GZ, .H, .JAVA, .JPG, .JS, .JSON, .JSP, .MBX, .MP3, .MP4, .MPEG, .MSG, .NEF, .PDF, .PHP, .PNG, .PPT, .PPTX, .PST, .PY, .R, .RAR, .TAR, .TXT, .VB, .VBS, .WAB, .XAML, .XLS, .XLSX, .ZIP Source: id-ransomware.blogspot.bg

After these files have already been encoded by this ransomware virus, the infection may use the RSA cipher to further insert private and public keys within the files themselves, making them increasingly difficult to decrypt, primarily because different key may be assigned to each of the files.

When the encryption process has completed, the files encoded by it can no longer be opened and the user may be presented a ransom note with instructions on how to decrypt them by making a payoff.

Remove Nx Ransomware and Restore Encoded Files

Before beginning the removal process of Nx Ransomware infection, users are advised to perform multiple backups of the encrypted files, just in case.

For the removal of this virus to be successful, we advise following the instruction steps down below, which will help isolate the threat and then locate the malicious files belonging to this virus and delete them. In case you cannot manually locate the files or feel unsure that manual removal would do the job, experts always advise downloading an advanced anti-malware tool to scan for and remove those malicious objects automatically and protect your computer against future threats as well.

For the file restoration, there is no free decryption scenario at the moment. However, we will track the situation and post decryption instructions with web links as soon as there are such available. In the meantime, we advise following the alternative methods for restoring your files at your own risk, even though they are not 100% guaranteed to get all the files back. They are located down in step “2. Restore files encrypted by Nx Ransomware”.

Manually delete Nx Ransomware from your computer

Note! Substantial notification about the Nx Ransomware threat: Manual removal of Nx Ransomware requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Nx Ransomware files and objects
2.Find malicious files created by Nx Ransomware on your PC

Automatically remove Nx Ransomware by downloading an advanced anti-malware program

1. Remove Nx Ransomware with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Nx Ransomware
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.