This article has been created in order to best explain what is the .ndpyhss files virus and how to remove it from your computer, plus how to restore .ndpyhss encrypted files.
The .ndpyhss files virus is the type of ransomware which is from the Magniber viruses, using Magniber exploit kit to conduct it’s infection. The virus aims to encrypt the files on the computers that are infected by it, leaving behind the .ndpyhss file suffix and making the files to no longer able to be opened. The end goal of the ransomware is to get the victims to pay a ransom in order to get the crooks to recover the files, encrypted by this infection. However, this is highly inadvisable and if your computer has been infected by this variant of Magniber ransomware, we advise that you read this article and learn how to remove this virus from your PC and restore files, encrypted by it.
Threat Summary
| Name | Magniber Ransomware |
| Type | Ransomware, Cryptovirus |
| Short Description | Aims to encrypt the files on your computer and then ask you to pay a hefty ransom fee in order to get the files recovered and working again. |
| Symptoms | Files are encrypted with an added file extension – .ndpyhss and a ransom note file, called README.txt. |
| Distribution Method | Spam Emails, Email Attachments, Executable files |
| Detection Tool |
See If Your System Has Been Affected by malware
Download
Malware Removal Tool
|
User Experience | Join Our Forum to Discuss Magniber Ransomware. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
.ndpyhss Ransomware – Distribution Methods
For the .ndpyhss files virus to be distributed and infect the maximum amount of victims out there, the crooks behind the virus may participate in massive spam campaigns, the purpose of which is to get victims to open a malicious e-mail attachment or click on a malicious web link. The idea behind those e-mails is that they often pretend to come from big and legitimate companies from the likes of:
- DHL.
- FedEx.
- PayPal.
- eBay.
The e-mails often contain convincing statements embedded within them such as to prompt victims to open e-mail attachments whose main idea is to cause the infection.
In addition to via e-mail, the Magniber ransomware virus may also spread by posing as a legitimate type of file that is upladoaded online while posing as a legitimate file. This basically means that the file may pretend to be:
- Setup of a program.
- Game patch or crack.
- License activator.
- Key generator.
.ndpyhss Ransomware — Targeted Vulnerabilities
The Magniber ransomware and its associated .ndpyhss virus strain have been found to use various exploits that target specific vulnerabilities. One of the distinct features of this particular threat is that during the 2017 attack campaigns the threat was using a mechanism called filtering gate nick named Magnigate which distributed Cerber ransomware. This particular threat allows the operators to defined specific values that are selected in the targets. This has allowed the criminals to carry out fine-tuned attacks that have plagued several countries in Asia. Their success has provoked other ransomware authors to selectively filter out the intended victims in a similar way.
The Magniber virus was delivered using two specific exploits targeting common vulnerabiliites:
- CVE-2018-4878 — A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to media player handling of listener objects. A successful attack can lead to arbitrary code execution.
- CVE-2018-8174 — A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka “Windows VBScript Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
.ndpyhss Magniber Ransomware – Infection Activity
Once the .ndpyhss files variant of Magniber ransomware are dropped on the victims computers, the malware uses several modules which are dropped on the infected machine:
Main Infection Module – This module has a trojan-like capabilities which could turn the ransomware into spyware to steal and take control of computers.
Data Theft modules – they may be used to steal sensitive data, such as passwords, financial information or files.
Additional Malware dropper – this module may update the existing virus files or download another virus on the infected computer.
The malicious files are copied to a folder, which may also be changed after this happens. As soon as this is done, the malware’s files are changed into radnom names and may exist in te following Windows directories:
- %Temp%
- %AppData%
- %Local%
- %LocalLow%
- %Roaming%
In addtion to this, the ransomware may also spawn processes as an administrator to perform various malicious activities such as information gathering activities that check if the virus is ran on a real system or a virtual drive and if that is the case, the malware may start to delete itself and will never run encryption. But if it’s running on an actual computer, it may start to drop it’s ransom note file, called README.txt, which contains instructions on how to pay a hefty ransom fee in order to restore the files that have been encrypted by this virus. The ransom note usually leads victims to the payment page of Magniber ransomware, which looks somewhat like the following:
In addition to instructions on how to pay the ransom, the virus may also provide the free decryption of 1 file to the victims, to prove that this blackmainling works.
.ndpyhss Files Virus – Encryption Process
For this variant to encrypt the files on the victims’ computers, it uses a pre-set list of file extensions which it targets for encryption. If those types of files are detected within the victim’s computer, the ransomware virus encrypts them:
→ docx xls xlsx ppt pptx pst ost msg em vsd vsdx csv rtf 123 wks wk1 pdf dwg
onetoc2 snt docb docm dot dotm dotx xlsm xlsb xlw xlt xlm xlc xltx xltm pptm
pot pps ppsm ppsx ppam potx potm edb hwp 602 sxi sti sldx sldm vdi vmx gpg
aes raw cgm nef psd ai svg djvu sh class jar java rb asp php jsp brd sch dch
dip vb vbs ps1 js asm pas cpp cs suo sln ldf mdf ibd myi myd frm odb dbf db
mdb accdb sq sqlitedb sqlite3 asc lay6 lay mm sxm otg odg uop std sxd otp
odp wb2 slk dif stc sxc ots ods 3dm max 3ds uot stw sxw ott odt pem p12 csr
crt key pfx der 1cd cd arw jpe eq adp odm dbc frx db2 dbs pds pdt dt cf cfu
mx epf kdbx erf vrp grs geo st pff mft efd rib ma lwo lws m3d mb obj x3d c4d
fbx dgn 4db 4d 4mp abs adn a3d aft ahd alf ask awdb azz bdb bib bnd bok btr
cdb ckp clkw cma crd dad daf db3 dbk dbt dbv dbx dcb dct dcx dd df1 dmo dnc
dp1 dqy dsk dsn dta dtsx dx eco ecx emd fcd fic fid fi fm5 fo fp3 fp4 fp5
fp7 fpt fzb fzv gdb gwi hdb his ib idc ihx itdb itw jtx kdb lgc maq mdn mdt
mrg mud mwb s3m ndf ns2 ns3 ns4 nsf nv2 nyf oce oqy ora orx owc owg oyx p96
p97 pan pdb pdm phm pnz pth pwa qpx qry qvd rctd rdb rpd rsd sbf sdb sdf spq
sqb stp str tcx tdt te tmd trm udb usr v12 vdb vpd wdb wmdb xdb xld xlgc zdb
zdc cdr cdr3 abw act aim ans apt ase aty awp awt aww bad bbs bdp bdr bean
bna boc btd cnm crw cyi dca dgs diz dne docz dsv dvi dx eio eit emlx epp err
etf etx euc faq fb2 fb fcf fdf fdr fds fdt fdx fdxt fes fft flr fodt gtp frt
fwdn fxc gdoc gio gpn gsd gthr gv hbk hht hs htc hz idx ii ipf jis joe jp1 jrtf
kes klg knt kon kwd lbt lis lit lnt lp2 lrc lst ltr ltx lue luf lwp lyt lyx man
map mbox me mel min mnt mwp nfo njx now nzb ocr odo of oft ort p7s pfs pjt prt
psw pu pvj pvm pwi pwr qd rad rft ris rng rpt rst rt rtd rtx run rzk rzn saf
sam scc scm sct scw sdm sdoc sdw sgm sig sla sls smf sms ssa sty sub sxg tab
tdf tex text thp tlb tm tmv tmx tpc tvj u3d u3i unx uof upd utf8 utxt vct vnt
vw wbk wcf wgz wn wp wp4 wp5 wp6 wp7 wpa wpd wp wps wpt wpw
wri wsc wsd wsh wtx
xd xlf xps xwp xy3 xyp xyw ybk ym zabw zw abm afx agif agp aic albm apd apm
apng aps apx art asw bay bm2 bmx brk brn brt bss bti c4 ca cals can cd5 cdc
cdg cimg cin cit colz cpc cpd cpg cps cpx cr2 ct dc2 dcr dds dgt dib djv dm3
dmi vue dpx wire drz dt2 dtw dv ecw eip exr fa fax fpos fpx g3 gcdp gfb gfie
ggr gih gim spr scad gpd gro grob hdp hdr hpi i3d icn icon icpr iiq info ipx
itc2 iwi j2c j2k jas jb2 jbig jbmp jbr jfif jia jng jp2 jpg2 jps jpx jtf jw
jxr kdc kdi kdk kic kpg lbm ljp mac mbm mef mnr mos mpf mpo mrxs my ncr nct
nlm nrw oc3 oc4 oc5 oci omf oplc af2 af3 asy cdmm cdmt cdmz cdt cmx cnv csy
cv5 cvg cvi cvs cvx cwt cxf dcs ded dhs dpp drw dxb dxf egc emf ep eps epsf
fh10 fh11 fh3 fh4 fh5 fh6 fh7 fh8 fif fig fmv ft10 ft11 ft7 ft8 ft9 ftn fxg
gem glox hpg hpg hp idea igt igx imd ink lmk mgcb mgmf mgmt mt9 mgmx mgtx
mmat mat ovp ovr pcs pfv plt vrm pobj psid rd scv sk1 sk2 ssk stn svf svgz
tlc tne ufr vbr vec vm vsdm vstm stm vstx wpg vsm xar ya orf ota oti ozb
ozj ozt pa pano pap pbm pc1 pc2 pc3 pcd pdd pe4 pef pfi pgf pgm pi1 pi2 pi3
pic pict pix pjpg pm pmg pni pnm pntg pop pp4 pp5 ppm prw psdx pse psp ptg
ptx pvr px pxr pz3 pza pzp pzs z3d qmg ras rcu rgb rgf ric riff rix rle rli
rpf rri rs rsb rsr rw2 rw s2mv sci sep sfc sfw skm sld sob spa spe sph spj
spp sr2 srw wallet jpeg jpg vmdk arc paq bz2 tbk bak tar tgz gz 7z rar zip
backup iso vcd bmp png gif tif tiff m4u m3u mid wma flv 3g2 mkv 3gp mp4 mov
avi asf mpeg vob mpg wmv fla swf wav mp3
But this variant of Magniber ransomware is also a clever one, which skips encrypting files In several important Windows folders in order to leave the infected machine intact and functional. The folders in it’s so-called “whitelist” appear like the following:
→ :\documents and settings\all users\
:\documents and settings\default user\
:\documents and settings\localservice\
:\documents and settings\networkservice\
\appdata\local\
\appdata\locallow\
\appdata\roaming\
\local settings\
\public\music\sample music\
\public\pictures\sample pictures\
\public\videos\sample videos\
\tor browser\
\$recycle.bin
\$windows.~bt
\$windows.~ws
\boot
\intel
\msocache
\perflogs
\program files (x86)
\program files
\programdata
\recovery
\recycled
\recycler
\system volume information
\windows.old
\windows10upgrade
\windows
\winnt
After the encryption process has completed, the Magniber ransomware virus assigns often a random file extension, one variant of which was detected by researcher Michael Gillespie to use the .ndpyhss file extension. The files appear like the following after they have been encrypted by Magniber Ransomware:
Remove Magiber Ransomware and Restore Encrypted Files
In order to remove this version of Magniber ransomware, we recommend that you follow the removal instructions underneath this article. They have been divided in manual and automatic removal methods. If manual removal is not something you feel certain in doing, reccomendations are to automatically remove this ransomware, with the aid of an advanced anti-malware software. It’s main purpose is to help you to automatically remove this threat by scanning for it and then deleting all of the associated objects as well as ensuring future protection in real-time as well.
If you want to restore files that have been encrypted by this ransomware infection, you can try using the newly released decryptor for Magniber ranosmware. In addition to this, if this decryptor does not work out for you, you can attempt using the alternative methods for file recovery in step “2. Restore files, encrypted by Magniber Ransomware”. They may not be 100% guarantee to be able to restore all of your encrypted files, but may help you recover some or more of them.
Ventsislav Krastev
Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated Marketing as well, Ventsislav also has passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecrurity industry and is a strong believer in the education of every user towards online safety and security.
Follow Me:
- Step 1
- Step 2
- Step 3
- Step 4
- Step 5
Step 1: Scan for Magniber Ransomware with SpyHunter Anti-Malware Tool
Ransomware Automatic Removal - Video Guide
Step 2: Uninstall Magniber Ransomware and related malware from Windows
Here is a method in few easy steps that should be able to uninstall most programs. No matter if you are using Windows 10, 8, 7, Vista or XP, those steps will get the job done. Dragging the program or its folder to the recycle bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, and that can lead to unstable work of your PC, errors with the file type associations and other unpleasant activities. The proper way to get a program off your computer is to Uninstall it. To do that:
Follow the instructions above and you will successfully delete most unwanted and malicious programs.
Step 3: Clean any registries, created by Magniber Ransomware on your computer.
The usually targeted registries of Windows machines are the following:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
You can access them by opening the Windows registry editor and deleting any values, created by Magniber Ransomware there. This can happen by following the steps underneath:
Tip: To find a virus-created value, you can right-click on it and click "Modify" to see which file it is set to run. If this is the virus file location, remove the value.
Before starting "Step 4", please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.
Step 4: Boot Your PC In Safe Mode to isolate and remove Magniber Ransomware
Step 5: Try to Restore Files Encrypted by Magniber Ransomware.
Method 1: Use STOP Decrypter by Emsisoft.
Not all variants of this ransomware can be decrypted for free, but we have added the decryptor used by researchers that is often updated with the variants which become eventually decrypted. You can try and decrypt your files using the instructions below, but if they do not work, then unfortunately your variant of the ransomware virus is not decryptable.
Follow the instructions below to use the Emsisoft decrypter and decrypt your files for free. You can download the Emsisoft decryption tool linked here and then follow the steps provided below:
1 Right-click on the decrypter and click on Run as Administrator as shown below:
2. Agree with the license terms:
3. Click on "Add Folder" and then add the folders where you want files decrypted as shown underneath:
4. Click on "Decrypt" and wait for your files to be decoded.
Note: Credit for the decryptor goes to Emsisoft researchers who have made the breakthrough with this virus.
Method 2: Use data recovery software
Ransomware infections and Magniber Ransomware aim to encrypt your files using an encryption algorithm which may be very difficult to decrypt. This is why we have suggested a data recovery method that may help you go around direct decryption and try to restore your files. Bear in mind that this method may not be 100% effective but may also help you a little or a lot in different situations.
Simply click on the link and on the website menus on the top, choose Data Recovery - Data Recovery Wizard for Windows or Mac (depending on your OS), and then download and run the tool.
Magniber Ransomware-FAQ
What is Magniber Ransomware Ransomware?
Magniber Ransomware is a ransomware infection - the malicious software that enters your computer silently and blocks either access to the computer itself or encrypt your files.
Many ransomware viruses use sophisticated encryption algorithms to make your files inaccessible. The goal of ransomware infections is to demand that you pay a ransom payment to get access to your files back.
What Does Magniber Ransomware Ransomware Do?
Ransomware in general is a malicious software that is designed to block access to your computer or files until a ransom is paid.
Ransomware viruses can also damage your system, corrupt data and delete files, resulting in the permanent loss of important files.
How Does Magniber Ransomware Infect?
Via several ways.Magniber Ransomware Ransomware infects computers by being sent via phishing emails, containing virus attachment. This attachment is usually masked as an important document, like an invoice, bank document or even a plane ticket and it looks very convincing to users.
Another way you may become a victim of Magniber Ransomware is if you download a fake installer, crack or patch from a low reputation website or if you click on a virus link. Many users report getting a ransomware infection by downloading torrents.
How to Open .Magniber Ransomware files?
You can't without a decryptor. At this point, the .Magniber Ransomware files are encrypted. You can only open them once they are decrypted using a specific decryption key for the particular algorithm.
What to Do If a Decryptor Does Not Work?
Do not panic, and backup the files. If a decryptor did not decrypt your .Magniber Ransomware files successfully, then do not despair, because this virus is still new.
Can I Restore ".Magniber Ransomware" Files?
Yes, sometimes files can be restored. We have suggested several file recovery methods that could work if you want to restore .Magniber Ransomware files.
These methods are in no way 100% guaranteed that you will be able to get your files back. But if you have a backup, your chances of success are much greater.
How To Get Rid of Magniber Ransomware Virus?
The safest way and the most efficient one for the removal of this ransomware infection is the use a professional anti-malware program.
It will scan for and locate Magniber Ransomware ransomware and then remove it without causing any additional harm to your important .Magniber Ransomware files.
Can I Report Ransomware to Authorities?
In case your computer got infected with a ransomware infection, you can report it to the local Police departments. It can help authorities worldwide track and determine the perpetrators behind the virus that has infected your computer.
Below, we have prepared a list with government websites, where you can file a report in case you are a victim of a cybercrime:
Cyber-security authorities, responsible for handling ransomware attack reports in different regions all over the world:
Germany - Offizielles Portal der deutschen Polizei
United States - IC3 Internet Crime Complaint Centre
United Kingdom - Action Fraud Police
France - Ministère de l'Intérieur
Italy - Polizia Di Stato
Spain - Policía Nacional
Netherlands - Politie
Poland - Policja
Portugal - Polícia Judiciária
Greece - Cyber Crime Unit (Hellenic Police)
India - Mumbai Police - CyberCrime Investigation Cell
Australia - Australian High Tech Crime Center
Reports may be responded to in different timeframes, depending on your local authorities.
Can You Stop Ransomware from Encrypting Your Files?
Yes, you can prevent ransomware. The best way to do this is to ensure your computer system is updated with the latest security patches, use a reputable anti-malware program and firewall, backup your important files frequently, and avoid clicking on malicious links or downloading unknown files.
Can Magniber Ransomware Ransomware Steal Your Data?
Yes, in most cases ransomware will steal your information. It is a form of malware that steals data from a user's computer, encrypts it, and then demands a ransom in order to decrypt it.
In many cases, the malware authors or attackers will threaten to delete the data or publish it online unless the ransom is paid.
Can Ransomware Infect WiFi?
Yes, ransomware can infect WiFi networks, as malicious actors can use it to gain control of the network, steal confidential data, and lock out users. If a ransomware attack is successful, it could lead to a loss of service and/or data, and in some cases, financial losses.
Should I Pay Ransomware?
No, you should not pay ransomware extortionists. Paying them only encourages criminals and does not guarantee that the files or data will be restored. The better approach is to have a secure backup of important data and be vigilant about security in the first place.
What Happens If I Don't Pay Ransom?
If you don't pay the ransom, the hackers may still have access to your computer, data, or files and may continue to threaten to expose or delete them, or even use them to commit cybercrimes. In some cases, they may even continue to demand additional ransom payments.
Can a Ransomware Attack Be Detected?
Yes, ransomware can be detected. Anti-malware software and other advanced security tools can detect ransomware and alert the user when it is present on a machine.
It is important to stay up-to-date on the latest security measures and to keep security software updated to ensure ransomware can be detected and prevented.
Do Ransomware Criminals Get Caught?
Yes, ransomware criminals do get caught. Law enforcement agencies, such as the FBI, Interpol and others have been successful in tracking down and prosecuting ransomware criminals in the US and other countries. As ransomware threats continue to increase, so does the enforcement activity.
About the Magniber Ransomware Research
The content we publish on SensorsTechForum.com, this Magniber Ransomware how-to removal guide included, is the outcome of extensive research, hard work and our team’s devotion to help you remove the specific malware and restore your encrypted files.
How did we conduct the research on this ransomware?
Our research is based on an independent investigation. We are in contact with independent security researchers, and as such, we receive daily updates on the latest malware and ransomware definitions.
Furthermore, the research behind the Magniber Ransomware ransomware threat is backed with VirusTotal and the NoMoreRansom project.
To better understand the ransomware threat, please refer to the following articles which provide knowledgeable details.
As a site that has been dedicated to providing free removal instructions for ransomware and malware since 2014, SensorsTechForum’s recommendation is to only pay attention to trustworthy sources.
How to recognize trustworthy sources:
- Always check "About Us" web page.
- Profile of the content creator.
- Make sure that real people are behind the site and not fake names and profiles.
- Verify Facebook, LinkedIn and Twitter personal profiles.