Remove NamPoHyu Virus

Remove NamPoHyu Virus

NamPoHyu virus

What is .NamPoHyu files virus? Is .NamPoHyu files virus a variant of the MegaLocker ransomware family? What kind of encryption does the .NamPoHyu files virus use?

.NamPoHyu Files Virus is a cryptovirus that targets Ubuntu Apache servers, NAS storages, along with other servers used for various purposes, be it running a website (domain) or ones used for storing data. Mac and PC operating systems can be affected. The virus encrypts files by using the AES encryption algorithm via CBC (Cipher Block Chaining) and places a ransom note. With the ransom note, the cybercriminals that are behind the virus demand money as a ransom to get the files restored. Files will receive a custom extension, which is .NamPoHyu but other variants are not excluded from appearing. The .NamPoHyu Files Virus is called NamPoHyu Virus and it is actually a variant of the MegaLocker ransomware.

Threat Summary

Name.NamPoHyu files virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts files on a computer system and specifically targets servers and network operated systems. The virus demands a ransom to be paid to allegedly recover the system and its data.
SymptomsThe ransomware will encrypt files, may slow down the machine that is being encrypted, leave a ransom note with payment instructions and place the .NamPoHyu extension to locked files.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .NamPoHyu files virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .NamPoHyu files virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.NamPoHyu Files Virus – Update May, 2019

There’s some great news for victims of the NamPoHyu ransomware – a decryptor is now available. Emsisoft developers have released a decryptor for the ransomware, and its victims can now use the tool to recover their files for free.

NamPoHyu is a variant of the MegaLocker ransomware, meaning that the decryptor will also work for MegaLocker victims. As explained by the developers of the decryption tool, to use it, you will require one of the ransom notes left by the malware. You can download the NamPoHyu dectyptor and recover your files. Emsisoft has also provided a detailed guide on how to use their tool.

.NamPoHyu Files Virus – What Does It Do?

Users have contacted us and reported new information about the infection method of the .NamPoHyu virus. The report states that the NAS storage device of one user was infected remotely, due to the router accidentally placing the server in a Virtual DMZ, hence making the public IP open. The same user had checked his own WDmycloud IP on his router and also found out that the IP was in a DMZ. Thus, the NAS device was encrypted, but nothing else on the configured network.

The .NamPoHyu Files Virus ransomware might distribute itself via different tactics. A payload dropper which initiates the malicious script for this ransomware is being spread around the Internet, and researchers have gotten their hands on a malware sample for the original variant. The website that got hit with the ransomware has not been identified to be hit by malware by most security tools as showcased in the below snapshot:

NamPoHyu virus virustotal

In addition, to try and get ahead of ransomware threats, you should read the ransomware prevention tips located at the corresponding forum thread.

.NamPoHyu Files Virus is a virus that encrypts files and demands a ransom via a note. The ransomware is also known as the NamPoHyu virus, but it is actually a variant of the

MegaLocker Ransomware family. The cryptovirus uses the AES encryption algorithm by using Cipher Block Chaining (CBC) with 128-bit ciphers. That encryption is sequential (i.e., it cannot be parallelized), and the message is padded to a multiple of the cipher block size. Every block of data is encrypted by using data from the previously encrypted block, making this a chain, hence naming the encryption method CBC. AES-CBC, operates by XOR’ing (eXclusive OR) each block with the previous block and cannot be written in parallel. This affects performance due to the complex mathematics involved requiring serial encryption. AES-CBC also is vulnerable to padding oracle attacks, which exploit the tendency of block ciphers to add arbitrary values onto the end of the last block in a sequence in order to meet the specified block size. That could explain why the ransomware is set to encrypt systems in strange hours in the night, so users could be less aware of an attack.

.NamPoHyu Files Virus ransomware might make new entries in the Registry to achieve persistence, and could launch or repress processes of the operating system. Such entries are typically designed in a way to start the virus automatically with each boot of the operating system.

The ransom note message itself is located inside a file called !DECRYPT_INSTRUCTION.TXT:

NamPoHyu ransom note

The ransom note file has the following contents:

What happened to your files ?
All of your files were protected by a strong encryption with AES cbc-128 using NamPoHyu Virus.

What does this mean ?
This means that the structure and data within your files have been irrevocably changed,
you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.
Your unique id: 02DCED685XXXXXXXXX41863

What do I do ?
You can buy decryption for 250$.
But before you pay, you can make sure that we can really decrypt any of your files.

To do this:
1) Download and install Tor Browser ( )
2) Open the http://qlcd3bgmyv4kvztb.onion/index.php?id=23CAEC83B8FF4ED5A89A8E19B0D7E85C web page in the Tor Browser and follow the instructions.


How much time do I have to pay for decryption?
You have 10 days to pay for the ransom after decrypting the test files.
The number of bitcoins for payment is fixed at the rate at the time of decryption of test files.
Keep in mind that some exchangers delay payment for 1-3 days! Also keep in mind that Bitcoin is a very volatile currency,
its rate can be both stable and change very quickly. Therefore, we recommend that you make payment within a few hours.

How to contact you?
We do not support any contact.

What are the guarantees that I can decrypt my files after paying the ransom?
Your main guarantee is the ability to decrypt test files.
This means that we can decrypt all your files after paying the ransom.
We have no reason to deceive you after receiving the ransom, since we are not barbarians and moreover it will harm our business.

How do I pay the ransom?
After decrypting the test files, you will see the amount of payment in bitcoins and a bitcoin wallet for payment.
Depending on your location, you can pay the ransom in different ways.
Use Google to find information on how to buy bitcoins in your country or use the help of more experienced friends.
Here are some links: – payment by bank card

How can I decrypt my files?
After confirmation of payment (it usually takes 8 hours, maximum 24 hours)
you will see on this page ( http://qlcd3bgmyv4kvztb.onion/index.php?id=02DCED685XXXXXXXXX3C0DFD0E241863 ) a link to download the decryptor and your aes-key
(for this, simply re-enter (refresh) this page a day after payment)
Download the program and run it.
Attention! Disable all anti-virus programs, they can block the work of the decoder!
Copy aes-key to the appropriate field and select the folder to decrypt.
The program will scan and decrypt all encrypted files in the selected folder and its subfolders.
We recommend that you first create a test folder and copy several encrypted files into it to verify the decryption.

Accessing the TOR link provided in the message opens up a FAQ page with some of the text included in the ransom note as seen from the below screenshot:

NamPoHyu Tor page

The ransom note of .NamPoHyu Files Virus indicates that your files are encrypted. You are demanded to pay a ransom sum to allegedly restore your files. However, you should NOT under any circumstances pay any ransom sum. Your files may not get recovered, and nobody could give you a guarantee for that. Adding to that, giving money to cybercriminals will most likely motivate them to create more ransomware viruses or commit different criminal activities. That may even result to you getting your files encrypted all over again after payment.

If a server or a computer system was infected with this ransomware and your files are locked, read on below on how you can remove the cryptovirus and what you try to potentially restore some of your files.

*Note: Some of the information used in this article has been provided by users, who became victims of the NamPoHyu virus.

Remove .NamPoHyu Files Virus

If your computer system got infected with the .NamPoHyu Files Virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Tsetso Mihailov

Tsetso Mihailov

Tsetso Mihailov is a tech-geek and loves everything that is tech-related, while observing the latest news surrounding technologies. He has worked in IT before, as a system administrator and a computer repair technician. Dealing with malware since his teens, he is determined to spread word about the latest threats revolving around computer security.

More Posts

Follow Me:


  1. AvatarJosep Antoni

    Buenas tardes
    Soy José Antonio, les informamos que ya disponemos de la capacidad de recuperar los archivos encritpados por medio de este ramson MegaLocker – NamPoHyu Virus (.crypted, .NamPoHyu, !DECRYPT_INSTRUCTION.TXT)
    Para ello, sólo necesitamos que nos abran un ticket de soporte en nuestra pagina web y adunten un par de archivos encriptados más la nota de rescate y en 24 horas podremos calcular la clave privada.

    1. AvatarAlberto

      buen dia Jose Anotnio. mira se me infectaron los archivos con ese virus, lo que hice saque mi equipo de la red, py los archivos estan encriptados con la extencion .NamPoHyu. pero el archivo de rescate ya no lo encuentro en mi equipo !DECRYPT_INSTRUCTION.TXT). que procede, aun se puede recuperar.

      En espera de tus comentarios.
      saludos !

  2. AvatarLamborot jean jacques

    j’ai été attaqué par NAMPOHYU (Megalocker),
    avec Spyhunter et Emsisoft, je me suis , à prior, débarassé du Virus, cependant le decrypter de Emsisoft ne fonctionne pas

    1. Milena DimitrovaMilena Dimitrova

      Bonjour Jean Jacques, que se passe-t-il exactement avec le décrypteur?


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share