How Can I Remove NegozI Ransomware and Decrypt .evil Files?


Reports have appeared about a new crypto virus, called NegozI ransomware. According to victims, the ransomware appends “.evil” extension to encrypted files and demands a payment in exchange for their decryption. Because of the extension it adds, some victims may refer to the threat as “.evil ransomware” or “.evil virus”. Another possible name for the ransomware is “[email protected](.)me ransomware” – after the email address provided in the ransom note. Due to the similar ransom notes, researchers suspect that NegozI ransomware has something in common with Sanction ransomware. The two ransomware pieces may be operated by the same individual or group of individuals.

Threat Summary

Name: NegozI Ransomware
Short Description: The ransomware encrypts files and appends an ‘.evil’ extension.
Symptoms: Files are enciphered and become inaccessible. A text file with ransom instructions is added.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.

How Is NegozI Ransomware Spread?

Ransomware viruses typically rely on several distribution vectors:

  • Spam emails and malicious email attachments or corrupted links;
  • Social networks and file sharing services.

Keep in mind that if you open a malicious attachment, the malware can be injected automatically. Malicious code can also be ‘hidden’ in the text of the email itself which means that you can get infected just by opening the message, without the need of further interaction.

More sophisticated ransomware viruses can be distributed via exploit kits. However, there are no reports that NegozI is spread this way.

You should also be careful with file sharing services, p2p networks and social networks, as malware and ransomware operators may exploit them to spread their payload to as many users as possible.

Torrent websites are often at fault for the distribution of Trojan horses. That being said, ransomware such as NegozI may be distributed with the help of Trojans.

Technical Details about NegozI Ransomware and .Evil Extension

At this moment, not much information is available about NegozI ransomware. When your computer is infected, an executable or a type of batch file is usually created, and the ransomware could make new entries in the Windows Registry.

The executable can be generated on a random basis so that it has a different name on every system. Keep in mind that modifications in the Windows Registry are usually created in the following registry entries:




This way, the ransomware may load automatically upon every system restart.

This is the ransom note dropped by NegozI, according to research:

All your files have been encrypted with NegozI Ransomware.
For each file unique ,strong key. Algorithm AES256
All your attempts to restore files on their own, lead to the loss of the possibility of recovery and we are not going to help you.
All your actions are traced and known to us.

If you do not make payment within 5 days, you will lose the ability to decrypt them.
Make your Bitcoin Wallet on: https://www.coinbase(.)com/ , or http://blockchain(.)info
How to buy /sell and send Bitcoin:

After the payment, send the wallet from which paid and your uniq ID to mail : [email protected](.)me
After receiving the payment, we will contact and give you decryption tools and faq how to decrypt your files.
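
The two indicators described above, the ‘.evil’ extension and the opening sentence of the ransom note, are enough to scope the damage on a disk. The following Python script is an added example, not code from the original article or from any vendor tool: it walks a directory, uses byte entropy to separate genuinely encrypted .evil files from files that merely carry the extension, and finds ransom notes by content rather than by name. The 7.0 bits-per-byte threshold, the 64 KiB sample size and the function names are assumptions.

```python
import math
import os
import sys
from collections import Counter

EXTENSION = ".evil"  # extension reported in the article
NOTE_MARKER = "encrypted with NegozI Ransomware"  # phrase from the quoted note
ENTROPY_THRESHOLD = 7.0  # assumption: bits/byte above which data looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def looks_like_note(head: bytes) -> bool:
    """Match the note text in UTF-8/ASCII or UTF-16LE (common on Windows)."""
    return (NOTE_MARKER.encode("utf-8") in head
            or NOTE_MARKER.encode("utf-16-le") in head)


def triage(root: str, sample_size: int = 65536) -> dict:
    """Classify files under root by the indicators described in the article."""
    report = {"encrypted": [], "renamed_only": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_size)
            except OSError:
                continue  # locked or unreadable file: skip, do not abort the scan
            if name.lower().endswith(EXTENSION):
                high = shannon_entropy(head) >= ENTROPY_THRESHOLD
                report["encrypted" if high else "renamed_only"].append(path)
            elif name.lower().endswith(".txt") and looks_like_note(head):
                report["notes"].append(path)
    return report


if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind, paths in result.items():
        print(f"{kind}: {len(paths)}")
```

The script only reads files, so it can be run against a mounted forensic image or a backup copy before any cleanup is attempted.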

NegozI Ransomware Removal Instructions

If you have been infected by NegozI ransomware, you should consider following the removal instructions below the article.

Milena Dimitrova
