
MyAntiSpyware


.Nelasod file extension ransomware virus (Restore, Decrypt .nelasod files)

Myantispyware team July 30, 2019    

This week, computer security researchers discovered a new ransomware. It is named ‘Nelasod file virus’ and uses malicious software to infect Windows computers. Shortly after the computer has been infected, it encrypts files on all attached data storage and adds the .nelasod file extension to the name of every encrypted file.

Files encrypted by Nelasod ransomware virus


The Nelasod file virus is developed to encrypt files on the computer. It belongs to the list of ransomware. Like other ransomware, it is able to block files such as archives, documents, movies, photos, databases, web application-related files, drawings and other files that are important to the user and that the user cannot afford to have out of operation. The victim will not be able to use them, even by opening them with various software. Nelasod ransomware virus locks up almost all files, including common types such as:

.css, .xmind, .arch00, .itdb, .rim, .raf, .wav, .xdb, .xlsm, .sav, .webdoc, .litemod, .vcf, .wsc, .z, .icxs, .fsh, .zip, .ltx, .dbf, .wpg, .bsa, .hkx, .lbf, .flv, .arw, .ncf, .wot, .sql, .xyp, .indd, .xy3, .vtf, .d3dbsp, .esm, .hplg, .p12, .ibank, .pak, .nrw, .pem, .crw, .wmd, .itm, .wmf, .mrwref, .w3x, .bc7, .wmo, .tax, .wire, .lrf, .docx, .xml, .wbd, .map, .psk, .pptx, .big, .wma, .7z, .xmmap, .cer, .odt, .wdb, .wbk, .y, .1, .der, .wmv, .dng, .m3u, .xbdoc, .x3d, .re4, .xls, .mcmeta, .zdc, .dazip, .pst, .xpm, .t13, .apk, .xlgc, .wri, .odp, .dmp, .xbplate, .zip, .raw, .png, .xar, .py, .x, .syncdb, .wbmp, .mdbackup, .xlk, .zi, .forge, .wp4, .p7b, .epk, .sb, .wn, .zdb, .cas, .wdp, .wpw, .rofl, .mov, .xf, .xdl, .xxx, .hkdb, .wp5, .wsd, .wpd, .wb2, .eps, .mddata, .ws, .desc, .qic, .yml, .ppt, .wma, .pptm, .bc6, .sid, .upk, .accdb, .wotreplay, .pdf, .xll, .bay, .bik, .xx, .wbc, .gdb, .zif, .wbm, .xlsb, .wmv, .hvpl, .js, .layout, .pkpass, .jpg, .sidn, .csv, .xyw, .vfs0, .itl, .menu, .2bp, .crt, .0, .xlsx, .vdf, .txt, .cdr, .wp6, .iwi, .mlx, .das, .vpp_pc, .sie, .vpk, .m4a, .cfr, .psd, .wgz, .x3f, .qdf, .rwl, .docm, .sidd, .rgss3a, .bar, .kdb, .3ds, .ztmp, .mef, .svg, .mpqge, .webp, .pdd, .wpb, wallet, .3fr, .tor, .wsh, .wp7, .erf, .zw, .ff, .wp

All locked files become useless and get the .nelasod extension. Each folder containing encrypted files also contains a ransom-demanding message that informs the user about the presence of crypto malware on the PC and its destructive impact on the target files. The fraudsters tell each user that the affected files can be restored only by paying a ransom. After transferring the specified amount to the scammers, the user is supposed to receive a special key from them, which will help to decrypt the files affected by the Nelasod ransomware. If the money for the purchase of the decryption key is transferred to the online criminals within 72 hours, they are ready to give the user a discount of 50%.

Text presented in the ransom note (_readme.txt)

ATTENTION!
 
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-o7ClqIH7RS
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

 

Threat Summary

Name: Nelasod
Type: Crypto virus, Crypto malware, File locker, Ransomware, Filecoder
Encrypted files extension: .nelasod
Ransom note: _readme.txt
Contact: gorentos@bitmessage.ch
Ransom amount: $980/$490 in Bitcoins
Symptoms: All of your photos, documents and music have a different file extension appended to the filenames. Files named ‘_readme.txt’ or ‘_readme’ appear in each folder with at least one encrypted file.
Distribution ways: Phishing emails that are carefully created to trick a victim into opening an attachment or clicking on a link that contains a malicious file. Drive-by downloads (ransomware can infect the personal computer simply by visiting a web page that is running harmful code). Social media posts (they can be used to entice users to download malware with a built-in ransomware downloader or click a misleading link). Torrent websites.
Removal: To remove Nelasod ransomware use the removal guide
Decryption: To decrypt Nelasod ransomware use the steps

 

After reading this post, you will know how to deal with the Nelasod virus. It is important to remember that we cannot guarantee an absolute solution to all your Nelasod ransomware problems. We can offer a solution that might help. Nevertheless, this solution is worth your attention because there is still a possibility that it will help you delete the Nelasod ransomware virus and restore personal files that have been locked by it.

Quick links

  1. How to remove Nelasod ransomware virus
  2. How to decrypt .nelasod files
  3. Nelasod decryption tool
  4. How to restore .nelasod files
  5. How to protect your machine from Nelasod ransomware virus?
  6. To sum up

How to remove Nelasod ransomware virus

Before you start restoring documents, photos and music that have been encrypted, make sure the Nelasod crypto virus is not running. First, you need to uninstall this ransomware virus permanently. Luckily, there are several malicious software removal utilities that will effectively scan for and uninstall Nelasod ransomware and other crypto virus malware from your computer.



Remove Nelasod ransomware virus with Zemana Anti-Malware

Zemana Anti-Malware is a complete package of anti-malware tools that can help you remove the Nelasod ransomware virus. Despite so many features, it does not reduce the performance of your system. Zemana has the ability to remove almost all forms of ransomware, trojans, worms, adware, browser hijacker infections, potentially unwanted apps and other malware. Zemana Anti-Malware has real-time protection that can defeat most malware and ransomware. You can use Zemana Anti-Malware (ZAM) with any other antivirus without any conflicts.

  1. Click the link below to download the latest version of Zemana for MS Windows. Save it on your MS Windows desktop or in any other place.
    Zemana AntiMalware
  2. Once you have downloaded the installation file, double-click Zemana.AntiMalware.Setup. This will start the Zemana setup on your computer.
  3. Select installation language and click ‘OK’ button.
  4. On the next screen ‘Setup Wizard’ simply press the ‘Next’ button and follow the prompts.
    Zemana Free SetupWizard
  5. Finally, once the setup is done, Zemana Anti-Malware (ZAM) will open automatically. If it does not, double-click the Zemana Anti-Malware icon on your desktop.
  6. Now that you have successfully installed Zemana Free, let’s see how to use it to remove the Nelasod virus from your computer.
  7. After you have opened Zemana Free, you’ll see a window as shown below. Just click the ‘Scan’ button. The Zemana Anti-Malware (ZAM) utility will start scanning the whole computer to find ransomware.
  8. Now pay attention to the screen while Zemana scans your computer.
    Zemana locate Nelasod ransomware and other security threats
  9. After the system scan is done, Zemana Anti-Malware (ZAM) will open a list of detected threats. Review the report and then click ‘Next’ button.
    Zemana AntiMalware scan is done
  10. Zemana may require a computer reboot in order to complete the Nelasod virus removal procedure.
  11. If you want to permanently remove ransomware from your computer, then click ‘Quarantine’ icon, select all malware, adware, PUPs and other items and click Delete.
  12. Restart your system to complete the ransomware removal procedure.

Automatically remove Nelasod ransomware with MalwareBytes Free

We suggest using the MalwareBytes AntiMalware (MBAM). You can download and install MalwareBytes AntiMalware (MBAM) to locate and remove Nelasod virus from your computer. When installed and updated, this free malware remover automatically identifies and deletes all threats present on the PC.
MalwareBytes Anti Malware for Windows, scan for ransomware virus is done

  1. MalwareBytes Anti-Malware (MBAM) can be downloaded from the following link. Save it on your Desktop.
    Malwarebytes Anti-malware
  2. At the download page, click on the Download button. Your browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
  3. Once the downloading process is complete, please close all applications and open windows on your PC. Double-click on the icon that’s called mb3-setup.
  4. This will open the “Setup wizard” of MalwareBytes Free onto your PC. Follow the prompts and don’t make any changes to default settings.
  5. When the Setup wizard has finished installing, the MalwareBytes Free will run and display the main window.
  6. Next, click the “Scan Now” button to begin checking your PC system for the Nelasod crypto virus and other security threats. This procedure may take quite a while, so please be patient. While the utility is checking, you can see the count of objects and files that have already been scanned.
  7. When MalwareBytes has completed scanning, the results are displayed in the scan report.
  8. Make sure all threats have a checkmark and press the “Quarantine Selected” button. After the cleaning procedure is finished, you may be prompted to reboot the system.
  9. Close the Anti-Malware and continue with the next step.


Run KVRT to delete Nelasod ransomware

KVRT is a free removal tool that may be downloaded and run to uninstall crypto viruses, adware, malicious software, PUPs, toolbars and other threats from your PC. You can use this utility to look for threats even if you have an antivirus or any other security program.

Download Kaspersky virus removal tool (KVRT) from the following link. Save it on your MS Windows desktop or in any other place.

Kaspersky virus removal tool

When the download is done, double-click the KVRT icon. Once the initialization process is finished, you’ll see the Kaspersky virus removal tool screen as displayed below.

Kaspersky virus removal tool main window

Click Change Parameters and check the boxes next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to begin scanning your personal computer for the Nelasod crypto malware and other trojans and malicious programs. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your computer. During the scan KVRT will locate the threats that exist on your PC.

KVRT scanning

After the scan is finished, KVRT will open a scan report as shown below.

KVRT scan report

All detected threats will be marked. You can delete them all by simply clicking Continue to start the cleaning procedure.

How to decrypt .nelasod files

To date, there is no method to recover the affected personal files other than paying the ransom to the scammers. Developers are working on free Nelasod decryption tools that can recover these files, but there is no result yet, and it is not known when there will be.

Should you pay the ransom

Never pay the ransom! A victim who pays the ransom to the creators of the Nelasod ransomware virus cannot be completely sure of obtaining the special key, because they are dealing with unscrupulous and dishonest people who are ready to commit any immoral action, including disappearing after receiving the money from the user without providing a decryption utility (key) to restore access to the blocked personal files.

Files encrypted by Nelasod ransomware virus

It is not necessary to pay the attackers a large amount of money. The best option in case of infection by this ransomware virus is to archive the files that were encrypted by it until a Nelasod decryption utility becomes available. Later in this post you will find a useful tutorial on how to recover encrypted files for free.
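Archiving the encrypted files, as recommended above, starts with knowing where they are. The following script is an added example, not part of the original guide: it inventories files carrying the .nelasod extension and the ransom notes named in the Threat Summary, then copies them to a separate location without touching the originals. The function names `scan` and `archive` and the sample tree are hypothetical.

```python
import os
import shutil
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXT = ".nelasod"                  # extension from the Threat Summary
RANSOM_NOTES = {"_readme.txt", "_readme"}   # note names from the Threat Summary


@dataclass
class Inventory:
    encrypted: list = field(default_factory=list)    # paths of *.nelasod files
    notes: list = field(default_factory=list)        # paths of ransom notes
    original_types: Counter = field(default_factory=Counter)
    total_bytes: int = 0


def scan(root):
    """Walk root read-only and record encrypted files and ransom notes."""
    inv = Inventory()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if path.is_symlink():
                continue                     # do not follow links out of the tree
            if lower in RANSOM_NOTES:
                inv.notes.append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                inv.encrypted.append(path)
                inv.total_bytes += path.stat().st_size
                # "report.docx.nelasod" -> original type ".docx"
                original = Path(name[:-len(ENCRYPTED_EXT)]).suffix.lower()
                inv.original_types[original or "(none)"] += 1
    return inv


def archive(root, dest, inv):
    """Copy (never move) encrypted files and notes to dest, keeping relative paths."""
    root, dest = Path(root), Path(dest)
    root_r, dest_r = root.resolve(), dest.resolve()
    if dest_r == root_r or root_r in dest_r.parents:
        raise ValueError("archive destination must be outside the scanned tree")
    copied = 0
    for src in inv.encrypted + inv.notes:
        target = dest / src.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)            # copy2 preserves timestamps
        copied += 1
    return copied


if __name__ == "__main__":
    # Constructed sample tree, so the example runs without touching real data.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "user"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "report.docx.nelasod").write_bytes(b"\x00" * 10)
        (root / "docs" / "_readme.txt").write_text("constructed note")
        (root / "docs" / "clean.png").write_bytes(b"\x00")
        inv = scan(root)
        print(len(inv.encrypted), "encrypted,", len(inv.notes), "notes,",
              inv.total_bytes, "bytes,", dict(inv.original_types))
        print(archive(root, Path(tmp) / "archive", inv), "files archived")
```

Point `dest` at external or offline storage; the breakdown in `original_types` shows which kinds of documents were hit and helps decide what to look for first in backups or recovery output.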

Nelasod decryption tool

With some variants of Nelasod file virus, it is possible to decrypt encrypted files using free tools listed below.




Michael Gillespie (@) released the Nelasod decryption tool named STOPDecrypter. It can decrypt .Nelasod files if they were locked with one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the Twitter post for more info.


Nelasod decryption tool

STOPDecrypter is a program that can be used for Nelasod file decryption. One of the biggest advantages of STOPDecrypter is that it is free and easy to use. Its ‘OFFLINE KEYs’ DB is also updated constantly. Let’s see how to install STOPDecrypter and decrypt .Nelasod files using this free tool.

  1. Installing the STOPDecrypter is simple. First you will need to download STOPDecrypter on your Windows Desktop from the following link.
    download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
  2. After the download is done, close all applications and windows on your machine. Open the file location. Right-click the icon named STOPDecrypter.zip.
  3. Next, select ‘Extract all’ and follow the prompts.
  4. Once the extraction process is finished, run STOPDecrypter. Select Directory and press the Decrypt button.

If STOPDecrypter does not help you to decrypt .Nelasod files, in some cases you still have a chance to restore the files that were encrypted by the ransomware. This is possible with the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.

How to restore .nelasod files

In some cases, you can restore files encrypted by the Nelasod crypto virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted files.




Use ShadowExplorer to recover .nelasod files

A free utility named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7, Vista). You can recover documents, photos and music encrypted by the Nelasod crypto virus from Shadow Copies for free.

Visit the following page to download the latest version of ShadowExplorer for Windows. Save it on your Desktop.

ShadowExplorer

After the download is done, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder like the one below.

ShadowExplorer folder

Run the ShadowExplorer tool and then select the disk (1) and the date (2) of the shadow copy from which you want to restore the file(s) encrypted by the Nelasod ransomware, like the one below.

ShadowExplorer recover files encrypted by the Nelasod ransomware

Now navigate to the file or folder that you wish to restore. When ready, right-click it and press the ‘Export’ button like the one below.

ShadowExplorer recover file

Run PhotoRec to recover .nelasod files

Before a file is encrypted, the Nelasod ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your personal files using file recovery software such as PhotoRec.

Download PhotoRec on your Microsoft Windows Desktop from the link below.

PhotoRec

Once the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed on the screen below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Windows. It’ll show a screen as displayed below.

PhotoRec for windows

Select a drive to recover as on the image below.

photorec select drive

You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as shown in the figure below.

photorec choose partition

Click the File Formats button and specify the file types to recover. You can enable or disable the restore of certain file types. When this is done, press the OK button.

PhotoRec file formats

Next, press the Browse button to select where the restored personal files should be written, then click Search.

photorec

The count of recovered files is updated in real time. All recovered photos, documents and music are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.

When the restore is done, press the Quit button. Next, open the directory where the recovered documents, photos and music are stored. You will see contents as displayed in the following example.

PhotoRec - result of restore

All recovered documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, you can sort your restored files by extension and/or date/time.

How to protect your machine from Nelasod ransomware virus?

Most antivirus programs already have a built-in protection system against ransomware. Therefore, if your PC system does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert.

Run HitmanPro.Alert to protect your PC system from Nelasod ransomware

HitmanPro.Alert is a small security utility. It can check the system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.

Installing HitmanPro.Alert is simple. First you will need to download HitmanPro.Alert to your Microsoft Windows Desktop by clicking on the link below.

HitmanPro.Alert

When the download is complete, open the directory in which you saved it. You will see an icon like the one below.

HitmanPro.Alert file icon

Double-click the HitmanPro.Alert desktop icon. After the tool has started, you’ll see a window where you can select a level of protection, as displayed in the figure below.

HitmanPro.Alert install

Now click the Install button to activate the protection.

To sum up

Now your PC system should be clean of the Nelasod crypto virus. Delete MalwareBytes Anti-Malware (MBAM) and Kaspersky virus removal tool. We recommend that you keep Zemana Anti-Malware (to periodically scan your personal computer for new malware). Moreover, to prevent crypto virus infections, please stay clear of unknown and third-party applications, and make sure that the option to block or detect ransomware is turned on in your antivirus application.

If you need more help with Nelasod ransomware virus related issues, go here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
