Decrypt Files Encrypted by Nomoneynohoney Ransomware - How to, Technology and PC Security Forum

Decrypt Files Encrypted by Nomoneynohoney Ransomware


A ransomware virus that uses the e-mail address as a file extension and belongs to the CrySiS ransomware variants has been spotted in the wild by victims and IT support staff. The virus has also been reported to use the .xtbl file extension and to be themed on a parody video of Winnie the Pooh. Fortunately, like other CrySiS ransomware viruses, Nomoneynohoney ransomware turns out to be decryptable. In order to remove Nomoneynohoney ransomware and decrypt your files for free, we advise you to read this article thoroughly.

Threat Summary



Short Description: Part of the CrySiS ransomware variants. The malware encrypts users' files using an encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms: The user may see ransom notes and the attackers' e-mail address in the file extensions; when contacted, that address replies with ransom payment instructions for getting the files back.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool: See If Your System Has Been Affected by Nomoneynohoney.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Nomoneynohoney Ransomware – More Information

To better inform you about this variant of XTBL/Shade, also known as Nomoneynohoney ransomware, we will take you through its infection process methodically, since this will help affected users understand how they may have become unsuspecting victims and how to protect themselves in the future.

Initially, you may become infected by this .xtbl ransomware virus in one of two ways:

  • Opening a malicious web link.
  • Opening a malicious file attachment.

These may be spread in many different places, such as spam e-mail messages carrying either of them, spam comments on websites, and files posted on suspicious websites as fake setups. It has also been reported that CrySiS may be encountered in game cracks, keygens or other fake executable files that may exist in different forms.

After the user opens the malicious file, the Nomoneynohoney virus drops malicious files in key Windows folders, like:

  • %Startup%
  • %AppData%
  • %Roaming%
  • %Common%
  • %Local%

As soon as this has been done, the malware deletes the shadow volume copies and other backups via commands such as the vssadmin command, run in privileged mode, without the victim noticing what is happening on the computer.
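The backup-deletion step described above is one of the most reliable points at which to detect this kind of infection. The following detection sketch is an added example, not code from the original article; it goes beyond vssadmin to cover two other built-in backup tools, and the event field names, host names and sample command lines are constructed assumptions.

```python
import ntpath
import re

# Backup-destroying invocations: tool basename -> token pairs that must both be present.
RULES = {
    "vssadmin.exe": [("delete", "shadows")],
    "wmic.exe": [("shadowcopy", "delete")],
    "wbadmin.exe": [("delete", "catalog")],
}
# Parent image under a per-user AppData tree (the article's %AppData%, %Roaming%,
# %Local% and %Startup% locations all resolve beneath it).
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local)\\", re.IGNORECASE)

def classify(event):
    """Return a finding dict for a backup-deletion command, or None if benign."""
    tool = ntpath.basename(event["image"]).lower()
    # Lower-case and strip quotes so casing or quoting does not evade the match.
    toks = {t.strip("\"'").lower() for t in event["cmdline"].split()}
    for pair in RULES.get(tool, []):
        if set(pair) <= toks:
            dropped = bool(USER_WRITABLE.search(event["parent"]))
            return {
                "host": event["host"],
                "action": f"{tool} {' '.join(pair)}",
                "severity": "high" if dropped else "medium",
            }
    return None

# Constructed sample process-creation events (not taken from a real incident).
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent": r"C:\Users\alice\AppData\Roaming\setup.exe"},
    {"host": "SRV-02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",
     "parent": r"C:\Program Files\BackupAgent\agent.exe"},
    {"host": "WS-020", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic "shadowcopy" delete',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS-014", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe delete-shadows-notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in map(classify, events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A finding is rated high when the parent process runs from a user-writable AppData path, which separates a dropped executable from an administrator or backup agent invoking the same tool.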


After they are deleted, the Nomoneynohoney virus also uses techniques allowing it to encrypt the files of the affected computer. It may scan for and encrypt the most commonly used file types, like the following:

  • File extensions related to videos.
  • Image file types.
  • Audio files.
  • Document type of files (Microsoft Office, Adobe)
  • Database type of files and virtual drives.

After this has been performed the virus leaves the files in the following state:


It is widely believed that the ransomware virus may originate from Russia, because of the parody it uses from the Russian viral video “no money no honey”.

Remove Nomoneynohoney and Decrypt Your Files

In order to completely remove the Nomoneynohoney virus, we urge you to follow our removal instructions below. In case you lack professional malware removal experience, it is also recommended to use an advanced anti-malware program, which will automatically and swiftly take care of the Nomoneynohoney virus.

Fortunately, for the files encrypted by Nomoneynohoney ransomware there is a decryptor, for which we have created instructions. But bear in mind that you should consider yourself lucky to have been infected with this one, since most ransomware viruses are non-decryptable. This is why we advise you to check our protection tips on ransomware.

After the removal of the virus, please follow the instructions in the article in the red box below to successfully decrypt the files encrypted by Nomoneynohoney ransomware:

Decrypt Files Encrypted by Shade .Xtbl Ransomware

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
