This article will show you how to successfully delete Nx Ransomware infection and try to restore encrypted files by the virus.
A ransomware virus, uploaded as an open source malware in GitHub in the end of march 2016 has begun to show activity in the end of March 2017, reports indicate. The virus is oriented on victims who are not experienced and may spread on a global scale. The ransomware aims to encrypt the files on the computers infected by it via the AES and RSA encryption algorithms. After this, the virus begins to drop information on how to contact the cyber-criminals and pay a hefty ransom fee to restore encrypted files. In case your computer has been infected by the Nx ransomware infection, recommendations are to read the following article thoroughly.
Threat Summary
| Name | Nx Ransomware |
| Type | Ransomware |
| Short Description | The malware encrypts users files using a AES and RSA, ciphers, generating a public and private key files. |
| Symptoms | The user may witness that the files are no longer openable, plus instructions on how to pay a hefty ransom fee to the criminals to decrypt the files. |
| Distribution Method | Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner. |
| Detection Tool | See If Your System Has Been Affected by Nx Ransomware Download Malware Removal Tool |
| User Experience | Join our forum to Discuss Nx Ransomware. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
Nx Ransomware – How Does It Infect
The infection process of Nx Ransomware is conducted via a malicious file, pretending to be Google Update Service. The false name on the description of the file is Google Software Update and it is called GoogleUpdate.exe. There is even data in it’s description to deceive that the creators of these file are Google themselves.
The infection file related to the GoogleUpdate.exe file, however is different than it. It is named ransomware1.exe and has the following signature and detection rate:
In addition to being spread as a false Google Service update, the Nx virus may also be replicated via the assistance of massive spam services that spread suspicious e-mail messages that seem legitimate only at first glance. However, many of those e-mails only aim to convince the victim into opening the suspicious e-mail attachment attached to them:
Nx Ransomware – Infection Activity
After causing the infection, the Nx Ransomware virus may begin to drop it’s malicious files on the compromised computers. The files that are being dropped are the following:
- GoogleUpdate.exe (SHA256: 2a3da7eaae24d815a246beb194c72eacf10383e6ac3f46ef23298fb65ca10407)
- master_pri_key.info
- master_public_key.info
Along those main files of the virus, there may be other support files (.dll, .tmp, .vbs, .bat, .exe, .js, .wsf, .bin) that may be dropped alongside them. They are usually located in the following Windows directories:
- %AppData%
- %Local%
- %Roaming%
- %LocalRow%
- %Windows%
After all the malicious files are dropped on the compromised computer, the Nx ransomware infection may begin to perform multiple other activities, such as delete the shadow volume copies of it, for example. This is achievable by executing versions of the following vssadmin command in the background:
In addition to deleting system backups, the Nx virus may also begin to modify the Windows Registry Editor. Among the attacked Windows Registry sub-keys may usually be the ones that change the wallpaper and run files on Windows boot:
→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Other interference the Nx virus may perform is modify the following files within the %WINDIR% directory of Windows, again related to the registry:
→ Clr.dll
Mscorwks.dll
Mscorlib.ni.dll.aux
Sortdefault.nls
System.xml.ni.dll.aux
Pubpol47.dat
System.ni.dll.aux
Mscorlib.dl
Nx Ransomware’s Encryption Process
For the encryption of files, the Nx virus is believed to use a combination of two of the strongest known ciphers for public use.
Rivest-Shamir-Adleman or RSA encryption.
Advanced Encryption Standard also known as AES.
The AES cipher may be used to scramble the following important files, if detected on the compromised computer:
→ .AVI, .C, .CLASS, .CONFIG, .CPP, .CS, .CSC, .DBX, .DOC, .DOCX, .EML, .GIF, .GZ, .H, .JAVA, .JPG, .JS, .JSON, .JSP, .MBX, .MP3, .MP4, .MPEG, .MSG, .NEF, .PDF, .PHP, .PNG, .PPT, .PPTX, .PST, .PY, .R, .RAR, .TAR, .TXT, .VB, .VBS, .WAB, .XAML, .XLS, .XLSX, .ZIP Source: id-ransomware.blogspot.bg
After these files have already been encoded by this ransomware virus, the infection may use the RSA cipher to further insert private and public keys within the files themselves, making them increasingly difficult to decrypt, primarily because different key may be assigned to each of the files.
When the encryption process has completed, the files encoded by it can no longer be opened and the user may be presented a ransom note with instructions on how to decrypt them by making a payoff.
Remove Nx Ransomware and Restore Encoded Files
Before beginning the removal process of Nx Ransomware infection, users are advised to perform multiple backups of the encrypted files, just in case.
For the removal of this virus to be successful, we advise following the instruction steps down below, which will help isolate the threat and then locate the malicious files belonging to this virus and delete them. In case you cannot manually locate the files or feel unsure that manual removal would do the job, experts always advise downloading an advanced anti-malware tool to scan for and remove those malicious objects automatically and protect your computer against future threats as well.
For the file restoration, there is no free decryption scenario at the moment. However, we will track the situation and post decryption instructions with web links as soon as there are such available. In the meantime, we advise following the alternative methods for restoring your files at your own risk, even though they are not 100% guaranteed to get all the files back. They are located down in step “2. Restore files encrypted by Nx Ransomware”.
