A ransomware virus using the [email protected] e-mail address as a file extension and belonging to the CrySiS ransomware variants has been spotted in the wild by victims and IT support staff. The virus has been reported to also use the .xtbl file extension and be themed based on a parody video of Vinnie the Pooh. Fortunately like other CrySiS ransomware viruses, Nomoneynohoney ransomware also turns out to be decryptable. In order to remove Nomoneynohoney ransomware and decrypt your files for free, we advise you to read this article thoroughly.
Threat Summary
| Name | Nomoneynohoney |
| Type | Ransomware |
| Short Description | Part of the CrySiS ransomware variants. The malware encrypts users files using an ncryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals. |
| Symptoms | The user may witness ransom notes and it’s e-mail in the file extensions that when contacted replies with ransom payoff instructions to get back the files. |
| Distribution Method | Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner. |
| Detection Tool | See If Your System Has Been Affected by Nomoneynohoney. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
Nomoneynohoney Ransomware – More Information
To better inform you about this variant of XTBL/Shade also known as Nomoneynohoney ransomware, we will take you through it’s infection process methodologically since this will help affected users understand how they may have become unsuspecting victims and in the future protect themselves.
Initially you may become infected by this .xtbl ransomware virus by simply two methods:
- Opening a malicious web link.
- Opening a file attachment that is with malicious character.
Such may be spread in many different places, like spammed e-mail messages with either, spammed comments on websites as well as posted files on suspicious websites as fake setups. Not only this but it has also been reported the CrySiS may be encountered in game cracks, keygens or other fake executable files that may be existent in different forms.
After the user opens the malicious file, the Nomoneynohoney virus situates malicious files in key Windows folders, like:
- %Startup%
- %AppData%
- %Roaming%
- %Common%
- %Local%
As soon as this has been done, the malware deletes the shadow volume copies and other backups via commands, like the vssadmin command in privileged mode without the victim noticing what is happening on the computer:
After they are deleted, the Nomoneynohoney virus also uses techniques allowing it to encrypt the files of the affected computer. It may scan for and encrypt most commonly used file types, like the following:
- File extensions related to videos.
- Image file types.
- Audio files.
- Document type of files (Microsoft Office, Adobe)
- Database type of files and virtual drives.
After this has been performed the virus leaves the files in the following state:
It is widely believed that the ransomware virus may itself be originating from Russia, because of the parody it uses from the Russian viral video “no money no honey”.
Remove Nomoneynohoney and Decrypt Your Files
In order to completely remove the Nomoneynohoney virus we urge you to follow our removal instructions below. In case you lack the professional malware removal experience, it is also recommended to use an advanced anti-malware program which will automatically and swiftly take care of the Nomoneynohoney virus.
Fortunately, regarding the files encrypted by Nomoneynohoney ransomware, there is a decryptor for which we have created instructions. But bear in mind that you should consider yourself lucky by being infected with it, due to the fact that most ransomware viruses are non-decryptable. This is why we advise you to check our protection tips on ransomware.
After the removal of the virus, please follow the instructions in the article in the red box below to successfully decrypt the encrypted files by Nomoneynohoney ransomware:
Manually delete Nomoneynohoney from your computer
Note! Substantial notification about the Nomoneynohoney threat: Manual removal of Nomoneynohoney requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.
1. For Windows 7,XP and Vista.
2. For Windows 8, 8.1 and 10.
Fix registry entries created by Nomoneynohoney on your PC.
Automatically remove Nomoneynohoney by downloading an advanced anti-malware program
1. Install SpyHunter to scan for and remove Nomoneynohoney.
Back up your data to secure it against infections and file encryption by Nomoneynohoney in the future.
STOPZilla Anti Malware
