Remove NanoLocker Ransomware and Restore Encrypted Files

A new ransomware has recently appeared, going by the name of NanoLocker Ransomware. The infection may encrypt important user files on the hard drive, as well as on portable drives attached to the victim computer, and give them a new extension. Such files become corrupt, and the only way to decrypt them is with a decryption key. The ransomware may also leave a ransom note with instructions, demanding money from the victims. All users affected by NanoLocker Ransomware are strongly advised not to pay any ransom that may be requested from them and to look for alternative methods of decryption and removal, instructions for which we have provided after this article.

Name: NanoLocker Ransomware
Type: Ransomware
Short Description: The malicious threat encrypts user files and demands ransom money for their decryption.
Symptoms: The user may see a ransom message and find his/her files encrypted with an unfamiliar file extension. The files cannot be opened by removing the extension.
Distribution Method: Via malicious links posted online or malicious email attachments
Detection Tool: Download Malware Removal Tool, to See If Your System Has Been Affected by NanoLocker Ransomware
User Experience: Join our forum to follow the discussion about NanoLocker Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

NanoLocker Ransomware – How Did I Get Infected with It

This ransomware may be distributed by more than just malicious web links posted in spam comments online. Such links, or attachment files, may be included in spam e-mails as well. Such an e-mail may contain the following types of malicious attachments or archives:

Files: .docx; .bat; .vbs; .exe; .pdf;
Archives: .zip; .rar

Furthermore, the ransomware may be distributed via malicious files shared on torrent websites that are not reputable. Such a file may carry the malicious payload while resembling a keygen, crack fix or patch for a video game or other software.

NanoLocker Ransomware – What Does It Do

According to Symantec Security Response, once its malicious files have affected the user's PC, the ransomware may display a fake PDF error message and begin to drop its module files:

  • %UserProfile%\Desktop\ATTENTION.RTF
  • %UserProfile%\Desktop\Decryptor.lnk
  • %UserProfile%\Application Data\lansrv.exe
  • %UserProfile%\Application Data\lansrv.ini

These files are also known as the modules or payload of the ransomware. The ransomware then creates this registry entry for one of the modules:

→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"LanmanServer" = "%UserProfile%\Application Data\lansrv.exe"

After these processes are done, the NanoLocker ransomware may run a module which scans your computer for files with the most commonly used extensions and encrypts them:

3g2 3gp aaf accdb aep aepx aet ai aif arw as as3 asf asp asx avi bay bmp cdr cer class cpp cr2 crt crw cs csv db dbf dcr der dng doc docb docm docx dot dotm dotx dwg dxf dxg efx eps erf fla flv idml iff indb indd indl indt inx jar java jpeg jpg kdc m3u m3u8 m4u max mdb mdf mef mid mov mp3 mp4 mpa mpeg mpg mrw msg nef nrw odb odc odm odp ods odt orf p12 p7b p7c pdb pdf pef pem pfx php plb pmd pot potm potx ppam ppj pps ppsm ppsx ppt pptm pptx prel prproj ps psd pst ptx r3d ra raf rar raw rb rtf rw2 rwl sdf sldm sldx sql sr2 srf srw svg swf tif vcf vob wav wb2 wma wmv wpd wps x3f xla xlam xlk xll xlm xls xlsb xlsm xlsx xlt xltm xltx xlw xml xqx zip

After the encryption is successful, the user may find that his/her files have become corrupt when trying to open them. The files may also have an unfamiliar file extension, and the user's wallpaper may be changed, along with files dropped on the desktop that may contain the following message with instructions on how to bring back the files:

[Image: NanoLocker ransom message screen. Source: Bleeping Computer]

Furthermore, the ransomware may also have the ability to delete Volume Shadow Copies and backups so that the data cannot be recovered from them. What is more, the NanoLocker ransomware may open ports to connect to remote hosts, one of which is 52.91.55.122. This is believed to be the Command and Control (C&C) center run by the cyber-criminals.
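The indicators listed in this section (dropped files, the Run entry and the C&C address) can be checked against data collected from a suspect machine. The following is an added example, not part of the original article: it assumes a file listing, the text output of `reg query` for the Run key and the output of `netstat -ano`; the user name, ports and other sample values are constructed.

```python
import re

# Indicators copied from the article above; every SAMPLE_* input is constructed.
DROPPED = [r"%UserProfile%\Desktop\ATTENTION.RTF",
           r"%UserProfile%\Desktop\Decryptor.lnk",
           r"%UserProfile%\Application Data\lansrv.exe",
           r"%UserProfile%\Application Data\lansrv.ini"]
RUN_VALUE, C2_IP = "LanmanServer", "52.91.55.122"

def normalize(path):
    """Reduce a Windows path to a lower-case, profile-relative form."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    # %UserProfile%, C:\Users\<name> and C:\Documents and Settings\<name> all become "~".
    p = re.sub(r"^(%userprofile%|[a-z]:\\(users|documents and settings)\\[^\\]+)", "~", p)
    # On Vista and later, "Application Data" is a junction to AppData\Roaming.
    return p.replace("~\\appdata\\roaming\\", "~\\application data\\")

IOC_PATHS = {normalize(p) for p in DROPPED}

def scan_files(paths):
    """Return the listed paths that match a dropped-file indicator."""
    return [p for p in paths if normalize(p) in IOC_PATHS]

def scan_run_key(reg_query_output):
    """Return (name, data) pairs from `reg query` output that match the Run entry."""
    hits = []
    for line in reg_query_output.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m and (m.group(1).lower() == RUN_VALUE.lower() or normalize(m.group(2)) in IOC_PATHS):
            hits.append((m.group(1), m.group(2)))
    return hits

def scan_netstat(netstat_output):
    """Return `netstat -ano` rows whose foreign address is the reported C&C host."""
    rows = (line.split() for line in netstat_output.splitlines())
    return [" ".join(f) for f in rows
            if len(f) >= 4 and f[0] in ("TCP", "UDP") and f[2].rsplit(":", 1)[0] == C2_IP]

SAMPLE_FILES = [r"C:\Users\alice\Desktop\attention.rtf", r"C:\Users\alice\Documents\report.docx",
                r"C:\Users\alice\AppData\Roaming\lansrv.exe"]
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    C:\Program Files\Updater\updater.exe
    LanmanServer    REG_SZ    C:\Users\alice\AppData\Roaming\lansrv.exe
"""
SAMPLE_NETSTAT = """
  TCP    192.168.1.20:49733    52.91.55.122:80    ESTABLISHED    4312
  TCP    192.168.1.20:49801    203.0.113.7:443    ESTABLISHED    1188
"""
```

Path comparison is case-insensitive and treats `Application Data` and `AppData\Roaming` as the same folder, so the article's paths match on both older and newer Windows profiles.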

Removing NanoLocker Ransomware

This ransomware infection's behavior is almost identical to that of any other Trojan horse. This means that to remove it you must isolate the threat first. This is why it is strongly advisable to disconnect from the web and copy the encrypted files to a portable drive just in case. Then you should download an advanced anti-malware scanner from a safe computer and install it on the infected one. After this, you may follow the instructions below to safely scan your device:

1. Boot Your PC In Safe Mode to isolate and remove NanoLocker Ransomware
2. Remove NanoLocker Ransomware with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by NanoLocker Ransomware in the future
Optional: Using Alternative Anti-Malware Tools

Restoring Your Encrypted Files

To attempt to get your files back, it is recommended to start with the following methods:

To restore your data, your best bet is to check again for shadow volume copies using this software:

Shadow Explorer

The other method of restoring your files is to try to bring them back with data recovery software. Here are some examples of data recovery programs:

You may also try decrypting different files using Kaspersky's decryptors:

Kaspersky Decryption Utilities

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
