Berta is a dedicated malware researcher, dreaming of a more secure cyberspace. Her fascination with IT security began a few years ago when malware locked her out of her own computer.
This article will aid you in removing .NM4 File Virus fully. Follow the ransomware removal instructions at the end of the article.
.NM4 file virus is ransomware, the latest variant of the R cryptovirus, which is believed to stem from NMoreira ransomware. The .NM4 extension is appended to every file which gets encrypted. After the encryption process, the virus will leave a ransom note with instructions to visit a Web page hosted on the TOR network for payment. Keep on reading below to see how you could try to potentially restore some of your files.
Threat Summary
Name: NM4
Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts files on your computer and leaves a note demanding that you visit a TOR page regarding the ransom payment.
Symptoms: The ransomware will encrypt your files and then append the .NM4 extension to all of the encrypted files.
Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.
.NM4 File Virus – Infection
The .NM4 file virus could distribute its infection through many diverse methods. One method that is observed to be very commonly utilized is with the help of a payload file. That file launches the malicious script of the ransomware, which in turn infects your computer device. Such payloads are currently spread around the Internet and you should be cautious when browsing the Web.
.NM4 file virus could also distribute its payload file on social media websites and file-sharing networks. Freeware applications which are found on the Web could be presented as useful but at the same time could hide the malicious script for the cryptovirus. Avoid opening files straight away after you have downloaded them. That stands especially for ones that came from sources like suspicious e-mails or links. What you should rather do is to scan files before opening them with a security tool, while also checking their size and signatures for anything dubious. You should read the ransomware prevention tips in our forums.
.NM4 File Virus – Analysis
The .NM4 file virus is a type of ransomware which will encrypt your files. This virus will append the .NM4 extension to all files that it encrypts. Malware researchers have discovered that the ransomware is a variant of the R Ransomware Virus, which very probably stems from NMoreira / AiraCrop ransomware. The NMoreira 4 variant (dubbed NM4) has a new extension, name and payment pages.
The .NM4 file virus could make entries in the Windows Registry to achieve persistence, launch and repress processes in Windows. Some entries are designed in a way that will start the virus automatically with each launch of the Windows Operating System, and one such entry is outlined right here:
The ransom note will show up in your computer after the encryption process is set and done. The note is written in English, but that doesn’t mean only English-speaking users are being targeted, as everybody could get their PC infected. Inside the file, you will see instructions for how to allegedly get your files restored. The ransom note is inside a file named “Recovers your files.html”.
The Recovers your files.html file will load the following message, upon opening:
The ransom note states the following:
Your Key: [redacted]
Encrypted files! All your files are encrypted.Using AES256-bit encryption and RSA-2048-bit encryption. Making it impossible to recover files without the correct private key. If you are interested in getting is the key and recover your files You should proceed with the following steps.
The only way to decrypt your files safely is to buy the Descrypt and Private Key software. Any attempts to restore your files with the third-party software will be fatal for your files! To proceed with the purchase you must access one of the link below
If neither of the links is online for a long period of time, there is another way to open it, you should install the Tor Browser
If your personal page is not available for a long period there is another way to open your personal page – installation and use of Tor Browser:
1. run your Internet browser (if you do not know what it is run the Internet Explorer); 2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER; 3. wait for the site loading; 4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed; 5. run Tor Browser; 6. connect with the button ‘Connect’ (if you use the English version); 7. a normal Internet browser window will be opened after the initialization; 8. type or copy the address https://3fprihycwetwk2m7.onion in this browser address bar; 9. press ENTER; 10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or use of Tor Browser, please, visit https://www.youtube.com and type request in the search bar ‘Install Tor Browser Windows’ and you will find a lot of training videos about Tor Browser installation and use.
Your Key: [redacted]
The makers of the NM4 ransomware are using the TOR network for their ransom payment pages. The following three addresses are currently being used:
https://3fprihycwetwk2m7.onion
https://3fprihycwetwk2m7.onion.link
https://3fprihycwetwk2m7.onion.to
Upon loading any of the three URLs provided above, the following “Login” page will load:
From there, you will be asked to enter your ID and the following message about ransom payment will show:
From the above picture, you can clearly see that the cybercriminals who own the .NM4 file virus demand a ransom price of 3 Bitcoin, which equates to nearly 3.858 US dollars. You should NOT under any circumstances contact the cybercriminals, nor pay up. Nobody could give you a guarantee that your files will get recovered if you pay the ransom. Besides, financially supporting cybercriminals is a genuinely bad idea. That will probably inspire the crooks to continue making ransomware viruses or get involved in more criminal activities.
.NM4 File Virus – Encryption
The .NM4 file virus ransomware will encrypt files on your PC, which are from these file type categories:
Audio
Video
Database
Document
Picture
Currently, a list with file extensions which could be targeted is non-existent. The article will get duly updated if such a list is discovered. Every file that gets encrypted will receive the .NM4 extension appended to it. In the encryption process, a mixture of both the AES and RSA algorithms is being used. More precisely, AES 256-bit and RSA 2048-bit algorithms are used, or at least that is according to the ransom note.
The .NM4 file virus cryptovirus erases the Shadow Volume Copies from the Windows operating system. That makes the encryption process more viable since it eliminates one of the ways for file decryption. The following command with one or more subcommands is initiated:
vssadmin.exe delete shadows /all /Quiet
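One way to look for that command in process-creation logs, as an added Python example that is not part of the original article. The sample command lines are constructed, and the function names are assumptions of this example.

```python
import re

# Constructed sample command lines, shaped like the CommandLine field of a
# process-creation record (Sysmon Event ID 1 / Security Event ID 4688).
SAMPLE_EVENTS = [
    r'vssadmin.exe delete shadows /all /Quiet',                    # as in the article
    r'"C:\Windows\System32\VSSADMIN.EXE"  Delete  Shadows /All /quiet',
    r'cmd.exe /c "vssadmin delete shadows /all /quiet"',           # wrapped in a shell
    r'vssadmin.exe list shadows',                                  # benign inventory
    r'notepad.exe "C:\notes\vssadmin delete shadows.txt"',         # only a file name
]


def image_name(token):
    """Reduce a path such as c:\\windows\\system32\\vssadmin.exe to 'vssadmin'."""
    name = re.split(r'[\\/]', token)[-1]
    return name[:-4] if name.endswith('.exe') else name


def find_shadow_deletion(cmdline):
    """Return the flags of a 'vssadmin delete shadows' call, or None if absent."""
    toks = [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    for i, tok in enumerate(toks):
        if ' ' in tok:
            # A quoted argument can carry a whole command (cmd.exe /c "...").
            inner = find_shadow_deletion(tok)
            if inner is not None:
                return inner
        if image_name(tok) == 'vssadmin' and toks[i + 1:i + 3] == ['delete', 'shadows']:
            flags = set(toks[i + 3:])
            return {'all': '/all' in flags, 'quiet': '/quiet' in flags}
    return None


def triage(events):
    """Return (index, flags) for every event that deletes shadow copies."""
    hits = []
    for index, cmdline in enumerate(events):
        flags = find_shadow_deletion(cmdline)
        if flags is not None:
            hits.append((index, flags))
    return hits


if __name__ == '__main__':
    for index, flags in triage(SAMPLE_EVENTS):
        scope = 'all copies' if flags['all'] else 'selected copies'
        mode = 'silently' if flags['quiet'] else 'with prompt'
        print(f'event {index}: shadow copies deleted ({scope}, {mode})')
```

Matching on the parsed tokens rather than on the raw string keeps the check independent of letter case, quoting and the full path of the executable.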
Continue reading and see what ways you can try out to potentially recover some of your data.
Remove .NM4 File Virus and Restore Your Files
In case your computer got infected with the .NM4 file virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread deeper and infect more computer systems. You should remove this ransomware and follow the step-by-step instructions guide provided down below.
To remove NM4 follow these steps:
1. Boot Your PC In Safe Mode to isolate and remove NM4 files and objects
Boot Your PC Into Safe Mode
1. For Windows XP, Vista and 7. 2. For Windows 8, 8.1 and 10. Fix registry entries created by malware and PUPs on your PC.
For Windows XP, Vista and 7 systems:
1. Remove all CDs and DVDs, and then Restart your PC from the “Start” menu.
2. Select one of the two options provided below:
– For PCs with a single operating system: Press “F8” repeatedly after the first boot screen shows up during the restart of your computer. In case the Windows logo appears on the screen, you have to repeat the same task again.
– For PCs with multiple operating systems: The arrow keys will help you select the operating system you prefer to start in Safe Mode. Press “F8” just as described for a single operating system.
3. As the “Advanced Boot Options” screen appears, select the Safe Mode option you want using the arrow keys. As you make your selection, press “Enter”.
4. Log on to your computer using your administrator account.
While your computer is in Safe Mode, the words “Safe Mode” will appear in all four corners of your screen.
For Windows 8, 8.1 and 10 systems:
Step 1: Open up the Start Menu.
Step 2: Click on the Power button (for Windows 8 it is the little arrow next to the “Shut Down” button) and whilst holding down “Shift” click on Restart.
Step 3: After reboot, a blue menu with options will appear. From them you should choose Troubleshoot.
Step 4: You will see the Troubleshoot menu. From this menu choose Advanced Options.
Step 5: After the Advanced Options menu appears, click on Startup Settings.
Step 6: From the Startup Settings menu, click on Restart.
Step 7: A menu will appear upon reboot. You can choose any of the three Safe Mode options by pressing its corresponding number and the machine will restart.
Some malicious scripts may modify the registry entries on your computer to change different settings. This is why cleaning your Windows Registry Database is recommended. Since the tutorial on how to do this is a bit long, and tampering with the registry could damage your computer if not done properly, you should refer to and follow our instructive article about fixing registry entries, especially if you are inexperienced in that area.
2. Find files created by NM4 on your PC
1. For Windows 8, 8.1 and 10. 2. For Windows XP, Vista, and 7.
For Newer Windows Operating Systems
Step 1:
On your keyboard, press the Windows key + R, type explorer.exe in the Run text box, and then click on the OK button.
Step 2:
Click on your PC from the quick access bar. This is usually an icon with a monitor and its name is either “My Computer”, “My PC” or “This PC” or whatever you have named it.
Step 3:
Navigate to the search box in the top-right of your PC’s screen and type “fileextension:” and after which type the file extension. If you are looking for malicious executables, an example may be “fileextension:exe”. After doing that, leave a space and type the file name you believe the malware has created. Here is how it may appear if your file has been found:
N.B. We recommend waiting for the green loading bar in the navigation box to fill up in case the PC is looking for the file and hasn’t found it yet.
For Older Windows Operating Systems
In older Windows OS’s the conventional approach should be the effective one:
Step 1:
Click on the Start Menu icon (usually on your bottom-left) and then choose the Search preference.
Step 2:
After the search window appears, choose More Advanced Options from the search assistant box. Another way is by clicking on All Files and Folders.
Step 3:
After that type the name of the file you are looking for and click on the Search button. This might take some time after which results will appear. If you have found the malicious file, you may copy or open its location by right-clicking on it.
Now you should be able to discover any file on Windows as long as it is on your hard drive and is not concealed via special software.
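The same search done by script for the two indicators the article gives, the .NM4 extension and the “Recovers your files.html” note, as an added Python example that is not part of the original article. The function names are assumptions, and the time window relies on the ransomware not having reset file timestamps.

```python
import os
import sys
from datetime import datetime, timezone

ENCRYPTED_EXT = '.nm4'                   # extension the article says is appended
NOTE_NAME = 'recovers your files.html'   # ransom note file name from the article


def survey(root):
    """Map each affected directory under root to what the indicators show there."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        lowered = [(f, f.lower()) for f in files]
        encrypted = [f for f, low in lowered if low.endswith(ENCRYPTED_EXT)]
        notes = [f for f, low in lowered if low == NOTE_NAME]
        if not encrypted and not notes:
            continue
        mtimes = [os.path.getmtime(os.path.join(dirpath, f)) for f in encrypted]
        report[dirpath] = {
            'encrypted': len(encrypted),
            'untouched': len(files) - len(encrypted) - len(notes),
            'note': bool(notes),
            'first_write': min(mtimes) if mtimes else None,
            'last_write': max(mtimes) if mtimes else None,
        }
    return report


def encryption_window(report):
    """Earliest and latest write to any .NM4 file, as UTC datetimes (or None).

    Assumption: the ransomware did not reset timestamps, so the modification
    time of an encrypted file marks when it was rewritten.
    """
    starts = [d['first_write'] for d in report.values() if d['first_write'] is not None]
    ends = [d['last_write'] for d in report.values() if d['last_write'] is not None]
    if not starts:
        return None
    as_utc = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc)
    return as_utc(min(starts)), as_utc(max(ends))


if __name__ == '__main__':
    root = sys.argv[1] if len(sys.argv) > 1 else '.'
    found = survey(root)
    for path, info in sorted(found.items()):
        print(f"{path}: {info['encrypted']} encrypted, "
              f"{info['untouched']} untouched, note={'yes' if info['note'] else 'no'}")
    window = encryption_window(found)
    if window:
        print(f'encryption window (UTC): {window[0]:%Y-%m-%d %H:%M:%S} '
              f'to {window[1]:%Y-%m-%d %H:%M:%S}')
```

The per-directory counts show how far the encryption got, and the window gives a starting point for lining up log entries from the same period.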
IMPORTANT! Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode. This will enable you to install and use SpyHunter 5 successfully.
Use SpyHunter to scan for malware and unwanted programs
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
Scan your PC and Remove NM4 with SpyHunter Anti-Malware Tool and back up your data
1. Install SpyHunter to scan for NM4 and remove them. 2. Scan with SpyHunter, Detect and Remove NM4. Back up your data to secure it from malware in the future.
Step 1: Click on the “Download” button to proceed to SpyHunter’s download page.
It is recommended to run a scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.
Step 2: Guide yourself by the download instructions provided for each browser.
Step 3: After you have installed SpyHunter, wait for it to update automatically.
Step 1: After the update process has finished, click on the ‘Malware/PC Scan’ tab. A new window will appear. Click on ‘Start Scan’.
Step 2: After SpyHunter has finished scanning your PC for any files of the associated threat and found them, you can try to get them removed automatically and permanently by clicking on the ‘Next’ button.
Step 3: If any threats have been removed, it is highly recommended to restart your PC.
Back up your data to secure it against attacks in the future
IMPORTANT! Before reading the Windows backup instructions, we highly recommend to back up your data with a cloud backup solution and insure your files against any type of loss, even from the most severe threats. We recommend you to read more about it and to download SOS Online Backup.
4. Try to Restore files encrypted by NM4
Ransomware infections and NM4 aim to encrypt your files using an encryption algorithm which may be very difficult to decrypt. This is why we have suggested several alternative methods that may help you go around direct decryption and try to restore your files. Bear in mind that these methods may not be 100% effective but may also help you a little or a lot in different situations.
Method 1: Scanning your drive’s sectors by using Data Recovery software. Another method for restoring your files is by trying to bring back your files via data recovery software. Here are some suggestions for preferred data recovery software solutions:
Method 2: Trying Kaspersky and EmsiSoft’s decryptors. If the first method does not work, we suggest trying to use decryptors for other ransomware viruses, in case your virus is a variant of them. The two primary developers of decryptors are Kaspersky and EmsiSoft, links to which we have provided below:
To restore your data in case you have backup set up, it is important to check for Volume Shadow Copies, if ransomware has not deleted them, in Windows using the below software:
Method 4: Finding the decryption key while the cryptovirus sends it over a network via a sniffing tool.
Another way to decrypt the files is by using a Network Sniffer to get the encryption key, while files are encrypted on your system. A Network Sniffer is a program and/or device monitoring data traveling over a network, such as its internet traffic and internet packets. If you have a sniffer set before the attack happened you might get information about the decryption key. See how-to instructions below:
Having just dealt with this in a commercial environment can I comment on this article? This is one of the smartest pieces of kit I have seen in a while and bucks the trend. This is not a standard cryptlocker routine. It can not be dealt with traditionally. While easy to isolate in home situation, it's a nightmare in the corporate realm. The rate of infection is nuts, and it is NOT a blanket crypto toolkit. It's a focused clusterfuck. It allows users a false sense of work-aroundness while it cripples systems. In my experience its payload seems to affect the windows driver payload.
In networks, the symptom is printing issues. Followed by windows services and apps just not working as it targets very specific windows systems.
This is not a simple, run the malware app and walk away. When infected it's a burn everything and start over remedy.
Its flaw is its own speed.
Don't be fooled. This is devilish criminality.
Hey Mark, Did you have any luck decrypting any files?
Hello Corey. Our variant mainly affected system files and databases. Actual data files were left untouched. Attempting decrypt was pointless.
We had no choice other than to rebuild from the ground up, while taking the opportunity to remove and replace insecure XP machines and bad security practices along the way.
Hello, any updates on how to restore files affected by the nm4 ransomware? I’m dealing with this now on my office server.