Nhtnwcuf Ransomware Virus (Restore Damaged Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

Nhtnwcuf Ransomware Virus (Restore Damaged Files)

This article was created to help you cope with the aftermath of infection by Nhtnwcuf ransomware, which drops the ransom notes !_RECOVERY_HELP_!.txt and HELP_ME_PLEASE.txt.

A very dangerous ransomware virus has been reported to infect systems and, rather than encrypting files, permanently destroy them. Malware researchers believe that this is most likely caused by a mistake in the coding of the virus, which results in permanent damage to videos, music, documents, images and other important files. Despite this, the creator of the virus may be unaware of the mistake, and the virus still drops ransom notes in .txt files named HELP_ME_PLEASE and !_RECOVERY_HELP_!. Whatever the case may be, the recommendation after infection by the Nhtnwcuf virus is not to pay any form of ransom. Instead, we advise you to read this article to learn how to remove it and try to get back at least some of the files.

Threat Summary

Name: Nhtnwcuf
Type: Ransomware
Short Description: The malware encrypts users' files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals. This particular virus also breaks the files permanently.
Symptoms: The user may see ransom notes and “instructions” pop up on the PC. Paying the ransom will not recover files.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files, and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Nhtnwcuf Virus – How Does It Infect

For the infection process, this ransomware relies primarily on the most widely used methods. The Nhtnwcuf virus may utilize malicious e-mail spam campaigns that contain convincing messages. These campaigns use a pre-configured list of e-mail addresses to which the spam is sent. The e-mails themselves may contain deceptive messages that get victims to open a malicious e-mail attachment, which is delivered in an archive. To learn how to protect yourself from such e-mails in the future, please check the related article below.

Other forms of infection that may be associated with the Nhtnwcuf ransomware include fake installers, fake program updaters, and files pretending to be game patches or cracks. Besides shady websites, these fraudulent applications may be uploaded to torrent websites as well.

Sometimes, infection can even take place via a malicious pop-up, as in the case of the latest Spora ransomware virus.

Once the user opens a malicious executable, the infection is immediate, because this file drops the payload of the Nhtnwcuf virus. The payload may consist of more than one file besides the ransom notes of the virus, and the files may be dropped within the usual targeted Windows folders, where malware tends to reside. What is more, the files may be dropped under different names:

Nhtnwcuf Virus – Further Analysis

Once an infection has taken place, the virus may run a process in the background of your computer, hidden from view. You may not notice the process, but it may be running in the Windows Task Manager. These processes may modify different settings of the computer, such as disabling antivirus programs, touching important Windows files and modifying the Windows Registry. The registry modifications are made so that the malicious executable which encrypts important files runs on Windows boot-up. The registry entries usually targeted for this are:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

In these registry sub-keys, the Nhtnwcuf threat may create value strings that point to the location of the malicious executable.
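The four autorun keys listed above can be reviewed read-only with PowerShell. This is an added example, not part of the original article or of any vendor tool; the list of user-writable folders and the helper name Get-AutorunTarget are assumptions made for illustration.

```powershell
# Read-only audit of the four autorun keys listed in the article.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: user-writable folders where dropped payloads commonly sit.
# The article names no specific folders; adjust this list for your environment.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ }

function Get-AutorunTarget {
    param([string]$Command)
    # Hypothetical helper: pull the program path out of an autorun command line.
    # Handles a quoted path, then an unquoted path ending in a known extension.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.(exe|com|scr|pif|bat|cmd|dll|js|vbs|wsf))(\s|,|$)') {
        return $Matches[1]
    }
    return ($expanded.Trim() -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $raw = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        [string]$target = Get-AutorunTarget -Command $raw
        $exists = $target -and (Test-Path -LiteralPath $target -PathType Leaf -ErrorAction SilentlyContinue)
        # Bare names such as rundll32.exe are not resolved via PATH here.
        $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'NotResolved' }
        $writable = [bool]($suspectRoots | Where-Object {
            $target.StartsWith("$_\", [StringComparison]::OrdinalIgnoreCase) })
        [pscustomobject]@{
            Key               = $key
            Name              = $name
            Command           = $raw
            Target            = $target
            Signature         = $sig
            InUserWritableDir = $writable
        }
    }
}

# Entries in user-writable folders are listed first for review.
$report | Sort-Object InUserWritableDir -Descending | Format-List
```

The script changes nothing; entries that are unsigned and sit in a user-writable folder are the ones to examine before removing any value.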

In addition to this, the processes of Nhtnwcuf may also eliminate the chance of restoring the files from backups. One way this happens is if the virus is programmed to delete the shadow volume copies of an infected computer. These shadow copies are usually deleted if the malware executes variations of the following command:

Usually, this activity happens in the background and the user cannot stop it while it is happening. Fake system errors may appear or the PC may restart.

Nhtnwcuf Ransomware – Encryption

The encryption of this ransomware is coded in a very poor manner. This is primarily because the Nhtnwcuf virus does not just encrypt the files and generate unique keys for decryption. Instead, a mistake in its code makes the virus completely destroy the files, so that they can no longer be opened and cannot be unlocked even if you pay the ransom.

The files that may be encrypted by Nhtnwcuf may be of the following file types:

“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PR .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”
Source: fileinfo.com

Nhtnwcuf Ransomware – How to Delete It and Get Back the Files

For the removal of Nhtnwcuf Ransomware it is advisable to follow the removal instructions below. They are carefully created so that certain steps can be taken to isolate and then remove the virus files from your computer. If you lack experience in manually hunting down and removing malicious files associated with malware, experts recommend using an advanced anti-malware tool. Such a program will scan the computer, safely remove all objects associated with Nhtnwcuf Ransomware and, in addition, protect the system in the future.

Regarding file recovery, there are several alternative methods that you can attempt, despite the devastation caused by Nhtnwcuf Ransomware. We have mentioned them below in step “2. Restore files encrypted by Nhtnwcuf Ransomware”. They may not be 100% effective, but users on our forums report that they have recovered up to 90 files using some of those methods.

Manually delete Nhtnwcuf from your computer

Note! Substantial notification about the Nhtnwcuf threat: Manual removal of Nhtnwcuf requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Nhtnwcuf files and objects
2. Find malicious files created by Nhtnwcuf on your PC

Automatically remove Nhtnwcuf by downloading an advanced anti-malware program

1. Remove Nhtnwcuf with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Nhtnwcuf
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
