Remove New n1n1n1 Ransomware and Restore .dat Encrypted Files - How to, Technology and PC Security Forum


Users have begun to complain about “decrypt explanations.html” files appearing on their computers after infection with the newest, second variant of the n1n1n1 ransomware. There are not many differences between this variant and its first iterations. However, the virus may have had bugs and flaws fixed to make it more evasive to malware researchers who try to develop a free decryptor for it. In addition, n1n1n1 ransomware adds the file marker 999999 to the encrypted files to distinguish them from files encrypted by other viruses. If you have been affected by the latest n1n1n1 variant, we advise you to read this article carefully to learn how to cope with the virus and attempt to restore your files to a working state.

Threat Summary



Short Description: The malware encrypts users’ files using a strong RSA encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms: The user may witness ransom notes, “instructions” and a sound message, all linking to a web page and a decryptor. Files are renamed and given the .dat file extension.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

N1n1n1 Ransomware – How Does It Spread

Similar to the previous version of the ransomware, the virus may use several types of tools to spread:

  • Exploit kits.
  • JavaScript of malicious character.
  • Other malware that may have previously infected the victim’s computer.

In addition, the n1n1n1 ransomware could also use malicious spam campaigns that allow the makers of the virus to spread its payload via malicious attachments carrying the tools above, in combination with an obfuscator to evade security software.

N1n1n1 v2 Ransomware – Technical Analysis

When it has infected the computer, the n1n1n1 ransomware connects remotely to a host from where it may download one or more malicious files of the following file types:

.exe, .dll, .bat, .vbs, .tmp

In addition, the dropped files may be preprogrammed to land in specific Windows folders; the most often targeted folders are usually the system folders, such as:


N1n1n1 ransomware does not end its preparation stage there. The virus may also heavily modify the Windows registry settings, which may allow it to run automatically on system startup. This is achievable either by dropping files in the %Startup% folder of Windows or by using a malicious script to add value strings in the following Windows registry subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
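
One way to audit the two Run keys above is to parse the text output of `reg query` and flag values whose command references one of the dropped file types listed earlier. This is an added example, not code from the article or from any researcher's tooling; the sample output is constructed, and treating .dll, .bat, .vbs and .tmp targets as worth a manual look is a heuristic assumed here, not a signature for n1n1n1.

```python
import re

# The two Run keys named in the article, lower-cased for comparison.
RUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)}
# Dropped file types from the article, minus .exe (too common to flag alone).
ODD_AUTORUN_EXT = {".dll", ".bat", ".vbs", ".tmp"}

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")
EXT_RE = re.compile(r'\.[A-Za-z0-9]{2,4}(?=$|[\s",])')

# Constructed sample of `reg query` output (not taken from a real infection).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater Task    REG_SZ    wscript.exe "C:\Users\Public\k3_9.vbs"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    svc    REG_SZ    rundll32.exe C:\ProgramData\a1.tmp,Start
"""

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m["name"], m["data"]

def suspicious_autoruns(text):
    """Return Run-key values whose command references an unusual file type."""
    hits = []
    for key, name, data in parse_reg_query(text):
        if key.lower() not in RUN_KEYS:
            continue
        exts = {e.lower() for e in EXT_RE.findall(data)}
        flagged = sorted(exts & ODD_AUTORUN_EXT)
        if flagged:
            hits.append((key, name, flagged))
    return hits

if __name__ == "__main__":
    for hit in suspicious_autoruns(SAMPLE):
        print(hit)
```

Feed it the saved output of `reg query` for each of the two keys; a hit is a prompt to inspect the referenced file, not proof of infection.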

Once the virus is running, one way or another, n1n1n1 immediately gets down to encoding files. The files it targets are the commonly targeted types of data: documents, pictures, videos, images, database files, Microsoft Office documents and even archives and Adobe .pdf files. The encrypted files’ code looks like the image below, with an added 999999 file marker, according to researcher Michael Gillespie, who researched a sample of the virus:


In addition, files encrypted by n1n1n1 ransomware may also have the .dat file extension and changed names made up of letters, the digits 0-9 and other symbols such as the underscore (“_”), for example:


In addition to this, the ransomware virus drops a “decrypt explanations.html” file which contains the following ransom message to the victims:

→ “Se I’inglese non e la lingua poi tradurre qui
Se o ingles nao nao sua lingua, em seguida, traduzir aqui
Si el ingles no es tu idioma y luego traducir aqui
Jesli angielski nie jest twoim jezykiem, a nastepnie tluma czyc tutaj
Files on your PC have been encrypted, but you can decrypt your files. You should follow step
1. Run your browser, enter in address bar and open this site,
click button ‘download’ and download tor browser and install it.
2. If you can’t load or run tor browser (using step in step above) then download most stable tor browser here:
3. Enter to tor browser address bar www.hffahvbc7ppol5np.onion/decrypt.php
4. Open our secret site and you will see instuctions
If you can not make steps 1. or 2. or 3. or 4. then disable your antivirus and do steps again.
If for any reason you can not open our secret site, or you have questions then
Open google service in your usual browser (Google chrome, Firefox or Internet Iexplorer or other).
Sign up (if you don’t have google email yet). Sign in. You will get ..@gmail mail.
Compose e-mail letter and send it to our e-mail:
Copy public key (see it below) in letter. Wait 1 or 2 days you will get our answer.
Simple explanations: We gave you the link because we checked that google allow send emails to
Therefore don’t use other emails services because we didn’t check that your email service allow send email to
My recommendation: do a photograph on telephone camera this text.
You need do it because soon antivirus can destroy files with this text.
Your public key is
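
The file-level indicators described in this section (the .dat extension, the 999999 marker and the “decrypt explanations.html” note) can be combined into a triage scan that separates likely encrypted files from ordinary .dat files. This is an added example, not code from the article or from the researcher it cites; the page does not say how or where the marker is stored, so the scan assumes ASCII bytes within the first or last 4 KiB of a file.

```python
import os

NOTE_NAME = "decrypt explanations.html"  # ransom note name from the article
MARKER = b"999999"   # assumption: the marker is stored as ASCII bytes
WINDOW = 4096        # assumption: the marker sits near the start or end

def has_marker(path, marker=MARKER, window=WINDOW):
    """True if `marker` occurs in the first or last `window` bytes of the file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(window)
            fh.seek(0, os.SEEK_END)
            size = fh.tell()
            fh.seek(max(0, size - window))
            tail = fh.read(window)
    except OSError:
        return False  # locked or unreadable file: skip it, do not abort the scan
    return marker in head or marker in tail

def triage(root):
    """Walk `root` and sort findings into note folders and .dat files."""
    report = {"note_dirs": [], "marked_dat": [], "unmarked_dat": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                report["note_dirs"].append(dirpath)
            elif name.lower().endswith(".dat"):
                # Many legitimate programs use .dat, so the extension alone
                # is not enough; the marker is what separates the two lists.
                bucket = "marked_dat" if has_marker(full) else "unmarked_dat"
                report[bucket].append(full)
    return report

if __name__ == "__main__":
    import sys
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for bucket, paths in result.items():
        print(bucket, len(paths))
```

The scan only reads files, so it can be run against a mounted copy of the affected disk before any removal or recovery attempt.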

Remove New n1n1n1 Ransomware and Restore .dat Files

The bottom line is that the creators of the virus have likely come up with a new version that may or may not be an improved one. Malware researchers advise against following the instructions in the ransom note and recommend removing the virus instead.

To remove n1n1n1 completely, we advise users to follow the removal instructions below. If you have trouble removing this ransomware manually, you should clean your computer using an advanced anti-malware program, which will automatically ensure the removal of the n1n1n1 malware and other viruses along with it.

To try to restore your files, we strongly suggest that you follow the alternative methods in step “2. Restore files encrypted by n1n1n1” below. They are non-guaranteed alternative methods that do not involve paying the ransom. This is why we advise you to back up your files before following them and to try them at your own risk.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
