
Remove New n1n1n1 Ransomware and Restore .dat Encrypted Files

Users have begun to complain about “decrypt explanations.html” files appearing on their computers after infection with the newest, second variant of the n1n1n1 ransomware. There are not many differences between this variant and its first iterations. However, the virus may include fixes for bugs and flaws that make it more evasive to malware researchers who try to develop a free decryptor for it. In addition, n1n1n1 ransomware adds the file marker 999999 to the files it encrypts to distinguish them from files encrypted by other viruses. If you have been affected by the latest n1n1n1 variant, we advise you to read this article carefully to learn how to cope with the virus and attempt to restore your files to a working state.

Threat Summary

Name: n1n1n1
Type: Ransomware
Short Description: The malware encrypts users’ files using a strong RSA encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms: The user may witness ransom notes, “instructions” and a sound message, all linking to a web page and a decryptor. File names are changed and the .dat file extension is used.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

N1n1n1 Ransomware – How Does It Spread

Similar to the previous version of the ransomware, the virus may use several types of tools to spread:

  • Exploit kits.
  • JavaScript of malicious character.
  • Other malware that may have previously infected the victim’s computer.

In addition to this, the n1n1n1 ransomware could also use malicious spam campaigns that allow the makers of the virus to spread its payload via malicious attachments carrying the tools above, in combination with an obfuscator that will evade any security software.

N1n1n1 v2 Ransomware – Technical Analysis

When it has infected the computer, the n1n1n1 ransomware connects remotely to a host from where it may download one or more malicious files of the following file types:

.exe, .dll, .bat, .vbs, .tmp

In addition, the dropped files may be preprogrammed to land in specific Windows folders. The most often targeted folders are usually the system folders, such as:

%AppData%
%Roaming%
%Local%
%SystemDrive%
%Windows%

N1n1n1 ransomware does not end its preparation stage there. The virus may also heavily modify the Windows registry settings, which may allow it to run automatically on system startup. This is achievable either by dropping files in the %Startup% folder of Windows or by using a malicious script to add value strings to the following Windows registry subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
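
The check below is an added example, not part of the original article: a PowerShell audit of the four Run/RunOnce keys and the Startup folders that flags entries launching .exe, .dll, .bat, .vbs or .tmp files from user-writable folders. Mapping the article's folder names to $env:APPDATA, $env:LOCALAPPDATA and $env:TEMP is an assumption, and Test-SuspiciousCommand is a hypothetical helper name.

```powershell
# Added example: audit the autorun locations named in the article.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumption: these variables stand in for the article's %AppData%,
# %Roaming% and %Local% folders, plus the temp folder for .tmp drops.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
# File types the article lists as downloaded payloads.
$dropTypes = '\.(exe|dll|bat|vbs|tmp)\b'

function Test-SuspiciousCommand {   # hypothetical helper name
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($dir in $userWritable) {
        $inDir = $expanded.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0
        if ($inDir -and $expanded -match $dropTypes) { return $true }
    }
    return $false
}

# Collect every value under the Run/RunOnce keys that exist.
$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$item.GetValue($name) }
    }
})

# Add files sitting in the per-user and all-users Startup folders.
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup')) | Where-Object { $_ }
$entries += @(foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName } }
})

# Print everything, flagged entries first, for manual review.
$entries |
    Select-Object Source, Name, Command,
        @{ n = 'Suspicious'; e = { Test-SuspiciousCommand $_.Command } } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize -Wrap
```

A flagged entry is a lead to verify (file signature, hash, creation time), since legitimate software also starts from these folders.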

Once the virus is running, one way or another, n1n1n1 immediately gets down to encoding files. It targets the commonly targeted types of data: documents, pictures, videos, images, database files, Microsoft Office documents and even archives and Adobe .pdf files. The contents of an encrypted file look like the image below, with the added 999999 file marker, according to researcher Michael Gillespie, who researched a sample of the virus:

[Image: contents of an encrypted file with the 999999 file marker]

In addition, files encrypted by n1n1n1 ransomware may have the .dat file format and changed names made up of letters and the digits 0-9, along with other symbols such as the underscore (“_”), for example:

[Image: example of a file encrypted by n1n1n1]

In addition to this, the ransomware virus drops a “decrypt explanations.html” file which contains the following ransom message to the victims:

→ “Se I’inglese non e la lingua poi tradurre qui https://translate.google.com
Se o ingles nao nao sua lingua, em seguida, traduzir aqui https://translate.google.com
Si el ingles no es tu idioma y luego traducir aqui https://translate.google.com
Jesli angielski nie jest twoim jezykiem, a nastepnie tluma czyc tutaj https://translate.google.com
Files on your PC have been encrypted, but you can decrypt your files. You should follow step
1. Run your browser, enter in address bar https://www.torproject.org and open this site,
click button ‘download’ and download tor browser and install it.
2. If you can’t load or run tor browser (using step in step above) then download most stable tor browser here:
http://www45.zippyshare.com/v/BLC6NCzW/file.html
3. Enter to tor browser address bar www.hffahvbc7ppol5np.onion/decrypt.php
4. Open our secret site and you will see instuctions
If you can not make steps 1. or 2. or 3. or 4. then disable your antivirus and do steps again.
If for any reason you can not open our secret site, or you have questions then
Open google service https://mail.google.com in your usual browser (Google chrome, Firefox or Internet Iexplorer or other).
Sign up (if you don’t have google email yet). Sign in. You will get ..@gmail mail.
Compose e-mail letter and send it to our e-mail: [email protected]
Copy public key (see it below) in letter. Wait 1 or 2 days you will get our answer.
Simple explanations: We gave you the link https://mail.google.com because we checked that google allow send emails to ..@sigaint.org
Therefore don’t use other emails services because we didn’t check that your email service allow send email to ..@sigaint.org
My recommendation: do a photograph on telephone camera this text.
You need do it because soon antivirus can destroy files with this text.
Your public key is
{UNIQUE KEY HERE}”

Remove New n1n1n1 Ransomware and Restore .dat Files

The bottom line is that the creators of the virus have likely come up with a new version that may or may not be an improved one. Malware researchers advise against following the instructions posted in the ransom note of the virus and recommend removing the virus instead.

To remove n1n1n1 completely, we advise users to follow the removal instructions below. In case you are having trouble manually removing this ransomware virus, you should clean your computer using an advanced anti-malware program, which will automatically ensure the removal of the n1n1n1 malware and other viruses along with it.

To try to restore your files, we strongly suggest that you follow the alternative methods in step “2. Restore files encrypted by n1n1n1” below. They focus on providing you with non-guaranteed alternative methods that do not involve paying the ransom. This is why we advise you to back up your files before following them and to try them at your own risk.

Manually delete n1n1n1 from your computer

Note! Important notice about the n1n1n1 threat: manual removal of n1n1n1 requires interfering with system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove n1n1n1 files and objects
2. Find malicious files created by n1n1n1 on your PC

Automatically remove n1n1n1 by downloading an advanced anti-malware program

1. Remove n1n1n1 with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by n1n1n1
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
