.NM4 File Virus – Remove It and Restore Your Files

.NM4 File Virus – Remove It and Restore Your Files

This article will aid you in removing .NM4 File Virus fully. Follow the ransomware removal instructions at the end of the article.

.NM4 file virus is ransomware, which is the latest variant of the R cryptovirus which is believed to stem from NMoreira ransomware. The .NM4 extension is appended to every file which gets encrypted. After the encryption process, the virus will leave a ransom note with instructions to visit a Web page hosted on the TOR network for payment. Keep on reading below to see how you could try to potentially restore some of your files.

Threat Summary

NameNM4
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware virus encrypts files on your computer machine and leaves a note demanding you visit a TOR page regarding the ransom payment.
SymptomsThe ransomware will encrypt your files and then append the extension .NM4 on all of the encrypted files.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by NM4

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss NM4.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.NM4 File Virus – Infection

The .NM4 file virus could distribute its infection through many diverse methods. One method that is observed to be very commonly utilized is with the help of a payload file. That file launches the malicious script of the ransomware, which in turn infects your computer device. Such payloads are currently spread around the Internet and you should be cautious when browsing the Web.

.NM4 file virus could also distribute its payload file on social media websites and file-sharing networks. Freeware applications which are found on the Web could be presented as useful but at the same time could hide the malicious script for the cryptovirus. Avoid opening files straight away after you have downloaded them. That stands especially for ones that came from sources like suspicious e-mails or links. What you should rather do is to scan files before opening them with a security tool, while also checking their size and signatures for anything dubious. You should read the ransomware prevention tips in our forums.

.NM4 File Virus – Analysis

The .NM4 file virus is a ransomware type, which will encrypt your files. This virus will append the .NM4 extension to all files that it encrypts. Malware researchers have discovered that the ransomware is a variant of the R Ransomware Virus which is very probable to stem from NMoreira / AiraCrop ransomware. The NMoreira 4 variant (dubbed NM4) has a new extension, name and payment pages.

The .NM4 file virus could make entries in the Windows Registry to achieve persistence, launch and repress processes in Windows. Some entries are designed in a way that will start the virus automatically with each launch of the Windows Operating System, and one such entry is outlined right here:

→HKEY_CURRENT_USER\Software\Microsoft\\Windows\CurrentVersion\Run

The ransom note will show up in your computer after the encryption process is set and done. The note is written in English, but that doesn’t mean only English-speaking users are being targeted, as everybody could get their PC infected. Inside the file, you will see instructions for how to allegedly get your files restored. The ransom note is inside a file named “Recovers your files.html”.

The Recovers your files.html file will load the following message, upon opening:

The ransom note states the following:

Your Key: [redacted] Encrypted files!
All your files are encrypted.Using AES256-bit encryption and RSA-2048-bit encryption.
Making it impossible to recover files without the correct private key.
If you are interested in getting is the key and recover your files
You should proceed with the following steps.

The only way to decrypt your files safely is to buy the Descrypt and Private Key software.
Any attempts to restore your files with the third-party software will be fatal for your files!
To proceed with the purchase you must access one of the link below

https://3fprihycwetwk2m7.onion.to/
https://3fprihycwetwk2m7.onion.link/

If neither of the links is online for a long period of time, there is another way to open it, you should install the Tor Browser

If your personal page is not available for a long period there is another way to open your personal page – installation and use of Tor Browser:

1. run your Internet browser (if you do not know what it is run the Internet Explorer);
2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
3. wait for the site loading;
4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
5. run Tor Browser;
6. connect with the button ‘Connect’ (if you use the English version);
7. a normal Internet browser window will be opened after the initialization;
8. type or copy the address https://3fprihycwetwk2m7.onion in this browser address bar;
9. press ENTER;
10. the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or use of Tor Browser, please, visit https://www.youtube.com and type request in the search bar ‘Install Tor Browser Windows’ and you will find a lot of training videos about Tor Browser installation and use.

Your Key: [redacted]

The makers of the NM4 ransomware are using the TOR network for their ransom payment pages. The following three addresses are currently being used:

  • https://3fprihycwetwk2m7.onion
  • https://3fprihycwetwk2m7.onion.link
  • https://3fprihycwetwk2m7.onion.to

Upon loading any of the three URLs provided above, the following “Login” page will load:

From there, you will be asked to enter your ID and the following message about ransom payment will show:

From the above picture, you can clearly see that the cybercriminals who own the .NM4 file virus demand a ransom price of 3 Bitcoin, which equates to nearly 3.858 US dollars. You should NOT under any circumstances contact the cybercriminals, nor pay up. Nobody could give you a guarantee that your files will get recovered if you pay the ransom. Besides, financially supporting cybercriminals is a genuinely bad idea. That will probably inspire the crooks to continue making ransomware viruses or get involved in more criminal activities.

.NM4 File Virus – Encryption

The .NM4 file virus ransomware will encrypt files on your PC, which are from these file type categories:

  • Audio
  • Video
  • Database
  • Document
  • Picture

Currently, a list with file extensions which could be targeted is non-existent. The article will get duly updated if such a list is discovered.Every file that gets encrypted will receive the .NM4 extension appended to it. In the encryption process, a mixture of both the AES and RSA algorithms is being used. More precisely, AES 256-bit and RSA 2048-bit algorithms are used, or at least that is according to the ransom note.

The .NM4 file virus cryptovirus erases the Shadow Volume Copies from the Windows operating system. That makes the encryption process more viable since it eliminates one of the ways for file decryption. The following command with one or more subcommands is initiated:

→vssadmin.exe delete shadows /all /Quiet

Continue reading an see what ways you can try out to potentially recover some of your data.

Remove .NM4 File Virus and Restore Your Files

In case your computer got infected with the .NM4 file virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread deeper and infect more computer systems. You should remove this ransomware and follow the step-by-step instructions guide provided down below.

Manually delete NM4 from your computer

Note! Substantial notification about the NM4 threat: Manual removal of NM4 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove NM4 files and objects
2. Find malicious files created by NM4 on your PC

Automatically remove NM4 by downloading an advanced anti-malware program

1. Remove NM4 with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by NM4
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

3 Comments

  1. Mark Neary

    Having just dealt with this in a comercial envoirnment can I comment on this article? This is one of the smartest pieces of kit I have seen in a while and bucks the trend. This is not a standard cryptlocker routine. It can not be dealt with traditionally. While easy to isolate in home situation, its a nightmare in the corporate realm. The rate of infection is nuts, and it is NOT a blanket crypto toolkit. Its a focoused clusterfuck.It allows users a false sense of work-aroundness while it criple systems. In my experience its payloud seems to effect the windows driver payload.
    In networks, the sympton is printing issues. Followed by windows services and apps just not working as it targets very specific windows systems.
    This is not a simple , run the malware app and walk away. When infected its a burn everything and start over remedy.
    Its flaw is its own speed.
    Dont be fooled. This is devilish criminality.

    Reply
    1. Corey

      Hey Mark, Did you have any luck decrypting any files?

      Reply
      1. Mark Neary

        Hello Corey. Our variant mainly affected system files and databases. Actuall data files were left untouched. Attempting decrypt was pointless.
        We had no choice other than to rebuild from the ground up, while taking the opportunity to remove and replace insecure XP machines and bad security practices along the way.

        Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.