Remove NoobCrypt Ransomware and Restore Locked Files - How to, Technology and PC Security Forum

Remove NoobCrypt Ransomware and Restore Locked Files


NoobCrypt is a ransomware virus that encrypts files and demands its ransom in different currencies. The ransomware calls you a noob if you enter a wrong decryption key. To remove the ransomware and see how to restore your files, read the article to the very end.

Threat Summary

Short Description: The ransomware encrypts your files and shows a lockscreen with a ransom note. It gives details on how to pay the ransom.
Symptoms: The ransomware locks your screen and asks for 299 US dollars or 250 NZD paid in Bitcoins after file encryption. If you input a wrong unlock key it calls you a noob.
Distribution Method: Exploit Kits, Spam Emails, File Sharing Networks
Detection Tool: See If Your System Has Been Affected by NoobCrypt (Malware Removal Tool)
User Experience: Join Our Forum to Discuss NoobCrypt.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files. It may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

NoobCrypt Ransomware – Update

UPDATE! A decryption key has been released that is universal for the new NoobCrypt infections. Simply type “lsakhBVLIKAHg” as the unlock key and you will get your files decrypted. It is preferred that you download the anti-malware tool mentioned above, to make sure the ransomware does not encrypt your files again after decryption.

NoobCrypt Ransomware – Infection Spread

NoobCrypt ransomware could be spread with spam emails. Such emails are intended to reach a lot of people and contain a spam message along with an attachment. Opening that attachment triggers the malicious payload and infects your computer. Do not open emails that are suspicious or of unknown origin.

Another possible way of spreading the infection and compromising computers might be via social media and file-sharing networks. Such networks are at times used by cyber-criminals to additionally spread their ransomware viruses. The same advice as before can be applied here – to avoid infection be careful and do not download, open or click anything suspicious or unknown.

NoobCrypt Ransomware – Technical Information

NoobCrypt ransomware is written in .NET, but has flaws and errors in its code. The virus will display a message that you are a noob if you try to enter an invalid decryption key. But the real noobs here seem to be the cyber-criminals behind it, because of the way they have written the ransomware. Not only are there mistakes in the code, but some of these mistakes show in the ransom note.

NoobCrypt ransomware creates the following registry key:


Inside there are these three strings:

  • (Default)
  • iv
  • key

There also does not seem to be any registry entry for launching automatically when Windows starts.
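A detection sketch for the registry behaviour described above, as an added example that is not from the original article or from the ransomware's code: it scans registry value-set events for a process that writes both an "iv" and a "key" value under the same key. The JSON-lines event format (Sysmon-style EventID, Image and TargetObject fields), the sample events and PLACEHOLDER_KEY (standing in for the key path, which the article does not preserve) are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed events (not real telemetry), shaped like Sysmon Event ID 13
# (registry value set) records exported as JSON lines. PLACEHOLDER_KEY stands
# in for the registry key path, which the article does not preserve.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Temp\\sample.exe", "TargetObject": "HKU\\S-1-5-21-0\\Software\\PLACEHOLDER_KEY\\(Default)"}
{"EventID": 13, "Image": "C:\\Temp\\sample.exe", "TargetObject": "HKU\\S-1-5-21-0\\Software\\PLACEHOLDER_KEY\\iv"}
{"EventID": 13, "Image": "C:\\Temp\\sample.exe", "TargetObject": "HKU\\S-1-5-21-0\\Software\\PLACEHOLDER_KEY\\Key"}
{"EventID": 13, "Image": "C:\\Program Files\\App\\app.exe", "TargetObject": "HKU\\S-1-5-21-0\\Software\\ExampleApp\\key"}
{"EventID": 12, "Image": "C:\\Program Files\\App\\app.exe", "TargetObject": "HKU\\S-1-5-21-0\\Software\\ExampleApp\\iv"}
"""

WATCHED = {"iv", "key"}  # value names listed in the article


def find_key_material_writes(lines):
    """Return sorted (image, key_path) pairs where one process set both
    an 'iv' and a 'key' value under the same registry key."""
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 13:  # only value-set events count
            continue
        # TargetObject is "<key path>\<value name>"; split on the last backslash
        key_path, _, value_name = event["TargetObject"].rpartition("\\")
        name = value_name.lower()  # registry value names are case-insensitive
        if name in WATCHED:
            seen[(event["Image"].lower(), key_path.lower())].add(name)
    return sorted(pair for pair, names in seen.items() if names == WATCHED)


if __name__ == "__main__":
    for image, key_path in find_key_material_writes(SAMPLE_EVENTS.splitlines()):
        print(f"review: {image} wrote iv+key under {key_path}")
```

A single value named "key" is common in benign software, so the check only fires when the same process writes both names under one key.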

You can see a screenshot of the lockscreen that appears after encryption down here:


You can read the text from the ransom note here:

Your personal files is are encrypted!
Coded in R0MANIA
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
You have 48 hours to pay 250 NZD in Bitcoins to get the decryption key.
Every 2 hours files will be deleted.Increasing in amount every time frame.
If you do not send money within provided (deadline) your files will be permanently crypted and no one will be able to recover them.
Time left until your files will be DELETED! – Don’t try to trick us.
Send approximately 250NZD to this BTC Address I have paid, check.
In order to pay use a Phone or a Laptop!
Informations CHECK

You can see in the picture above how the counter and one of the $299 amounts are misplaced. Maybe it was intended for the 250 New Zealand dollars to be covered by the sum of 299 US dollars. 250 New Zealand dollars are only 175 American ones, which may be a good reason why the criminals wanted to change it.

Whatever the sum asked for, it is not advised to pay the ransom, nor is it advised to contact the criminals in any way. Paying will only support the people behind the ransomware and make them want to continue doing this. Keep reading to find out how to recover your data.

You can see that the ransomware is detected by security programs already, according to the VirusTotal website:


The NoobCrypt ransomware is a screenlock ransomware, and will not let you access your files while it is on your computer.

NoobCrypt ransomware is not known to delete Shadow Volume Copies from the Windows operating system. That may not be so important, as according to researchers there is currently a way to decrypt your files. Read below to see what you can do to unlock your PC.

Remove NoobCrypt Ransomware and Restore Locked Files

If your computer system is infected with the NoobCrypt ransomware, you should have some experience with removing malware. You should get rid of this ransomware before it infects somebody else on the network you use. The recommended action is to read the step-by-step instructions provided below, try to restore your files and remove the ransomware completely.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
