Computer security researchers have discovered a new variant of BTCWare ransomware, named Nuclear ransomware. It appends the [firstname.lastname@example.org].nuclear extension to encrypted file names. This article provides a brief summary of what is known about this new ransomware and explains how to decrypt or recover encrypted files for free.
Once installed, the Nuclear ransomware scans the personal computer for certain file types and encrypts them. When it encrypts a file, it adds the [email@example.com].nuclear extension to the file name to mark it as encrypted. For example, a file named example.xls would be encrypted and renamed to example.xls.[firstname.lastname@example.org].nuclear.
Table of contents
- What is Nuclear ransomware
- How to decrypt .[email@example.com].nuclear files
- How to remove Nuclear ransomware virus
- How to restore .[firstname.lastname@example.org].nuclear files
- How to prevent your computer from becoming infected by Nuclear ransomware infection?
- How does your personal computer get infected with Nuclear ransomware virus
- To sum up
The Nuclear ransomware urges the victim to pay in Bitcoins for a key to decrypt the files. It is important to know that it is currently not possible to decrypt your photos, documents and music without emailing email@example.com to obtain a private key and a decryption application. If you choose to pay the ransom, there is no 100% guarantee that you will be able to decrypt all of your documents, photos and music! If you do not want to pay for a decryption key, you still have a chance to recover encrypted documents, photos and music.
We advise you to remove the Nuclear virus as soon as possible, before its presence leads to even worse consequences. Follow the tutorial below; it will help you completely remove Nuclear ransomware from your PC and restore encrypted personal files using only a few free utilities.
What is Nuclear ransomware
The Nuclear virus is a crypto virus (malware that encrypts personal files and demands a ransom) from the BTCWare ransomware family. It affects all current versions of Windows, including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. The ransomware uses a strong encryption algorithm with a large key, which rules out brute-forcing the key that would allow the encrypted files to be decrypted.
When the ransomware infects a computer, it stores its own files in system directories. To run automatically whenever you turn on your computer, the Nuclear ransomware creates a registry entry in Windows under the keys HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
Immediately after launch, the ransomware scans all available drives, including network and cloud storage, to determine which files to encrypt. It uses the file name extension to define the group of files that will be encrypted. Almost all types of files are encrypted, including common ones such as:
.wcf, .zi, .png, .zabw, .pfx, .zw, .mef, .w3x, .mdbackup, .avi, .xy3, .p12, .webp, .3ds, .db0, .xlsx, .hplg, .bik, .ibank, .cr2, .xwp, .pef, .re4, .wmd, .sr2, .lvl, .bsa, .iwd, .crw, .dbf, .xmmap, .mp4, .xx, .pptx, .xbplate, .dazip, .vdf, .icxs, .xpm, .wdp, .jpg, .rwl, .wp, .svg, .sidd, .srf, .hvpl, .indd, .7z, .xlsx, .2bp, .z, .csv, .wsc, .kf, .bay, .bc7, .m4a, .xml, .epk, .syncdb, .yal, .wire, .wpd, .gho, .wotreplay, .mpqge, .wgz, .ztmp, .wma, .x3f, wallet, .zip, .pem, .zif, .sidn, .mdb, .eps, .wbz, .xmind, .xlsm, .wpg, .x, .bkp, .menu, .wmo, .kdc, .dmp, .wsh, .wbmp, .dcr, .crt, .xdl, .mov, .ybk, .wot, .wbd, .wpl, .sb, .snx, .dwg, .0, .tax, .zip, .bar, .asset, .ltx, .wps, .litemod, .xf, .sis, .upk, .mdf, .3dm, .xbdoc, .iwi, .wri, .lbf, .vcf, .psk, .doc, .pdf, .tor, .nrw, .docm, .css, .wpb, .wp6, .pdd, .erf, .rofl, .t12, .xdb, .js, .r3d, .mcmeta, .raf, .dxg, .m2, .xlsm, .docx, .wsd, .blob, .xar, .xll, .wpt, .wb2, .zdb, .jpeg, .sid, .ods, .sql, .xlk, .xyp, .accdb, .xlsb, .ptx, .rtf, .wbk, .map, .ws, .ff, .t13, .odm, .vtf, .bkf, .y, .big, .slm, .odt, .apk, .xlgc, .fsh, .fos, .der, .ncf, .yml, .wp4, .mddata, .wbc, .desc, .wps, .qic, .sav, .dng, .wmf, .zdc, .hkx, .x3d, .wn, .cas, .d3dbsp, .pst, .vfs0, .jpe, .pptm, .hkdb, .wma, .raw, .itl, .cer, .wmv, .arw, .psd, .orf, .xyw, .wpe, .ai, .p7c, .wbm, .fpk, .pkpass, .sie, .esm, .wpw, .rw2, .ysp, .itm, .cfr, .1st, .forge, .1, .cdr, .gdb, .wdb, .wpa, .wp5, .txt, .srw, .odc, .qdf, .x3f, .wm, .arch00, .webdoc, .wmv, .xls, .ntl, .vpp_pc, .odb, .ppt, .layout, .rgss3a, .sum, .xld, .lrf, .itdb, .wav, .rb, .m3u, .das, .p7b, .bc6, .wp7, .3fr, .pak, .xls, .dba, .flv, .rar, .mrwref, .odp, .vpk, .wpd, .rim, .mlx, .py, .z3d, .kdb, .xxx
Once a file is encrypted, its extension is changed to [firstname.lastname@example.org].nuclear. Next, the ransomware creates a file named “HELP.hta”. This file contains instructions on how to decrypt all encrypted documents, photos and music. An example of the instructions is:
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail email@example.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The Nuclear ransomware actively uses scare tactics: it gives the victim a brief description of the encryption algorithm and shows the ransom instructions on the desktop. It tries to pressure the user of the infected computer into paying the ransom without hesitation, in an attempt to recover their photos, documents and music.
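As an added example (not part of the original article), the following Python script inventories a directory tree for files renamed with the scheme described above, derives each file's original name, counts them by original extension, records the contact address embedded in the names, and locates HELP.hta ransom notes. The sample tree it builds is constructed for the demonstration, and the address attacker@example.invalid is an assumption.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Naming scheme the article describes: "<name>.<ext>.[<contact e-mail>].nuclear".
# Any bracketed address is accepted so the pattern is not tied to one sample.
NUCLEAR_RE = re.compile(r"^(?P<original>.+)\.\[(?P<contact>[^\]]+)\]\.nuclear$", re.IGNORECASE)
RANSOM_NOTE = "HELP.hta"  # ransom note file name from the article


def original_name(file_name):
    """Return the pre-encryption name (e.g. 'example.xls'), or None if not a .nuclear file."""
    m = NUCLEAR_RE.match(file_name)
    return m.group("original") if m else None


def triage(root):
    """Walk `root`; count .nuclear files by original extension, collect contacts and notes."""
    encrypted, notes, contacts = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE.lower():
                notes.append(path)
                continue
            m = NUCLEAR_RE.match(name)
            if m:
                encrypted.append((path, m.group("original")))
                contacts[m.group("contact")] += 1
    by_ext = Counter(Path(orig).suffix.lower() or "(none)" for _p, orig in encrypted)
    return {
        "encrypted_count": len(encrypted),
        "by_original_extension": dict(by_ext),
        "contacts": dict(contacts),
        "ransom_notes": notes,
        "encrypted": encrypted,
    }


def build_sample(root):
    """Create a constructed sample tree of empty files (not real ransomware output)."""
    docs = Path(root) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    for name in ("report.xlsx.[attacker@example.invalid].nuclear",  # assumed address
                 "photo.jpg.[attacker@example.invalid].nuclear",
                 "notes.txt",  # untouched file, must not be counted
                 RANSOM_NOTE):
        (docs / name).touch()
    return root


def demo_run():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample(tmp))
```

On an affected machine, call triage() on the user profile or a whole drive; demo_run() exercises the same logic on the constructed tree.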
How to decrypt .[firstname.lastname@example.org].nuclear files
Currently there is no available way to decrypt .nuclear files, but you have a chance to recover encrypted files for free. The ransomware repeatedly tells the victim that it uses a hybrid AES + RSA encryption mode. This means that decrypting the files is impossible without the private key. “Brute forcing” is not a solution either, because of the length of the key. Therefore, unfortunately, paying the makers of the Nuclear ransomware the entire amount requested is the only way to try to obtain the decryption key and decrypt all your files.
There is absolutely no guarantee that after you pay the ransom, the makers of the Nuclear ransomware will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals you are encouraging them to create new viruses.
How to remove Nuclear ransomware virus
Even if you have an up-to-date classic antivirus installed, have checked your PC for ransomware and removed anything found, you still need to follow the guidance below. Removing Nuclear ransomware is not as simple as installing another antivirus. Classic antivirus programs are not designed to run side by side; they will conflict with each other or possibly crash Microsoft Windows. Instead, we recommend completing the steps below and running Zemana Anti-malware, Malwarebytes or Kaspersky Virus Removal Tool, which are free programs dedicated to detecting and removing malware such as the Nuclear ransomware. Run these utilities to ensure the ransomware is removed.
How to remove Nuclear virus with Zemana Anti-malware
We recommend using Zemana Anti-malware to completely clean your computer of the virus. The tool is an advanced malware removal program created by Zemana lab. It can help you remove PUPs, ransomware, ‘ad supported’ software, malware, toolbars and other security threats from your machine for free.
Download Zemana anti-malware from the link below and save it to your Desktop.
When the download is done, start it and follow the prompts. Once installed, Zemana Anti-malware will try to update itself; when this procedure is complete, click the “Scan” button to start checking your computer for the Nuclear virus and other trojans and harmful applications.
This task can take quite a while, so please be patient. Review the scan results and then press “Next” button.
Zemana Anti-malware will start removing all detected folders, files, services and registry entries.
How to remove Nuclear ransomware with Malwarebytes
We recommend using Malwarebytes Free to completely clean your computer of the ransomware. The free tool is an advanced malware removal program made by Malwarebytes lab. It uses the world’s most popular anti-malware technology and can help you get rid of viruses, PUPs, malicious software, adware, toolbars, ransomware and other security threats from your system for free.
Download Malwarebytes by clicking on the following link and save it directly to your Microsoft Windows Desktop.
After the download is done, close all applications and windows on your computer. Double-click the setup file named mb3-setup. If the “User Account Control” prompt pops up as shown in the following example, click the “Yes” button.
It will open the “Setup wizard” that will help you install Malwarebytes on your personal computer. Follow the prompts and do not make any changes to default settings.
Once setup is done successfully, click Finish button. Malwarebytes will automatically start and you can see its main screen as shown in the following example.
Now click the “Scan Now” button to start scanning your machine for the Nuclear ransomware. This process may take quite a while, so please be patient. While the tool is scanning, you can see how many objects it has identified as malicious software.
After the scan is finished, it will display a scan report. Review the scan results and then click the “Quarantine Selected” button. Malwarebytes will start removing the Nuclear ransomware and other security threats. Once disinfection is finished, you may be prompted to reboot the PC.
We suggest you look at the following video, which completely explains the process of using the Malwarebytes to get rid of ransomware and other malicious software.
If the problem with the Nuclear ransomware still remains
The KVRT tool is free and easy to use. It can scan for and remove ransomware such as Nuclear, malicious software, potentially unwanted programs and adware in the Chrome, Internet Explorer, Firefox and MS Edge browsers, and thereby restore their default settings (new tab, start page and default search provider). KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the machine.
Download Kaspersky virus removal tool (KVRT) on your PC system from the link below.
After the download is finished, double-click the KVRT icon. Once initialization is finished, you will see the Kaspersky virus removal tool screen as in the image below.
Click Change Parameters and tick all your drives. Click OK to close the Parameters window. Next, click the Start scan button. This will begin scanning the whole PC for the Nuclear virus and other known infections. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC and its speed.
Once the scan has finished, it will display a list of all threats detected by the tool, as shown in the following example.
To delete all threats, simply click Continue to begin the cleaning task.
How to restore .[email@example.com].nuclear files
In some cases, you can restore files encrypted by Nuclear ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Use ShadowExplorer to recover .nuclear files
In some cases, you have a chance to restore personal files that were encrypted by the Nuclear ransomware. This is possible thanks to a utility named ShadowExplorer, a free application designed to retrieve ‘shadow copies’ of files.
Download ShadowExplorer by clicking on the link below. Save it on your MS Windows desktop. This tool is available for Windows Vista, Windows 7, Windows 8 and Windows 10.
When the download is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown below.
Launch ShadowExplorerPortable. You will see a window like the one below.
From the first drop-down list, choose the drive that contains the encrypted photos, documents and music; from the second drop-down list, choose the date you wish to restore from. 1 – drive, 2 – restore point, as shown below.
Right-click an entire folder or any single encrypted file and select Export, as shown on the screen below.
It will show a prompt asking whether you would like to recover the file or the contents of the folder.
Restore .[firstname.lastname@example.org].nuclear files with PhotoRec
Before a file is encrypted, the Nuclear ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your files using file restore software such as PhotoRec.
Download PhotoRec from the following link and save it directly to your Microsoft Windows Desktop.
Once the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown below.
Double-click qphotorec_win to run PhotoRec for MS Windows. It will display a screen as shown in the following example.
Select the drive to recover from, as shown below.
You will see a list of available partitions. Choose the partition that holds the encrypted files, as shown below.
Press the File Formats button and select the file types to restore. You can enable or disable the recovery of certain file types. When this is done, click the OK button.
Next, click the Browse button to select where the restored personal files should be written, then click Search.
The count of restored files is updated in real time. All recovered photos, documents and music are written to the folder you selected in the previous step. You can access the files even before the restore process is finished.
When the recovery is complete, click the Quit button. Next, open the directory where the restored personal files are stored. You will see contents like those in the image below.
All recovered photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort the recovered files by extension and/or date/time.
How to prevent your computer from becoming infected by Nuclear ransomware virus?
Most antivirus programs already have built-in protection against ransomware. Therefore, if your system does not have an antivirus program, make sure you install one. As extra protection, use CryptoPrevent.
Use CryptoPrevent to protect your PC from Nuclear ransomware virus
Download CryptoPrevent from the link below and save it directly to your MS Windows Desktop.
Run it and follow the setup wizard. Once setup is complete, you will be shown a window where you can select the level of protection, as shown in the figure below.
Now click the Apply button to activate the protection.
How does your personal computer get infected with Nuclear virus
Usually, ransomware such as the Nuclear virus is delivered through phishing attacks or spam emails. Below is an example of an email carrying a virus like Nuclear ransomware.
Once the attachment has been opened, the ransomware starts automatically without you even noticing. The Nuclear ransomware then begins the encryption procedure. When this task is done, it shows the usual ransom demand message, like the one above, in HELP.hta.
To sum up
After completing the step-by-step tutorial outlined above, your computer should be clean of Nuclear ransomware and other malware. Your machine will no longer encrypt your files. Unfortunately, if the step-by-step guide does not help you, then you have caught a new variant of ransomware, and the best way forward is to ask for help.
- Download HijackThis by clicking on the link below and save it to your Desktop.
- Double-click the HijackThis icon. Next, click the “Do a system scan only” button.
- Once that process is complete, the scan button will read “Save log”; press it. Save the log to your desktop.
- Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
- Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
- Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the Nuclear ransomware infection.