NullByte Virus Remove and Restore _nullbyte Files - How to, Technology and PC Security Forum

NullByte Virus Remove and Restore _nullbyte Files


A ransomware virus dubbed NullByte was reported by malware researchers to append the _nullbyte marker to the files it encrypts with the AES cipher. The name reportedly refers to the NUL (null byte) character of the ASCII control set, which has been read as a hint that an experienced coder is behind the virus. Further reports link the NullByte ransomware to two other ransomware variants, DetoxCrypto and Serpico. NullByte demands a ransom of 0.1 BTC, approximately 60 US dollars at the time of writing, from the victims whose computers it infects.

Update! A decryptor for this ransomware is now available. The tool was created by malware researcher Michael Gillespie and can be downloaded, wrapped inside a .zip archive, from the following link: StupidDecrypter.

Threat Summary

Short Description: The ransomware encrypts files with the AES cipher, reportedly combined with an asymmetric algorithm so that the key needed for decryption differs from the one used on the victim's machine for encryption.
Symptoms: The ransomware locks all your files, appending the _nullbyte marker to their names, drops a ransom note on the PC and locks its screen. The note states that you have to pay the equivalent of $60 in Bitcoin for decryption.
Distribution Method: Spam e-mails, e-mail attachments, suspicious sites

NullByte Virus – Distribution

The NullByte ransomware virus may use malvertising campaigns to distribute malicious URLs that cause an infection when they are visited. Ad-supported potentially unwanted programs (adware) may also be used to redirect the browser to such URLs, infecting the user's PC directly.

Another reported distribution method for the NullByte virus is large spam e-mail campaigns whose attachments trigger the infection, either through embedded JavaScript or through an exploit kit.

Furthermore, the NullByte virus may also be dropped on the computer via other malware that may currently be residing on it.

NullByte Ransomware – How Does It Work

NullByte ransomware may drop more than one file upon infection. The dropped files may be executable or script types of the following formats:

→ .exe, .vbs, .bat, .dll, .cmd, .tmp

After the malicious files have been dropped, the NullByte virus may modify the Windows Registry so that its executables run at system startup. The entries it may add are values under the Run, RunOnce and RunServices keys at the following locations:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

After this has been done, the NullByte ransomware may also delete the Volume Shadow Copies so that Windows cannot restore previous versions of the files. This may be done through a dropped .bat file that is run automatically with administrator privileges and executes the following vssadmin command:

→ vssadmin delete shadows /all /quiet
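The two behaviours just described, the autorun entry and the shadow-copy deletion, are what a detection rule should key on. The following is an added example, not code from the article or from the malware: it runs simple matching over constructed process-creation and registry-write records modelled loosely on Sysmon Event ID 1 and 13. The field names, file paths and sample records are assumptions made for the illustration. It goes a little beyond the page by also matching the vssadmin resize shadowstorage and wmic shadowcopy delete forms, which other ransomware families use for the same purpose.

```python
import re

# Constructed sample telemetry (assumed, simplified key/value form; real Sysmon
# or EDR exports carry more fields). Two event kinds are modelled: a process
# start (Sysmon EID 1) and a registry value write (Sysmon EID 13).
SAMPLE_EVENTS = [
    {"event": "ProcessCreate",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"event": "ProcessCreate",                      # benign: only lists copies
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"event": "ProcessCreate",                      # dropped .bat launched from %TEMP%
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\clean.bat"',
     "parent": r"C:\Users\alice\AppData\Local\Temp\nb.exe"},
    {"event": "RegistryValueSet",                   # autorun value pointing into %TEMP%
     "image": r"C:\Users\alice\AppData\Local\Temp\nb.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nb",
     "details": r"C:\Users\alice\AppData\Local\Temp\nb.exe"},
    {"event": "RegistryValueSet",                   # benign autorun from Program Files
     "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

# Commands that destroy or starve Volume Shadow Copies. Matching the argument
# string rather than the image path still fires if the binary was copied or
# renamed. The resize and wmic forms are not in the article; other families use them.
SHADOW_DESTROY = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+(?:delete\s+shadows|resize\s+shadowstorage)"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b", re.I)

# Autorun locations named in the article (Run, RunOnce, RunServices), any hive.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce|RunServices)\\", re.I)

# User-writable drop locations: an autorun value or a parent process living
# here is far more suspicious than one under Program Files or System32.
SUSPICIOUS_DIR = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.I)
# File types the article lists as dropped by the ransomware.
DROPPED_EXT = re.compile(r"\.(?:exe|vbs|bat|dll|cmd|tmp)\b", re.I)


def classify(event):
    """Return a finding label for one event, or None if nothing matched."""
    kind = event.get("event")
    if kind == "ProcessCreate":
        cmd = event.get("cmdline", "")
        if SHADOW_DESTROY.search(cmd):
            return "shadow-copy-deletion"
        if SUSPICIOUS_DIR.search(event.get("parent", "")) or (
                SUSPICIOUS_DIR.search(cmd) and DROPPED_EXT.search(cmd)):
            return "dropped-file-launch"
    elif kind == "RegistryValueSet":
        if (AUTORUN_KEY.search(event.get("target", ""))
                and SUSPICIOUS_DIR.search(event.get("details", ""))):
            return "autorun-persistence"
    return None


def scan(events):
    """Return [(index, label), ...] for every event that produced a finding."""
    findings = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label:
            findings.append((i, label))
    return findings


if __name__ == "__main__":
    for i, label in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"[{label}] {ev.get('cmdline') or ev.get('target')}")
```

Running the block flags the shadow-copy deletion, the .bat launched by a parent in %TEMP% and the Run value that points into %TEMP%, while the vssadmin list call and the OneDrive autorun pass. In a real deployment the autorun rule should be paired with an allow-list of known installer paths, since legitimate software writes to Run constantly.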

Before encrypting anything, the NullByte ransomware scans the user's computer for a wide variety of file types to encrypt. The virus primarily looks for:

  • Video files.
  • Image files.
  • Files that are associated with widely used programs, like Adobe Photoshop, Adobe Reader, Microsoft Office programs, etc.
  • Database and web server files.
  • Audio files.

Once its pre-programmed list of file extensions has been matched against the files found, the NullByte ransomware begins to encrypt them. The cipher is reported to be the Advanced Encryption Standard (AES). The key material needed to decrypt the files is reportedly sent to the cyber criminals over an active connection to their servers, so that it is not left on the victim's machine.

Files, encrypted by NullByte ransomware can no longer be opened and look like the following:

  • Picture.jpg_nullbyte

Unlike most ransomware extensions, the _nullbyte marker is attached with a "_" rather than a ".", which is distinctive for this family. A practical consequence is that the original extension stays inside the file name, so tools that look at the last dot-extension see ".jpg_nullbyte" rather than "_nullbyte" and will not recognise the marker unless they match the name's suffix explicitly.
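Because the marker is appended with an underscore, ordinary extension handling does not see it: Path("Picture.jpg_nullbyte").suffix is ".jpg_nullbyte", not "_nullbyte", so a scanner that keys on the last dot-extension misclassifies these files. The following added example, which is not code from the article, builds a constructed sample directory tree and inventories the marked files, recovering the original names and counting them by original extension. The directory layout and file names are invented for the demonstration.

```python
import os
import tempfile
from pathlib import Path

MARKER = "_nullbyte"  # appended with an underscore, so it is not a dot-extension


def original_name(name):
    """Return the pre-encryption file name, or None if name carries no marker.

    A name consisting of the marker alone is rejected: there is nothing to
    restore, and it is a file literally named "_nullbyte", not a victim file.
    """
    if name.endswith(MARKER) and len(name) > len(MARKER):
        return name[: -len(MARKER)]
    return None


def naive_suffix(name):
    """What ordinary extension handling reports for a marked file."""
    return Path(name).suffix


def triage(root):
    """Walk root and inventory every marked file.

    Returns (findings, by_ext): findings is a sorted list of
    (encrypted_path, original_name, original_extension) tuples and by_ext
    counts marked files per original extension, which helps decide what to
    prioritise once a decryptor is available.
    """
    findings = []
    by_ext = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            orig = original_name(fname)
            if orig is None:
                continue
            ext = Path(orig).suffix.lower() or "(none)"
            findings.append((os.path.join(dirpath, fname), orig, ext))
            by_ext[ext] = by_ext.get(ext, 0) + 1
    findings.sort()
    return findings, by_ext


def build_sample_tree(base):
    """Create a constructed sample tree (assumed layout, not real victim data)."""
    base = Path(base)
    pics = base / "Pictures"
    docs = base / "Docs"
    pics.mkdir(parents=True, exist_ok=True)
    docs.mkdir(parents=True, exist_ok=True)
    (pics / "Picture.jpg_nullbyte").write_bytes(b"\x00" * 16)   # the article's example
    (pics / "holiday.png_nullbyte").write_bytes(b"\x00" * 16)
    (docs / "report.docx_nullbyte").write_bytes(b"\x00" * 16)
    (docs / "README_nullbyte").write_bytes(b"")                  # had no extension
    (docs / "notes.txt").write_text("untouched")                 # not encrypted
    (docs / "archive.nullbyte").write_bytes(b"")                 # dot form: not this family
    return base


def run_demo():
    """Build the sample tree in a temp dir, triage it and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        findings, by_ext = triage(root)
    return findings, by_ext


if __name__ == "__main__":
    findings, by_ext = run_demo()
    print("naive suffix of Picture.jpg_nullbyte:", naive_suffix("Picture.jpg_nullbyte"))
    for path, orig, ext in findings:
        print(f"{ext:8} {orig:24} <- {path}")
    print("by original extension:", by_ext)
```

The inventory is deliberately read-only: renaming a marked file back to its original name does not decrypt it, and the encrypted copies should stay untouched until a decryptor such as the one linked at the top of this article has been run against them.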

After encryption, the malware performs several other activities aimed at "motivating" its victims to pay the ransom. These include changing the wallpaper and opening a document with a QR code and the following threatening message, reproduced here as written (including the authors' spelling), since the exact wording is useful for identifying the family:

→ “All of your personal files have been encrypted.
The only way you can get your information back is to purchase your decryption key.
The current price is set for 0.1 BTC (USD$57.6) and will be released to you upon successful completion of your transfer to us
Our wallet address is: 1HpVz6uSgVjQxzJCeGgwYTbNAaD9tByR4u
and if you are using a BitCoin phone app, you can scan this QR code to transfer us funds.
The more popular BitCoin phone apps include Circle, Coinbase and Airbitz
To find our more information on BitCoins, and what they are, please do a youtube search.
To put in a decryption key request, please use the application called Decrypt Info on your desktop, it is the same application that opened upon completion of filesystem encryption.
We apologize for the invonvinience and will release your decryption key as soon as you transfer funds to our BitCoin Wallet.”

In addition, the NullByte virus displays a lock screen with the same message and a field where the victim is expected to enter the decryption key that is supposedly sent after the 0.1 BTC ransom has been paid.


NullByte Ransomware – Conclusion, Removal and File Restoration

Because this virus is reported to be related to two other ransomware families, DetoxCrypto and Serpico, they are believed to share the same encryption technique and the same developers. Malware researchers strongly advise against paying any ransom: specialists can reverse-engineer the NullByte ransomware and produce a decryptor, as has since happened (see the update above). Instead, it is strongly advisable to remove this virus using the removal instructions after this article. It is also advisable to use an advanced anti-malware tool to automatically locate all the files associated with NullByte ransomware, delete them, and detect any other malware that may be present on your computer.

In addition, it is highly advisable to try the alternative file restoration methods posted after this article, in step "3. Restore Files Encrypted by NullByte Ransomware" below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.

