A ransomware virus dubbed NullByte was reported by malware researchers to append the _nullbyte file extension to the files which it encrypts with a strong AES cipher. The name nullbyte originates from the NUL character in ASCII control code, suggesting that an experienced coder may be behind the virus. Further reports indicate the NullByte Ransomware has something to do with two other ransomware variants – DetoxCrypto and Serpico ransomware. The NullByte virus also demands a ransom payoff from the victims of the computers it infects in the size of 0.1 BTC which is approximately 60 US dollars.
|Short Description||The ransomware uses AES cipher with an asymmetric algorithm to have a decryption key different than the encryption one.|
|Symptoms||The ransomware will lock all your files with _nullbyte file extension appended to them and put a ransom note in your PC as well as lock it’s screen. The note states that you have to pay the equivalent of 60$ in Bitcoins for decryption.|
|Distribution Method||Spam Emails, Email Attachments, Suspicious Sites|
|Detection Tool|| See If Your System Has Been Affected by NullByte |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss NullByte Ransomware|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
NullByte Virus – Distribution
The NullByte ransomware virus may use malvertising campaigns to distribute malicious URLs that may cause an infection when they are visited. Sometimes, potentially unwanted programs that are ad-supported (adware) may also be used to display browser redirects to such URL’s causing direct infection on user PCs.
Furthermore, the NullByte virus may also be dropped on the computer via other malware that may currently be residing on it.
NullByte Ransowmare – How Does It Work
NullByte ransomware may drop more than one files upon infection. The files it drops may be executable types of files of the following file formats:
→ .exe, .vbs, .bat, .dll, .cmd, .tmp
After the malicious files have been dropped, the NullByte virus may modify the Windows Registry Editor’s entries with a purpose of running it’s executables on system startup. The targeted registry keys that may be modified are the Run and RunOnce keys located in the following directories:
After this has been done, the NullByte ransomware virus may also run an auto executable operation that deletes the shadow volume copies. This may be done via a .bat file that is ran automatically, executing the following vssadmin command as an administrator:
→ vssadmin delete shadows /all /quiet
After the encryption process has started, the NullByte ransomware begins to scan the user’s computer for a wide variety of types of files to encrypt. The virus primarily looks for:
- Video files.
- Image files.
- Files that are associated with widely used programs, like Adobe Photoshop, Adobe Reader, Microsoft Office programs, etc.
- Database and web server files.
- Audio files.
As soon as it’s pre-programmed list of file extensions has been put to work, the NullByte ransomware virus begins to encrypt the files. For encryption, it uses the Advanced Encryption Standard. This type of encryption algorithm is believed to be used. After the files have been encoded, the virus then generates a unique decryption key which is then sent to the cyber criminals, by establishing an active connection to their servers.
Files, encrypted by NullByte ransomware can no longer be opened and look like the following:
The _nullbyte file extension in difference to other expansions is indicated with a “_” symbol instead of “.” which is very distinctive for the _nullbyte virus.
After encryption, the malware performs several other activities that have everything to do with “motivating” it’s victims to pay the ransom money. This includes a wallpaper and another document with a QR code and the following threatening message:
→ “All of your personal files have been encrypted.
The only way you can get your information back is to purchase your decryption key.
The current price is set for 0.1 BTC (USD$57.6) and will be released to you upon successful completion of your transfer to us
Our wallet address is: lHpVz6uSgVjQxzJCeGgwYTbNAaD9tByR4u
and if you are using a BitCoin phone app, you can scan this QR code to transfer us funds.
The more popular BitCoin phone apps include Circle, Coinbase and Airbitz
To find our more information on BitCoins, and what they are, please do a youtube search.
To put in a decryption key request, please use the application called Decrypt Info on your desktop, it is the same application that opened upon completion of filesystem encryption.
We apologize for the invonvinience and will release your decryption key as soon as you transfer funds to our BitCoin Wallet.”
In addition to this, the NullByte virus also displays a lock-screen with the same message and interface that allows users to enter decryption keys that are sent to them after they have paid the ransom of 0.1 BTC.
NullByte Ransomware – Conclusion, Removal and File Restoration
Since this virus originates from two other ransomware viruses – DetoxCrypto and Serpico, it is believed they use the same encryption technique and are developed by the same team. Malware researchers strongly advise against paying any ransom money because specialists may reverse-engineer the NullByte ransomware and come up with a decryptor. Instead, it is strongly advisable to remove this virus using the removal instructions after this article. Not only this, but it is also advisable to use an advanced anti-malware tool to automatically locate all the files associated with Nullbyte ransomware and delete them and detect other malware as well If there is such on your computer.
In addition to this, it is also highly advisable to make sure and try the alternative file restoration methods that are posted after this article in step “3. Restore Files Encrypted by NullByte Ransomware” below.