.ndpyhss Files Virus (Magniber Ransomware) – Remove + Decrypt Data

.ndpyhss Files Virus (Magniber Ransomware) – Remove + Decrypt Data

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article has been created in order to best explain what is the .ndpyhss files virus and how to remove it from your computer, plus how to restore .ndpyhss encrypted files.

The .ndpyhss files virus is the type of ransomware which is from the Magniber viruses, using Magniber exploit kit to conduct it’s infection. The virus aims to encrypt the files on the computers that are infected by it, leaving behind the .ndpyhss file suffix and making the files to no longer able to be opened. The end goal of the ransomware is to get the victims to pay a ransom in order to get the crooks to recover the files, encrypted by this infection. However, this is highly inadvisable and if your computer has been infected by this variant of Magniber ransomware, we advise that you read this article and learn how to remove this virus from your PC and restore files, encrypted by it.

Threat Summary

NameMagniber Ransomware
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt the files on your computer and then ask you to pay a hefty ransom fee in order to get the files recovered and working again.
SymptomsFiles are encrypted with an added file extension – .ndpyhss and a ransom note file, called README.txt.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by Magniber Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Magniber Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.ndpyhss Ransomware – Distribution Methods

For the .ndpyhss files virus to be distributed and infect the maximum amount of victims out there, the crooks behind the virus may participate in massive spam campaigns, the purpose of which is to get victims to open a malicious e-mail attachment or click on a malicious web link. The idea behind those e-mails is that they often pretend to come from big and legitimate companies from the likes of:

  • DHL.
  • FedEx.
  • PayPal.
  • eBay.

The e-mails often contain convincing statements embedded within them such as to prompt victims to open e-mail attachments whose main idea is to cause the infection.

In addition to via e-mail, the Magniber ransomware virus may also spread by posing as a legitimate type of file that is upladoaded online while posing as a legitimate file. This basically means that the file may pretend to be:

  • Setup of a program.
  • Game patch or crack.
  • License activator.
  • Key generator.

.ndpyhss Ransomware — Targeted Vulnerabilities

The Magniber ransomware and its associated .ndpyhss virus strain have been found to use various exploits that target specific vulnerabilities. One of the distinct features of this particular threat is that during the 2017 attack campaigns the threat was using a mechanism called filtering gate nick named Magnigate which distributed Cerber ransomware. This particular threat allows the operators to defined specific values that are selected in the targets. This has allowed the criminals to carry out fine-tuned attacks that have plagued several countries in Asia. Their success has provoked other ransomware authors to selectively filter out the intended victims in a similar way.

The Magniber virus was delivered using two specific exploits targeting common vulnerabiliites:

  • CVE-2018-4878 — A use-after-free vulnerability was discovered in Adobe Flash Player before This vulnerability occurs due to a dangling pointer in the Primetime SDK related to media player handling of listener objects. A successful attack can lead to arbitrary code execution.
  • CVE-2018-8174 — A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka “Windows VBScript Engine Remote Code Execution Vulnerability.” This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

.ndpyhss Magniber Ransomware – Infection Activity

Once the .ndpyhss files variant of Magniber ransomware are dropped on the victims computers, the malware uses several modules which are dropped on the infected machine:

Main Infection Module – This module has a trojan-like capabilities which could turn the ransomware into spyware to steal and take control of computers.
Data Theft modules – they may be used to steal sensitive data, such as passwords, financial information or files.
Additional Malware dropper – this module may update the existing virus files or download another virus on the infected computer.

The malicious files are copied to a folder, which may also be changed after this happens. As soon as this is done, the malware’s files are changed into radnom names and may exist in te following Windows directories:

  • %Temp%
  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%

In addtion to this, the ransomware may also spawn processes as an administrator to perform various malicious activities such as information gathering activities that check if the virus is ran on a real system or a virtual drive and if that is the case, the malware may start to delete itself and will never run encryption. But if it’s running on an actual computer, it may start to drop it’s ransom note file, called README.txt, which contains instructions on how to pay a hefty ransom fee in order to restore the files that have been encrypted by this virus. The ransom note usually leads victims to the payment page of Magniber ransomware, which looks somewhat like the following:

In addition to instructions on how to pay the ransom, the virus may also provide the free decryption of 1 file to the victims, to prove that this blackmainling works.

.ndpyhss Files Virus – Encryption Process

For this variant to encrypt the files on the victims’ computers, it uses a pre-set list of file extensions which it targets for encryption. If those types of files are detected within the victim’s computer, the ransomware virus encrypts them:

→ docx xls xlsx ppt pptx pst ost msg em vsd vsdx csv rtf 123 wks wk1 pdf dwg
onetoc2 snt docb docm dot dotm dotx xlsm xlsb xlw xlt xlm xlc xltx xltm pptm
pot pps ppsm ppsx ppam potx potm edb hwp 602 sxi sti sldx sldm vdi vmx gpg
aes raw cgm nef psd ai svg djvu sh class jar java rb asp php jsp brd sch dch
dip vb vbs ps1 js asm pas cpp cs suo sln ldf mdf ibd myi myd frm odb dbf db
mdb accdb sq sqlitedb sqlite3 asc lay6 lay mm sxm otg odg uop std sxd otp
odp wb2 slk dif stc sxc ots ods 3dm max 3ds uot stw sxw ott odt pem p12 csr
crt key pfx der 1cd cd arw jpe eq adp odm dbc frx db2 dbs pds pdt dt cf cfu
mx epf kdbx erf vrp grs geo st pff mft efd rib ma lwo lws m3d mb obj x3d c4d
fbx dgn 4db 4d 4mp abs adn a3d aft ahd alf ask awdb azz bdb bib bnd bok btr
cdb ckp clkw cma crd dad daf db3 dbk dbt dbv dbx dcb dct dcx dd df1 dmo dnc
dp1 dqy dsk dsn dta dtsx dx eco ecx emd fcd fic fid fi fm5 fo fp3 fp4 fp5
fp7 fpt fzb fzv gdb gwi hdb his ib idc ihx itdb itw jtx kdb lgc maq mdn mdt
mrg mud mwb s3m ndf ns2 ns3 ns4 nsf nv2 nyf oce oqy ora orx owc owg oyx p96
p97 pan pdb pdm phm pnz pth pwa qpx qry qvd rctd rdb rpd rsd sbf sdb sdf spq
sqb stp str tcx tdt te tmd trm udb usr v12 vdb vpd wdb wmdb xdb xld xlgc zdb
zdc cdr cdr3 abw act aim ans apt ase aty awp awt aww bad bbs bdp bdr bean
bna boc btd cnm crw cyi dca dgs diz dne docz dsv dvi dx eio eit emlx epp err
etf etx euc faq fb2 fb fcf fdf fdr fds fdt fdx fdxt fes fft flr fodt gtp frt
fwdn fxc gdoc gio gpn gsd gthr gv hbk hht hs htc hz idx ii ipf jis joe jp1 jrtf
kes klg knt kon kwd lbt lis lit lnt lp2 lrc lst ltr ltx lue luf lwp lyt lyx man
map mbox me mel min mnt mwp nfo njx now nzb ocr odo of oft ort p7s pfs pjt prt
psw pu pvj pvm pwi pwr qd rad rft ris rng rpt rst rt rtd rtx run rzk rzn saf
sam scc scm sct scw sdm sdoc sdw sgm sig sla sls smf sms ssa sty sub sxg tab
tdf tex text thp tlb tm tmv tmx tpc tvj u3d u3i unx uof upd utf8 utxt vct vnt
vw wbk wcf wgz wn wp wp4 wp5 wp6 wp7 wpa wpd wp wps wpt wpw
wri wsc wsd wsh wtx
xd xlf xps xwp xy3 xyp xyw ybk ym zabw zw abm afx agif agp aic albm apd apm
apng aps apx art asw bay bm2 bmx brk brn brt bss bti c4 ca cals can cd5 cdc
cdg cimg cin cit colz cpc cpd cpg cps cpx cr2 ct dc2 dcr dds dgt dib djv dm3
dmi vue dpx wire drz dt2 dtw dv ecw eip exr fa fax fpos fpx g3 gcdp gfb gfie
ggr gih gim spr scad gpd gro grob hdp hdr hpi i3d icn icon icpr iiq info ipx
itc2 iwi j2c j2k jas jb2 jbig jbmp jbr jfif jia jng jp2 jpg2 jps jpx jtf jw
jxr kdc kdi kdk kic kpg lbm ljp mac mbm mef mnr mos mpf mpo mrxs my ncr nct
nlm nrw oc3 oc4 oc5 oci omf oplc af2 af3 asy cdmm cdmt cdmz cdt cmx cnv csy
cv5 cvg cvi cvs cvx cwt cxf dcs ded dhs dpp drw dxb dxf egc emf ep eps epsf
fh10 fh11 fh3 fh4 fh5 fh6 fh7 fh8 fif fig fmv ft10 ft11 ft7 ft8 ft9 ftn fxg
gem glox hpg hpg hp idea igt igx imd ink lmk mgcb mgmf mgmt mt9 mgmx mgtx
mmat mat ovp ovr pcs pfv plt vrm pobj psid rd scv sk1 sk2 ssk stn svf svgz
tlc tne ufr vbr vec vm vsdm vstm stm vstx wpg vsm xar ya orf ota oti ozb
ozj ozt pa pano pap pbm pc1 pc2 pc3 pcd pdd pe4 pef pfi pgf pgm pi1 pi2 pi3
pic pict pix pjpg pm pmg pni pnm pntg pop pp4 pp5 ppm prw psdx pse psp ptg
ptx pvr px pxr pz3 pza pzp pzs z3d qmg ras rcu rgb rgf ric riff rix rle rli
rpf rri rs rsb rsr rw2 rw s2mv sci sep sfc sfw skm sld sob spa spe sph spj
spp sr2 srw wallet jpeg jpg vmdk arc paq bz2 tbk bak tar tgz gz 7z rar zip
backup iso vcd bmp png gif tif tiff m4u m3u mid wma flv 3g2 mkv 3gp mp4 mov
avi asf mpeg vob mpg wmv fla swf wav mp3

But this variant of Magniber ransomware is also a clever one, which skips encrypting files In several important Windows folders in order to leave the infected machine intact and functional. The folders in it’s so-called “whitelist” appear like the following:

→ :\documents and settings\all users\
:\documents and settings\default user\
:\documents and settings\localservice\
:\documents and settings\networkservice\
\local settings\
\public\music\sample music\
\public\pictures\sample pictures\
\public\videos\sample videos\
\tor browser\
\program files (x86)
\program files
\system volume information

After the encryption process has completed, the Magniber ransomware virus assigns often a random file extension, one variant of which was detected by researcher Michael Gillespie to use the .ndpyhss file extension. The files appear like the following after they have been encrypted by Magniber Ransomware:

Remove Magiber Ransomware and Restore Encrypted Files

In order to remove this version of Magniber ransomware, we recommend that you follow the removal instructions underneath this article. They have been divided in manual and automatic removal methods. If manual removal is not something you feel certain in doing, reccomendations are to automatically remove this ransomware, with the aid of an advanced anti-malware software. It’s main purpose is to help you to automatically remove this threat by scanning for it and then deleting all of the associated objects as well as ensuring future protection in real-time as well.

If you want to restore files that have been encrypted by this ransomware infection, you can try using the newly released decryptor for Magniber ranosmware. In addition to this, if this decryptor does not work out for you, you can attempt using the alternative methods for file recovery in step “2. Restore files, encrypted by Magniber Ransomware”. They may not be 100% guarantee to be able to restore all of your encrypted files, but may help you recover some or more of them.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share