Remove NamPoHyu Virus
THREAT REMOVAL

Remove NamPoHyu Virus

NamPoHyu virus

What is .NamPoHyu files virus? Is .NamPoHyu files virus a variant of the MegaLocker ransomware family? What kind of encryption does the .NamPoHyu files virus use?

.NamPoHyu Files Virus is a cryptovirus that targets Ubuntu Apache servers, NAS storages, along with other servers used for various purposes, be it running a website (domain) or ones used for storing data. Mac and PC operating systems can be affected. The virus encrypts files by using the AES encryption algorithm via CBC (Cipher Block Chaining) and places a ransom note. With the ransom note, the cybercriminals that are behind the virus demand money as a ransom to get the files restored. Files will receive a custom extension, which is .NamPoHyu but other variants are not excluded from appearing. The .NamPoHyu Files Virus is called NamPoHyu Virus and it is actually a variant of the MegaLocker ransomware.

Threat Summary

Name.NamPoHyu files virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts files on a computer system and specifically targets servers and network operated systems. The virus demands a ransom to be paid to allegedly recover the system and its data.
SymptomsThe ransomware will encrypt files, may slow down the machine that is being encrypted, leave a ransom note with payment instructions and place the .NamPoHyu extension to locked files.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .NamPoHyu files virus

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .NamPoHyu files virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.NamPoHyu Files Virus – What Does It Do?

Users have contacted us and reported new information about the infection method of the .NamPoHyu virus. The report states that the NAS storage device of one user was infected remotely, due to the router accidentally placing the server in a Virtual DMZ, hence making the public IP open. The same user had checked his own WDmycloud IP on his router and also found out that the IP was in a DMZ. Thus, the NAS device was encrypted, but nothing else on the configured network.

The .NamPoHyu Files Virus ransomware might distribute itself via different tactics. A payload dropper which initiates the malicious script for this ransomware is being spread around the Internet, and researchers have gotten their hands on a malware sample for the original variant. The website that got hit with the ransomware has not been identified to be hit by malware by most security tools as showcased in the below snapshot:

NamPoHyu virus virustotal

In addition, to try and get ahead of ransomware threats, you should read the ransomware prevention tips located at the corresponding forum thread.

.NamPoHyu Files Virus is a virus that encrypts files and demands a ransom via a note. The ransomware is also known as the NamPoHyu virus, but it is actually a variant of the

Remove MegaLocker ransomware efficiently. Follow the MegaLocker ransomware removal instructions provided at the end of the article.
MegaLocker Ransomware family. The cryptovirus uses the AES encryption algorithm by using Cipher Block Chaining (CBC) with 128-bit ciphers. That encryption is sequential (i.e., it cannot be parallelized), and the message is padded to a multiple of the cipher block size. Every block of data is encrypted by using data from the previously encrypted block, making this a chain, hence naming the encryption method CBC. AES-CBC, operates by XOR’ing (eXclusive OR) each block with the previous block and cannot be written in parallel. This affects performance due to the complex mathematics involved requiring serial encryption. AES-CBC also is vulnerable to padding oracle attacks, which exploit the tendency of block ciphers to add arbitrary values onto the end of the last block in a sequence in order to meet the specified block size. That could explain why the ransomware is set to encrypt systems in strange hours in the night, so users could be less aware of an attack.

.NamPoHyu Files Virus ransomware might make new entries in the Registry to achieve persistence, and could launch or repress processes of the operating system. Such entries are typically designed in a way to start the virus automatically with each boot of the operating system.

The ransom note message itself is located inside a file called !DECRYPT_INSTRUCTION.TXT:

NamPoHyu ransom note

The ransom note file has the following contents:

What happened to your files ?
All of your files were protected by a strong encryption with AES cbc-128 using NamPoHyu Virus.

What does this mean ?
This means that the structure and data within your files have been irrevocably changed,
you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.
Your unique id: 02DCED685XXXXXXXXX41863

What do I do ?
You can buy decryption for 250$.
But before you pay, you can make sure that we can really decrypt any of your files.

To do this:
1) Download and install Tor Browser ( https://www.torproject.org/download/ )
2) Open the http://qlcd3bgmyv4kvztb.onion/index.php?id=23CAEC83B8FF4ED5A89A8E19B0D7E85C web page in the Tor Browser and follow the instructions.

FAQ:

How much time do I have to pay for decryption?
You have 10 days to pay for the ransom after decrypting the test files.
The number of bitcoins for payment is fixed at the rate at the time of decryption of test files.
Keep in mind that some exchangers delay payment for 1-3 days! Also keep in mind that Bitcoin is a very volatile currency,
its rate can be both stable and change very quickly. Therefore, we recommend that you make payment within a few hours.

How to contact you?
We do not support any contact.

What are the guarantees that I can decrypt my files after paying the ransom?
Your main guarantee is the ability to decrypt test files.
This means that we can decrypt all your files after paying the ransom.
We have no reason to deceive you after receiving the ransom, since we are not barbarians and moreover it will harm our business.

How do I pay the ransom?
After decrypting the test files, you will see the amount of payment in bitcoins and a bitcoin wallet for payment.
Depending on your location, you can pay the ransom in different ways.
Use Google to find information on how to buy bitcoins in your country or use the help of more experienced friends.
Here are some links: https://buy.blockexplorer.com – payment by bank card
https://www.buybitcoinworldwide.com
https://localbitcoins.net

How can I decrypt my files?
After confirmation of payment (it usually takes 8 hours, maximum 24 hours)
you will see on this page ( http://qlcd3bgmyv4kvztb.onion/index.php?id=02DCED685XXXXXXXXX3C0DFD0E241863 ) a link to download the decryptor and your aes-key
(for this, simply re-enter (refresh) this page a day after payment)
Download the program and run it.
Attention! Disable all anti-virus programs, they can block the work of the decoder!
Copy aes-key to the appropriate field and select the folder to decrypt.
The program will scan and decrypt all encrypted files in the selected folder and its subfolders.
We recommend that you first create a test folder and copy several encrypted files into it to verify the decryption.

Accessing the TOR link provided in the message opens up a FAQ page with some of the text included in the ransom note as seen from the below screenshot:

NamPoHyu Tor page

The ransom note of .NamPoHyu Files Virus indicates that your files are encrypted. You are demanded to pay a ransom sum to allegedly restore your files. However, you should NOT under any circumstances pay any ransom sum. Your files may not get recovered, and nobody could give you a guarantee for that. Adding to that, giving money to cybercriminals will most likely motivate them to create more ransomware viruses or commit different criminal activities. That may even result to you getting your files encrypted all over again after payment.

If a server or a computer system was infected with this ransomware and your files are locked, read on below on how you can remove the cryptovirus and what you try to potentially restore some of your files.

*Note: Some of the information used in this article has been provided by users, who became victims of the NamPoHyu virus.

Remove .NamPoHyu Files Virus

If your computer system got infected with the .NamPoHyu Files Virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Tsetso Mihailov

Tsetso Mihailov

Tsetso Mihailov is a tech-geek and loves everything that is tech-related, while observing the latest news surrounding technologies. He has worked in IT before, as a system administrator and a computer repair technician. Dealing with malware since his teens, he is determined to spread word about the latest threats revolving around computer security.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...