N1N1N1 Virus Remove and Restore .n1n1n1 Files - How to, Technology and PC Security Forum | SensorsTechForum.com

N1N1N1 Virus Remove and Restore .n1n1n1 Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

ransomware-on-focus-sensorstechforumA ransomware virus going by the name N1N1N1 has been reported to use a very stron encryption algorithm to encode the files of unsuspecting users. The virus leaves behind the .n1n1n1 file extension to every file it has encrypted along with ransom instructions, name “how return files” in .txt and .html document. In those instructions the victim is notified that the files can no longer be opened by this ransomware and is asked to make a ransom payoff of 1.5 BTC to get the files back. Everyone who has become victims of the N1N1N1 crypto-virus is strongly advised to follow the instructions in this article to remove this malware and use alternative methods to try and restore encrypted files instead of paying the ransom.

Threat Summary



Short DescriptionThe malware encrypts users files using a strong RSA encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions” and a sound message all linking to a web page and a decryptor. Changed file names and the file-extension .n1n1n1 has been used.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by N1N1N1


Malware Removal Tool

User ExperienceJoin our forum to Discuss N1N1N1 Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

N1N1N1 Ransomware – Spread

In order to be widespread and infect the maximum amount of victims, N1N1N1 may spread via Exploit kits, JavaScript and even other malware that may currently be residing on the victims computers. The N1N1N1 virus also may use malicious spam campaigns that distribute it’s payload as an e-mail attachment or via a malicious URL that may be placed along a convincing message, motivating the user to click on it. Not only this, but the N1N1N1 ransomware might also infect via malicious web links that may be sent out on various Social Media websites, like Facebook, Twitter and others. Those web links may cause a browser redirect and an infection via a drive by download. To cause a successful infection and slip by any antivirus software and firewalls the N1N1N1 virus may also use malware obfuscators that make it appear as if it is a legitimate application. If it attacks via an exploit kit, this virus takes advantage of an Exploit in Windows, which means that the cyber-criminals behind the N1N1N1 threat may have invested a lot of funds in such software.

N1N1N1 Ransomware – What Does It Do

As soon as it has infected your computer, the N1N1N1 virus may drop several types of malicious files on your computer:

.exe, .dll, .bat, .vbs, .tmp,

The malicious files may be programmed to perform various activities such as changing he wallpaper of the infected computer, changing settings in the registry, connect to the cyber-crooks server and most importantly encrypt the files in it. They may be located in the following folders under different, usually random names:


After having created the malicious files, the N1N1N1 virus may run it’s primary executable which encrypts the files on the compromised computer. The virus may also heavily modify the Windows Registry Editor to make the encryptor run again and again every time you start Windows.

The file types that N1N1N1 is looking for to encrypt are many, but they are primarily associated with often used files, such as:

  • Documents.
  • Audio files.
  • Image files.
  • Database Files.
  • Files associated with programs, like Photoshop, etc.

The N1N1N1 virus also cleverly skips the encryption of files that may pose a direct threat to the operating system and cause it to disfunction.

After having encrypted your files, the N1N1N1 ransomware leaves them with it’s distinctive .n1n1n1 file extension, for example:


The files can no longer be opened since their code structure is no longer the same.

After encrypting the files on a compromised machine, the N1N1N1 malware drops two files in each folder with encrypted files:


The ransom notes have the following ransom message:

“If you don’t speak english then use public online translators https://translate.google.com or https://www.bing.com/Translator or https://www.translate.com .
Your files encrypted.
To decrypt and return control to all your encrypted files you need :
1) Go to https://www.torproject.org/download/download-easy.html.en . Download Tor browser for windows.
If you can’t open this page then go to https://www.torproject.org and click on button Download.
It will redirect you to page where you can find “Tor Browser for Windows”. Download it.
If you still can’t download or run tor browser then download, unpack and run the most stable tor browser version here:
2) Install it and run it.
3) Type in the address bar www.hs5br44fuvaazn72.onion/start.php and open our secret website.
4) Secret website will ask you to input your public key.
5) Enter your public key and follow the instructions.
Your public key:
If you have any problems while downloading or installing tor browser or opening secret tor site then
if you have antivirus then remove or disable it (antivirus can prohibit open tor browser) or try use other computer.
Don’t forget that you can browse www.youtube.com and search videos with tor browser installation process.
If you still can’t open this secret page then
1) Go to https://mail.google.com (use your usual browser: (firefox, google chrome, …)
2) If you don’t have …@gmail account then sign up. You will get google (gmail) account.
3) Compose letter and send it to strongonion@sigaint.org
In letter you need type us your public key (see public key above).
4) Soon (in 1 or 2 days), we will send you instructions what you need to do to decrypt your files.
Small remark:
You can compose and send letter using other mail provider (…@aol.com …@yahoo.com or other)
but we DON’T RECOMMEND you to do it because we are not sure that we will receive your letter!”

The HTML document leads to the primary web page where the user can enter the decryption key after paying the ransom amount. After paying the user is provided with a decrypter and a master key to decode his files.


Remove N1N1N1 Ransomware and Decrypt .n1n1n1 Files

Before trying to restore the encrypted files, it is strongly advisable to get rid of this virus from your computer. You can follow the instructions below to remove N1N1N1 ransomware effectively, but it is also possible to remove it via an advanced anti-malware program automatically, swiftly and effectively.

The encryption algorithm used by the N1N1N1 ransomware is believed to be RSA cipher which generates a unique private and public keys after every infection. Direct decryption may be a time costly process and this is why researchers recommend not to pay any type of ransom money to cyber-criminals and to seek alternative solutions to decode the files, while a free decrypter is released out to the public. This is why we strongly advise using the alternative file restoration methods below in step “3. Restore files encrypted by N1N1N1” to help recover at least some of your files while a free decryptor is released which can happen in the near future. Make sure to often check this article as we will update it as soon as a free decryption method is discovered.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share