Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove NoobCrypt Ransomware and Restore Locked Files

STF-noobcrypt-ransomware-coded-in-romania-ransom-note

NoobCrypt is a ransomware virus, which encrypts files and wants different currency as payment for ransom. The ransomware calls you a noob if you input a wrong decryption key. To remove the ransomware and see how to restore your files, you should read the article till the very end.

UPDATE! Decryption key has been released that is Universal for the new NoobCrypt infections. Simply type “lsakhBVLIKAHg” as the unlock key and you will get your files decrypted

Threat Summary

NameNoobCrypt
TypeRansomware
Short DescriptionThe ransomware encrypts your files and shows a lockscreen with a ransom note. it gives details on how to pay the ransom.
SymptomsThe ransomware locks your screen and asks for 299 US dollars or 250 NZD paid in Bitcoins after file encryption. If you input a wrong unlock key it calls you a noob.
Distribution MethodExploit Kits, Spam Emails, File Sharing Networks
Detection Tool See If Your System Has Been Affected by NoobCrypt

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss NoobCrypt.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

NoobCrypt Ransomware – Infection Spread

NoobCrypt ransomware could be spread with spam emails. Such type of emails is intended to reach out a lot of people containing a spam message along with an attachment. Opening that attachment triggers the malicious payload and infects your computer. Do not open emails which are suspicious or ones with an unknown origin.

Another possible way of spreading the infection and compromising computers might be via social media and file-sharing networks. Such networks are at times used by cyber-criminals to additionally spread their ransomware viruses. The same advice as before can be applied here – to avoid infection be careful and do not download, open or click anything suspicious or unknown.

NoobCrypt Ransomware – Technical Information

NoobCrypt ransomware is coded on .NET, but has flaws and errors in its code. The virus will display a message that you are a noob if you try to enter an invalid decryption key. But the real noobs here seem to be the cyber-criminals behind it, because of the way they have written the ransomware. Not only there are mistakes in the code, but some of these mistakes show in the ransom note.

NoobCrypt ransomware creates the following registry key:

→HKEY_CURRENT_USER\k1j3jk153kj153

Inside there are these three strings:

  • (Default)
  • iv
  • key

It does not seem to be any registry for automatically launching with the start of Windows, too.

You can see a screenshot of the lockscreen that appears after encryption down here:

STF-noobcrypt-ransomware-coded-in-romania-ransom-note

You can read the text from the ransom note here:

Your personal files is are encrypted!
Coded in R0MANIA
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
You have 48 hours to pay 250 NZD in Bitcoins to get the decryption key.
Every 2 hours files will be deleted.Increasing in amount every time frame.
If you do not send money within provided (deadline) your files will be permanently crypted and no one will be able to recover them.
Time left until your files will be DELETED! – Don’t try to trick us.
Send approximately 250NZD to this BTC Address I have paid, check.
$299
1JrYNuMaE4VXKrod2gA9keBo6nzPvtaoZ6
In order to pay use a Phone or a Laptop!
Informations CHECK

You can see in the picture above how the counter and one of the $299 are misplaced. Maybe it was intended for the 250 New Zealand dollars to be covered by the sum of 299 US dollars. 250 New Zealand dollars are only 175 American ones, so that can be a good reason, why the criminals maybe wanted to change it.

Whatever the asked sum is, it is not advised to pay the ransom, nor is it advised to contact the criminals in any way. Paying will only support the people behind the ransomware and make them want to continue doing this. Keep reading, to find out how to recover your data.

You can see that the ransomware is detected by security programs already, according to the VirusTotal website:

STF-noobcrypt-ransomware-coded-in-romania-virus-total

The NoobCrypt ransomware is a screenlock ransomware, and will not let you access your files while it is on your computer.

NoobCrypt ransomware is not known to delete Shadow Volume Copies from the Windows operating system. That may not be so important as currently there is a way to decrypt your files according to researchers. Read below to see what you can do to unlock your PC.

Remove NoobCrypt Ransomware and Restore Locked Files

If your computer system is infected with the NoobCrypt ransomware, you should have some experience with removing malware. You should get rid of this ransomware before it infects somebody else on the network you use. The recommended action for you is to read the step-by-step instructions manual provided down below, try to restore your files and to remove the ransomware completely.

Manually delete NoobCrypt from your computer

Note! Substantial notification about the NoobCrypt threat: Manual removal of NoobCrypt requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove NoobCrypt files and objects.
2. Find malicious files created by NoobCrypt on your PC.
3. Fix registry entries created by NoobCrypt on your PC.

Automatically remove NoobCrypt by downloading an advanced anti-malware program

1. Remove NoobCrypt with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by NoobCrypt in the future
3. Restore files encrypted by NoobCrypt
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.