NK_ File Virus Remove and Restore Data

This article shows how to remove the NK_ file ransomware (SQ_ variant) and restore files that were encrypted and had the nk_ prefix added to them.

A ransomware infection that adds the nk_ file prefix to the files it encrypts has been reported active in the wild. The virus infects via different methods and, after infection, demands that victims pay a hefty sum (4 BitCoins) to get the files it has encoded back to a working state. If you have become a victim of the NK_ file ransomware, we recommend reading this article thoroughly.

Threat Summary

Name: NK_ Virus
Type: Ransomware
Short Description: The NK_ ransomware is an evolved variant of the SQ_ ransomware virus. Encrypts files then demands a 4 BTC ransom payoff.
Symptoms: The user may witness ransom notes and “instructions”, called NK_ IN YOUR FILES.txt. The file prefix nk_ may be added.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

NK_ File Virus – How Does It Infect

The infection process of NK_ ransomware begins with its distribution, which is conducted via multiple different methods. One of them is spam e-mails sent out to users, pretending to be legitimate. The e-mails usually contain one of the following:

A web link redirecting to a site where the malicious file is uploaded.
A malicious archive uploaded as an e-mail attachment.

These two malicious objects may also be accompanied by deceitful messages that aim to convince the victims of this ransomware virus to open the attachments or click on the web links. They may resemble invoice notices, notifications of suspicious activity on your bank account and even fake LinkedIn, PayPal, eBay or Facebook messages with the same images and content as the original e-mails. This is why users should know how to protect themselves from malicious e-mails as well as archives.

In addition to these methods, other methods of malware replication may also be used. They usually include fake updater programs, fake software licensing programs and game cracks that contain malicious code. Such files may be uploaded to suspicious websites and to websites that offer torrent downloads.

NK_ File Virus – Infection Activity

After the user opens the malicious file carrying NK_ ransomware, multiple types of files, including the ransom note NK_ IN YOUR FILES.txt, may be dropped onto the user's computer. The files may assume different names and be located in different Windows folders, for example:

As soon as the malicious files belonging to the NK_ file virus are dropped on the user's computer, the ransomware may begin to delete the shadow volume copies on it. These shadow copies are essentially backups of the files in pre-selected important Windows folders. The commands by which the NK_ ransomware may delete these backups without the victim noticing are the following:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

These commands permanently delete the shadow copies without the user noticing. In addition, the ransomware heavily interferes with Windows registry entries, creating multiple registry value strings which may reside in the following Windows sub-keys:

→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Other malicious activities associated with this ransomware virus include running false processes that imitate legitimate Windows hosts, like svchost.exe.
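The behaviour described in this section can be turned into detection logic. The following is an added example, not code from the original article: it checks process-creation events for the shadow-copy and recovery commands listed above and for an svchost.exe image running outside the Windows system directories. The event field names, the sample events and the default C:\Windows install path are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Patterns built from the commands listed in the article.
RULES = [
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Assumption: default install, where the genuine svchost.exe lives here.
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def classify(event):
    """Return the names of the rules a process-creation event triggers."""
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    image = PureWindowsPath(event["image"])
    if (image.name.lower() == "svchost.exe"
            and str(image.parent).lower() not in SVCHOST_DIRS):
        hits.append("svchost_outside_system_dir")
    return hits

def scan(events):
    """Map the pid of every flagged event to the rules it matched."""
    return {e["pid"]: hits for e in events if (hits := classify(e))}

# Constructed sample events (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4188, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"pid": 4192, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 5016, "image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "cmdline": "svchost.exe"},
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"pid": 6020, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

The same patterns can be applied to command lines exported from process-creation auditing; the benign `vssadmin list shadows` and the genuine svchost.exe are included to show what is not flagged.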

NK_ File Virus – Encryption Process

For its encryption to be successful, NK_ file virus is programmed to target specific files only and skip important files that may damage Windows OS. The files targeted by the NK_ ransomware are most likely important audio files, documents, database files, videos, images and other related file formats. If we had to sum up all the files encrypted by this ransomware infection, most of them would be among the ones in the list below:

“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source: fileinfo.com

After the encryption process is complete, original data of the files is replaced with bytes from the algorithm used by the NK_ ransomware virus, making the files no longer openable. The files may appear like the following image:

Then, the ransomware makes sure the user sees its ransom note text file, which has the following content:

Your computer has been locked by ransomware, your personal files are encrypted and you have unfortunately “lost” all your pictures,

files and documents on the computer. Your important files encryption produced on this computer: videos, photos, documents, etc.

Encryption was produced using a unique public key RSA-1024 generated for this computer. To decrypt files you need to obtain the private key.

All encrypted files contains NK_

Your number:
To obtain the program for this computer, which will decrypt all files, you need to pay
4 bitcoins on our bitcoin address 1Aq3Hfsuy3XiH7HtWMJcNjwCP2Bu39UsGU (today 1 bitcoin was 270). Only we and you know about this bitcoin address.

You can check bitcoin balanse here – https://www.blockchain.info/address/1Aq3Hfsuy3XiH7HtWMJcNjwCP2Bu39UsGU
After payment send us your number on our mail [email protected] and we will send you decryption tool (you need only run it and all files will be decrypted during 1…3 hours)
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it – it’s your garantee that we have decryption tool. And send us your number with attached file.
We dont know who are you. All what we need – it’s some money.
Don’t panic if we don’t answer you during 24 hours. It means that we didn’t received your letter (for example if you use hotmail.com or outlook.com
it can block letter, SO DON’T USE HOTMAIL.COM AND OUTLOOK.COM. You need register your mail account in www.ruggedinbox.com (it will takes 1..2 minutes) and write us again)

You can use one of that bitcoin exchangers for transfering bitcoin.

Bitcoin.co.kr

https://www.korbit.co.kr

https://www.coinplug.com

https://ko-kr.facebook.com/coinplug

https://localbitcoins.com/country/kr

www.youtube.com/watch?v=erVehAHDuel

howtobuybitcoin.info/kr.html

http://bitcoin-printing.com/trade

You dont need install bitcoin software – you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country.

Please use english language in your letters. If you don’t speak english then use https://translate.google.com to translate your letter on english language.

The ransom note also contains versions in other languages.

Remove NK_ Ransomware and Restore Encrypted Files

Before removing NK_ ransomware, we recommend making a backup of the encrypted files, just in case.

For the removal of NK_ ransomware to succeed, we advise isolating the virus first and then looking for its files in a safer environment. This is why we recommend following the steps in the instructions below carefully. For maximum effectiveness during the removal process, malware researchers always advise using advanced anti-malware software, which will make sure that the removal is proper and automatic.

As for file restoration, at the moment there is no free decryption, but we will continue to follow the situation and update this article on any development. In the meantime, we recommend following the alternative methods for recovery of files encrypted by NK_ ransomware below in step “2. Restore files encrypted by NK_ virus”.

Manually delete NK_ Virus from your computer

Note! Substantial notification about the NK_ Virus threat: Manual removal of NK_ Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove NK_ Virus files and objects
2. Find malicious files created by NK_ Virus on your PC

Automatically remove NK_ Virus by downloading an advanced anti-malware program

1. Remove NK_ Virus with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by NK_ Virus
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
