NOOBCRYPT .su Ransomware – Remove and Restore Files (July 2017)

This article aims to help you by showing how to remove the new NOOBCRYPT ransomware infection from your computer and how to restore files encrypted with the .su extension.

A new version of the well-known NOOBCRYPT ransomware, which was previously unlocked, has reappeared. This time the ransomware claims to use the RSA-2048 and AES-128 encryption algorithms to encrypt the files on the computers of its unfortunate victims. The virus also replaces the wallpaper of the infected computer with a ransom note which threatens that, unless the victim pays within 24 hours, their important documents, photos, audio and other files will be deleted.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on your computer and gives you 24 hours to pay $100, or else it claims to destroy your files.
Symptoms: Adds a lockscreen with a ransom note; the files may no longer be openable.
Distribution Method: Spam emails, email attachments, executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may recover only some of the encrypted files rather than all of them, depending on the situation and on whether you have reformatted your drive.

NOOBCRYPT Ransomware – How Does It Infect

The infection process of this ransomware is very similar to that of most ransomware viruses. The primary method it uses is called malspam: the cyber-criminals disguise a malicious executable or a web link as a document or another legitimate-looking file. The victim is tricked into believing that the attachment is an invoice, a receipt or another file which only seems legitimate. To increase their apparent legitimacy, the messages are sent in the name of big companies, such as:

  • PayPal.
  • FedEx.
  • DHL.
  • UPS.

Most e-mail attachments are executable files or JavaScript files, but cases of Microsoft Word documents with malicious macros are increasing. This infection method is particularly interesting because the otherwise legitimate document only becomes malicious when you click the “Enable Content” button, which enables macros, as the graphic below illustrates:

Other infection methods may include fake setups of free programs that you search for and download online. In addition, patches, game cracks and similar downloads may be used as a pretext to infect a computer with NOOBCRYPT.
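The lures described in this section (executable and JavaScript attachments, double extensions posing as documents, Word files carrying macros) can be screened automatically before a user ever sees the “Enable Content” button. The following is an added example written for this page, not code from the article or from any vendor it mentions: it parses a message with Python's standard email module, checks each attachment against those patterns, and looks inside OOXML documents for a vbaProject.bin macro container. The sample message, its sender and its attachments are constructed; the extension lists are an assumed policy for the example.

```python
"""Triage e-mail attachments for the malspam patterns described above.

Added example, not part of the original article. The sample message is
constructed inline; the extension lists are an assumed policy.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that execute directly when opened (assumed policy list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "js", "jse", "vbs",
                   "wsf", "hta", "bat", "cmd", "ps1"}
# Harmless-looking extensions used as the outer disguise ("invoice.pdf.exe").
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# OOXML containers that can carry a VBA project.
OFFICE_OOXML_EXTS = {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip) container holds a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment should be quarantined (empty = clean)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable/script attachment (.{ext})")
    if len(parts) > 2 and parts[-2] in DECOY_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append("double extension posing as a document")
    if ext in OFFICE_OOXML_EXTS and has_vba_project(data):
        reasons.append("Office document contains a VBA macro project")
    # A PE header ("MZ") regardless of what the file name claims.
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        reasons.append("PE executable disguised with a non-executable extension")
    return reasons


def triage_message(raw: bytes) -> dict:
    """Map each suspicious attachment name in a raw RFC 822 message to its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = triage_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a fake 'invoice' mail with three attachments."""
    macro_doc = io.BytesIO()
    with zipfile.ZipFile(macro_doc, "w") as zf:          # minimal macro-bearing .docx
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed macro blob\x00")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"               # constructed sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(b"MZ\x90\x00constructed stub", maintype="application",
                       subtype="octet-stream", filename="Invoice_2017.pdf.exe")
    msg.add_attachment(macro_doc.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="Invoice_2017.docx")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(name, "->", "; ".join(reasons))
```

Run it on a saved .eml file by passing the file's bytes to triage_message(); the checks are deliberately name- and structure-based so they work without executing anything from the message.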

NOOBCRYPT Ransomware – More Information

The NOOBCRYPT ransomware is believed to be coded in .NET and, like the previous version, may contain multiple errors.

Once it has infected your computer, NOOBCRYPT ransomware may create a sub-key with a completely random name in the Windows Registry. The key it targets is HKEY_CURRENT_USER; within the random sub-key it creates values which also have random names.

Another action this virus performs is to replace the wallpaper of the infected computer with a threatening one which displays the following message to victims:

Your files has been crypted!
All of your files are encrypted with RSA-2048 and AES-128 ciphers-
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program which is on our secret server.
Time left to pay (if you don’t pay, all your files will be PERMANENTLY deleted!)
23 Hours | 59 Minutes | 50 Seconds
In order to receive your files back, you have to pay a RANSOM and get a LICENSE which you will use in our DECRYPTOR to get your files back!
Please Transfer 0.03615 BTC (100$) to:
{cyber-criminals address}
Waiting for payment, current status: Not Paid
Your License will appear here once paid: (hidden)

The ransom note is reported not only to replace the wallpaper: the new wallpaper also acts as a lockscreen, denying any access to the computer.

The virus is not reported to tamper with the Run and RunOnce registry sub-keys or with the shadow volume copies of the infected computer, so files could possibly be recovered if shadow volume copies are enabled and you manage to bypass the lockscreen.
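Because this variant is reported to leave shadow volume copies alone, the first thing worth confirming on an affected machine is whether any copies actually exist for the encrypted volume. The following is an added example written for this page, not code from the article: it parses the text printed by `vssadmin list shadows` and counts the shadow copies per original volume. The output sample, the GUIDs and the machine name in it are constructed; on the affected computer, run_vssadmin() runs the real command, which needs Windows and an elevated prompt.

```python
"""Check whether Volume Shadow Copies survived, so recovery can be attempted.

Added example, not part of the original article. Parses the text that
`vssadmin list shadows` prints. SAMPLE_VSSADMIN_OUTPUT is constructed
(GUIDs and machine name are placeholders); use run_vssadmin() on the
affected Windows machine from an elevated prompt.
"""
import re
import subprocess
import sys

# Constructed sample in the layout vssadmin uses: two sets, three copies.
SAMPLE_VSSADMIN_OUTPUT = (
    "vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\n"
    "(C) Copyright 2001-2013 Microsoft Corp.\n"
    "\n"
    "Contents of shadow copy set ID: {11111111-aaaa-bbbb-cccc-000000000001}\n"
    "   Contained 1 shadow copies at creation time: 7/9/2017 8:02:11 PM\n"
    "      Shadow Copy ID: {22222222-aaaa-bbbb-cccc-000000000002}\n"
    "         Original Volume: (C:)\\\\?\\Volume{33333333-aaaa-bbbb-cccc-000000000003}\\\n"
    "         Shadow Copy Volume: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\n"
    "         Originating Machine: DESKTOP-EXAMPLE\n"
    "         Service Machine: DESKTOP-EXAMPLE\n"
    "         Provider: 'Microsoft Software Shadow Copy provider 1.0'\n"
    "         Type: ClientAccessibleWriters\n"
    "         Attributes: Persistent, Client-accessible, No auto release, Differential\n"
    "\n"
    "Contents of shadow copy set ID: {44444444-aaaa-bbbb-cccc-000000000004}\n"
    "   Contained 2 shadow copies at creation time: 7/11/2017 9:15:32 AM\n"
    "      Shadow Copy ID: {55555555-aaaa-bbbb-cccc-000000000005}\n"
    "         Original Volume: (C:)\\\\?\\Volume{33333333-aaaa-bbbb-cccc-000000000003}\\\n"
    "         Shadow Copy Volume: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\n"
    "         Type: ClientAccessibleWriters\n"
    "      Shadow Copy ID: {66666666-aaaa-bbbb-cccc-000000000006}\n"
    "         Original Volume: (D:)\\\\?\\Volume{77777777-aaaa-bbbb-cccc-000000000007}\\\n"
    "         Shadow Copy Volume: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\n"
    "         Type: ClientAccessibleWriters\n"
)

TIME_RE = re.compile(r"creation time:\s*(.+)$")
COPY_RE = re.compile(r"Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})")
ORIG_RE = re.compile(r"Original Volume:\s*\((\w:)\)")
DEV_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_vssadmin(text):
    """Return one dict per shadow copy: id, creation time, original volume, device path."""
    copies, current, created = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = TIME_RE.search(line)
        if m:
            created = m.group(1).strip()      # applies to every copy in this set
            continue
        m = COPY_RE.search(line)
        if m:
            current = {"id": m.group(1), "created": created, "volume": None, "device": None}
            copies.append(current)
            continue
        if current is None:
            continue
        m = ORIG_RE.search(line)
        if m:
            current["volume"] = m.group(1)
            continue
        m = DEV_RE.search(line)
        if m:
            current["device"] = m.group(1)
    return copies


def recovery_status(text, volumes=("C:",)):
    """Map each volume of interest to the number of shadow copies found for it."""
    counts = {v: 0 for v in volumes}
    for c in parse_vssadmin(text):
        if c["volume"] in counts:
            counts[c["volume"]] += 1
    return counts


def run_vssadmin():
    """Live query; requires Windows and an elevated (administrator) prompt."""
    if sys.platform != "win32":
        raise RuntimeError("vssadmin is a Windows tool; run this on the affected machine")
    return subprocess.run(["vssadmin", "list", "shadows"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    text = run_vssadmin() if sys.platform == "win32" else SAMPLE_VSSADMIN_OUTPUT
    for copy in parse_vssadmin(text):
        print(f"{copy['volume']}  {copy['created']}  {copy['device']}")
    print(recovery_status(text, ("C:", "D:")))
```

A count of zero for the encrypted volume means this route is closed and a file-recovery tool or backups are the remaining options; a non-zero count gives you the `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN` path that the Previous Versions dialog and recovery tools read from, and the creation time tells you how old the restorable files are.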

NOOBCRYPT Ransomware – Encryption Process

For the encryption process, this ransomware may use the AES-128 encryption algorithm to render the files unopenable. The symmetric key used to encrypt the files may then itself be encrypted with the RSA-2048 algorithm. After this process has finished, the virus may leave the files unopenable, possibly with the .su file extension.

NOOBCRYPT is very specific about which user files it encrypts. It is careful to skip important Windows files and aims at files which are often opened, such as:

  • Videos.
  • Documents.
  • Music.
  • Audio Files.
  • Archives.
  • Virtual Drives.

After the encryption process, the malware threatens to delete the files within 24 hours unless a ransom of around $100 is paid.

Remove NOOBCRYPT Ransomware from Your PC and Restore Encrypted Files

For the removal of NOOBCRYPT ransomware, we advise you to follow the removal instructions below. They are designed to help you delete the malware either manually or automatically. Since manual removal may involve some difficulties as well as risks, the NOOBCRYPT ransomware should be removed automatically for maximum safety. The method security experts recommend is to use an advanced anti-malware program, which will handle the removal process for you.

If you want to restore files encrypted by this ransomware, we recommend checking the alternative methods in step “3. Restore files encrypted by NOOBCRYPT”.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
