A very dangerous ransomware virus has been reported to infect systems and not encrypt but permanently destroy the files. Malware researchers believed that there was most likely a mistake in the coding of the virus which results to the permanent damaging of videos, music, documents, images and other important files. Despite this, the created of the virus may be unaware of the mistake and drops ransom notes in .txt files, named HELP_ME_PLEASE and !_RECOVERY_HELP_!. Whatever the case may be, after infection by the Nhtnwcuf virus, recommendations are to not pay any form of ransom. Instead, we advise you to read this article and learn how to remove it and try to get back at least some of the files.
|Short Description||The malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals. This particular virus also breaks the files permanently|
|Symptoms||The user may witness ransom notes and “instructions” to pop-out on his PC. Paying the ransom will not recover files.|
|Detection Tool|| See If Your System Has Been Affected by Nhtnwcuf |
Malware Removal Tool
|User Experience||Join our forum to Discuss Nhtnwcuf.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Nhtnwcuf Virus – How Does It Infect
For the infection process, this ransomware takes advantage primarily of the most widely used methods. The Nhtnwcuf virus may utilize malicious e-mail spam campaigns that contain convincing messages in them. These campaigns include a pre-configured list of e-mail addresses to which the spam is sent. The e-mails themselves may contain deceptive messages to get victims to open a malicious e-mail attachment which is uploaded In an archive. To learn how to protect yourself from such e-mails in the future, please check the related article below.
Other forms of infection that may be associated with the Nhtnwcuf ransomware, may include the infecting of the user via fake installers, fake updaters of programs or pretending-to-be game patches or cracks. Besides shady websites, these fraudulent applications may be uploaded on torrent websites as well.
Sometimes, infection can even take place via a malicious pop-up, like the case of the latest Spora ransomware virus.
Once the user opens a malicious executable, the infection becomes immediate, because this file drops the payload of the Nhtnwcuf Virus. The payload may consist of more than one files, besides the ransom notes of the virus and may be dropped within the usual targeted Windows folders, where malware tends to reside. What is more, the files may be dropped under different names:
Nhtnwcuf Virus – Further Analysis
Once an infection has taken place, the virus may run a process in the background of your computer, in an incognito mode. You may not notice the process, but it may be running in the Windows Task Manager. These processes may modify different settings of the computer such as disable antivirus programs, touch important files of Windows and also modify the Registry Editor. The registry editor modifications are done to run the malicious executable which encrypts important files on Windows boot up. The usually targeted registry entries for this to happen are:
In these registry sub-keys, value strings may be created by the Nhtnwcuf threat which may point out the location of the malicious executable.
In addition to this, the processes of Nhtnwcuf may also delete any chance of backing up the files. One method is if the virus is programmed to delete the shadow volume copies of an infected computer. These shadow copies are usually deleted if the malware executes variations of the following command:
Usually, this activity happens in the background and the user cannot stop it while it is happening. Fake system errors may appear or the PC may restart.
Nhtnwcuf Ransomware – Encryption
The encryption of this ransomware is coded in a very poor manner. This is primarily because the Nhtnwcuf
Virus does not just encrypt the files and generate unique keys for decryption. Instead, a mistake in it’s code makes the virus able to completely destroy the files, making them no longer openable and even unable to be unlocked if you pay the ransom.
The files that may be encrypted by Nhtnwcuf may be of the following file types:
→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PR .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”Source:fileinfo.com
Nhtnwcuf Ransomware – How to Delete It and Get Back the Files
For the removal of Nhtnwcuf Ransomware it is advisable to follow the removal instructions below. They are carefully created so that certain steps can be taken to isolate and then remove the virus files from your computer. If you lack the experience in manually hunting down and removing malicious files associated with malware, experts recommend using an advanced anti-malware tool. Such program will scan the computer and safely remove all objects associated with Nhtnwcuf Ransomware and in addition, protect the system in the future too.
Regarding file recovery, there are several alternative methods that you can attempt, despite the devastating caused by Nhtnwcuf Ransomware. We have mentioned them below in step “2. Restore files encrypted by Nhtnwcuf Ransomware”. They may not be 100% effective but users on our forums report that they have recovered up to 90 files using some of those methods.