NullByte Virus Remove and Restore _nullbyte Files

[Image: NullByte ransomware wallpaper]

A ransomware virus dubbed NullByte was reported by malware researchers to append the _nullbyte file extension to the files it encrypts with a strong AES cipher. The name NullByte originates from the NUL character in the ASCII control codes, suggesting that an experienced coder may be behind the virus. Further reports indicate that the NullByte ransomware is related to two other ransomware variants – DetoxCrypto and Serpico. NullByte demands a ransom of 0.1 BTC (approximately 60 US dollars) from the victims whose computers it infects.

Update! There is now a decryptor tool for this ransomware! The tool was created by the malware researcher Michael Gillespie and can be downloaded from the following link, wrapped inside a .zip archive: StupidDecrypter.

Threat Summary

Name: NullByte
Type: Ransomware
Short Description: The ransomware uses the AES cipher combined with an asymmetric algorithm, so that the decryption key differs from the encryption key.
Symptoms: The ransomware will lock all your files, appending the _nullbyte file extension to them, drop a ransom note on your PC and lock its screen. The note states that you have to pay the equivalent of $60 in Bitcoin for decryption.
Distribution Method: Spam Emails, Email Attachments, Suspicious Sites
Detection Tool: See If Your System Has Been Affected by NullByte (Malware Removal Tool)
User Experience: Join Our Forum to Discuss NullByte Ransomware
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

NullByte Virus – Distribution

The NullByte ransomware virus may use malvertising campaigns to distribute malicious URLs that cause an infection when visited. Sometimes, ad-supported potentially unwanted programs (adware) may also be used to redirect the browser to such URLs, causing direct infection of user PCs.

Another reported distribution method for the NullByte virus is massive spam e-mail campaigns, usually carrying e-mail attachments that cause infection via JavaScript or an exploit kit attack.

Furthermore, the NullByte virus may also be dropped on the computer via other malware that may currently be residing on it.

NullByte Ransomware – How Does It Work

NullByte ransomware may drop more than one file upon infection. The dropped files may be executable files of the following formats:

→ .exe, .vbs, .bat, .dll, .cmd, .tmp

After the malicious files have been dropped, the NullByte virus may modify Windows Registry entries so that its executables run on system startup. The registry keys that may be modified are the Run and RunOnce keys located under the following paths:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup

After this has been done, the NullByte ransomware virus may also run an automated operation that deletes the shadow volume copies. This may be done via a .bat file that is run automatically, executing the following vssadmin command as an administrator:

→ vssadmin delete shadows /all /quiet
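The two behaviours described above (autorun persistence under the Run/RunOnce keys and shadow-copy deletion via vssadmin) are what a defender would look for in endpoint telemetry. The following is an added example, not code from the article or from any vendor tool: it triages constructed Sysmon-style events (event 1 = process creation, event 13 = registry value set; the field names and sample values are assumptions) and flags the patterns this article describes.

```python
import re

# Constructed Sysmon-style events (not from the article). Field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 1, "cmdline": "vssadmin list shadows"},
    {"id": 13, "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "details": r"C:\Users\Public\svchost.exe"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\update",
     "details": r"C:\Program Files\Vendor\updater.exe"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
]

# Any vssadmin invocation that deletes shadows, regardless of flag order.
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# The autorun keys the article lists, in Sysmon's HKLM/HKCU short form.
AUTORUN_KEY = re.compile(
    r"^HK(?:LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(?:Run|RunOnce|RunServices|RunServicesOnce|RunOnce\\Setup)\\",
    re.IGNORECASE)

# File types the article says NullByte drops; an autorun value pointing to one of
# these under a user-writable path is the high-severity case.
DROPPED_EXT = re.compile(r"\.(?:exe|vbs|bat|dll|cmd|tmp)$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^C:\\Users\\|\\Temp\\", re.IGNORECASE)

def triage(events):
    """Return (severity, reason) findings for events matching NullByte's behaviour."""
    findings = []
    for ev in events:
        if ev["id"] == 1 and SHADOW_DELETE.search(ev["cmdline"]):
            findings.append(("high", "shadow copy deletion: " + ev["cmdline"]))
        elif ev["id"] == 13 and AUTORUN_KEY.match(ev["target"]):
            value = ev["details"]
            if DROPPED_EXT.search(value) and USER_WRITABLE.search(value):
                findings.append(("high", "autorun to user-writable payload: " + value))
            else:
                findings.append(("low", "autorun key modified: " + ev["target"]))
    return findings

if __name__ == "__main__":
    for sev, why in triage(SAMPLE_EVENTS):
        print(sev, why)
```

A plain `vssadmin list shadows` and a registry write outside the autorun keys produce no finding, so the rule stays quiet on routine administration.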

Once the encryption process has started, the NullByte ransomware scans the user’s computer for a wide variety of file types to encrypt. The virus primarily looks for:

  • Video files.
  • Image files.
  • Files that are associated with widely used programs, like Adobe Photoshop, Adobe Reader, Microsoft Office programs, etc.
  • Database and web server files.
  • Audio files.

As soon as its pre-programmed list of file extensions has been applied, the NullByte ransomware virus begins to encrypt the files. For encryption, it is believed to use the Advanced Encryption Standard (AES). After the files have been encoded, the virus generates a unique decryption key, which is then sent to the cyber criminals by establishing an active connection to their servers.

Files, encrypted by NullByte ransomware can no longer be opened and look like the following:

  • Picture.jpg_nullbyte

Unlike other file extensions, the _nullbyte extension is attached with a “_” symbol instead of a “.”, which is very distinctive for the _nullbyte virus.
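Because the marker is appended with “_” rather than “.”, the encrypted name still contains the original extension, which is useful when taking inventory before attempting restoration. The following is an added example, not code from the article: it recognises NullByte-style names, recovers the original file name, and counts affected files by the file classes listed above (the extension-to-class mapping and the sample paths are constructed assumptions).

```python
from collections import Counter
from pathlib import PureWindowsPath

SUFFIX = "_nullbyte"  # appended with "_" rather than "." (as the article describes)

# Illustrative mapping of original extensions to the file classes the article says
# NullByte targets; this is an assumption, not the malware's real target list.
CATEGORIES = {
    "image": {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".psd"},
    "video": {".mp4", ".avi", ".mkv", ".mov"},
    "audio": {".mp3", ".wav", ".flac"},
    "office": {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"},
    "database/web": {".sql", ".mdb", ".sqlite", ".php", ".html", ".js"},
}

def original_name(path):
    """Return the pre-encryption file name, or None if the name is not NullByte-style."""
    name = PureWindowsPath(path).name
    # A bare "_nullbyte" carries no original name; "report_nullbyte.txt" is not encrypted.
    if not name.lower().endswith(SUFFIX) or len(name) == len(SUFFIX):
        return None
    return name[:-len(SUFFIX)]

def classify(original):
    """Map a recovered file name to one of the article's target classes."""
    ext = PureWindowsPath(original).suffix.lower()
    for cat, exts in CATEGORIES.items():
        if ext in exts:
            return cat
    return "other"

def inventory(paths):
    """Map each encrypted path to its original name and count files per class."""
    recovered, counts = {}, Counter()
    for p in paths:
        orig = original_name(p)
        if orig is None:
            continue
        recovered[p] = orig
        counts[classify(orig)] += 1
    return recovered, counts

# Constructed directory listing (not from the article).
SAMPLE_PATHS = [
    r"C:\Users\bob\Pictures\Picture.jpg_nullbyte",
    r"C:\Users\bob\Documents\budget.xlsx_nullbyte",
    r"C:\inetpub\wwwroot\index.php_nullbyte",
    r"C:\Users\bob\Documents\report_nullbyte.txt",
    r"C:\Users\bob\Desktop\_nullbyte",
]
```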

After encryption, the malware performs several other activities aimed at “motivating” its victims to pay the ransom. These include a wallpaper and a separate document with a QR code and the following threatening message:

→ “All of your personal files have been encrypted.
The only way you can get your information back is to purchase your decryption key.
The current price is set for 0.1 BTC (USD$57.6) and will be released to you upon successful completion of your transfer to us
Our wallet address is: lHpVz6uSgVjQxzJCeGgwYTbNAaD9tByR4u
and if you are using a BitCoin phone app, you can scan this QR code to transfer us funds.
The more popular BitCoin phone apps include Circle, Coinbase and Airbitz
To find our more information on BitCoins, and what they are, please do a youtube search.
To put in a decryption key request, please use the application called Decrypt Info on your desktop, it is the same application that opened upon completion of filesystem encryption.
We apologize for the invonvinience and will release your decryption key as soon as you transfer funds to our BitCoin Wallet.”

In addition, the NullByte virus displays a lock screen with the same message and an interface that lets users enter the decryption key sent to them after they have paid the 0.1 BTC ransom.

[Image: NullByte lock screen]

NullByte Ransomware – Conclusion, Removal and File Restoration

Since this virus originates from two other ransomware viruses – DetoxCrypto and Serpico – it is believed that they use the same encryption technique and are developed by the same team. Malware researchers strongly advise against paying any ransom money, because specialists may reverse-engineer the NullByte ransomware and come up with a decryptor. Instead, it is strongly advisable to remove this virus using the removal instructions after this article. It is also advisable to use an advanced anti-malware tool to automatically locate all the files associated with NullByte ransomware, delete them, and detect any other malware present on your computer.

In addition, it is highly advisable to try the alternative file restoration methods posted after this article, in step “3. Restore Files Encrypted by NullByte Ransomware” below.

Manually delete NullByte from your computer

Note! Important notice about the NullByte threat: Manual removal of NullByte requires interference with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove NullByte files and objects.
2. Find malicious files created by NullByte on your PC.
3. Fix registry entries created by NullByte on your PC.

Automatically remove NullByte by downloading an advanced anti-malware program

1. Remove NullByte with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by NullByte in the future
3. Restore files encrypted by NullByte
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
