Security professionals discovered a new variant of Vengisto@firemail.cc ransomware, which called ‘Norvas ransomware‘. It appends the .norvas file extension to encrypted file names. This post will provide you a brief summary of information related to this ransomware virus and how to recover (decrypt) encrypted photos, documents and music for free.
Norvas ransomware is a variant of crypto viruses. It affects all current versions of Microsoft Windows OS like the Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP. This ransomware uses a hybrid encryption mode to eliminate the possibility of brute force a key that will allow to decrypt encrypted documents, photos and music. The .Norvas ransomware virus encrypts almost of files, including common as:
.avi, .png, .vpp_pc, .wsd, .sis, .sidn, .pak, .m2, .vdf, .2bp, .odt, .wbd, .txt, .big, .wb2, .wps, .bkf, .zip, .xar, .wp4, .wpa, .mlx, .ff, .crw, .ods, .wpw, .sie, .odm, .iwd, .ws, .xdl, .bc7, .das, .wps, .upk, .svg, .wire, .pdf, .zabw, .ztmp, .lvl, .xlsm, .y, .dazip, .xy3, .xmmap, .rb, .wpg, .pfx, .ibank, .x3f, .yml, .xyp, .hvpl, .wbk, .sql, .zdb, .raw, .xyw, .dcr, .srf, .wma, .rw2, .rtf, .erf, .dbf, .js, .odc, .ptx, .zw, .mp4, .gdb, .re4, .wmo, .webp, .arch00, .wbc, .ppt, .itdb, .wpb, .wp5, .arw, .r3d, .xml, .xlsm, .x3f, .wsh, .ybk, .esm, .flv, .tax, .jpeg, .z3d, .w3x, .3fr, .dwg, .wpd, .t13, .ai, wallet, .lbf, .mddata, .wcf, .x, .wpe, .map, .mcmeta, .icxs, .psd, .xls, .fpk, .zdc, .raf, .rar, .kf, .wmv, .pdd, .rim, .odb, .ncf, .7z, .bc6, .orf, .sav, .mdb, .m3u, .wbm, .cdr, .syncdb, .mdbackup, .jpg, .psk, .m4a, .bkp, .doc, .xls, .docx, .gho, .wsc, .wmf, .wpd, .rofl, .fsh, .crt, .wav, .wgz, .sb, .ntl, .xwp, .pkpass, .dng, .kdc, .xbdoc, .xbplate, .pem, .webdoc, .xlk, .hplg, .bsa, .p12, .xmind, .zi, .indd, .der, .vfs0, .mov, .layout, .xlgc, .dmp, .xll, .iwi, .d3dbsp, .eps, .qdf, .xx, .dxg, .wdp, .xpm, .vcf, .bik, .p7b, .wmv, .wbz, .cer, .wotreplay, .mpqge, .wbmp, .wn, .itl, .epk, .wdb, .blob, .xlsx, .apk, .kdb, .wri, .pst, .ysp, .wp7, .wpt, .sum, .litemod, .sid, .wp, .wmd, .wp6, .z
When the ransomware virus encrypts a file, it will append the .norvas extension to every encrypted file. Once the ransomware finished enciphering of all files, it will create a file called “_readme.txt” with ransom instructions on how to decrypt all documents, photos and music. An example of the ransomnote is:
Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-pPLXOv9XTI Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
The guidance will assist you to remove .Norvas ransomware. What is more, the few simple steps below will help you recover (decrypt) encrypted documents, photos and music for free.
Table of contents
- How to remove .Norvas ransomware
- How to decrypt .norvas files
- Use STOPDecrypter to decrypt .norvas files
- How to restore .norvas files
- How to protect your computer from .Norvas ransomware virus?
- To sum up
How to remove .Norvas ransomware
Before you start the process of restoring documents, photos and music that has been encrypted, make sure .Norvas ransomware virus is not running. Firstly, you need to get rid of this ransomware permanently. Thankfully, there are several malicious software removal utilities which will effectively scan for and remove .Norvas ransomware virus and other crypto virus malicious software from your machine.
Remove .Norvas ransomware with Zemana Anti-malware
Zemana Anti-Malware can detect all kinds of malicious software, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the .Norvas ransomware, you can easily and quickly delete it.
Please go to the following link to download the latest version of Zemana Free for Microsoft Windows. Save it to your Desktop so that you can access the file easily.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once the downloading process is complete, close all software and windows on your machine. Open a directory in which you saved it. Double-click on the icon that’s called Zemana.AntiMalware.Setup as displayed below.
When the setup starts, you will see the “Setup wizard” that will help you install Zemana on your system.
Once install is finished, you will see window as on the image below.
Now press the “Scan” button . Zemana AntiMalware application will scan through the whole computer for the .Norvas ransomware and other malicious software and potentially unwanted software. Depending on your PC system, the scan can take anywhere from a few minutes to close to an hour. When a threat is found, the count of the security threats will change accordingly.
Once the system scan is finished, a list of all items found is created. In order to get rid of all threats, simply click “Next” button.
The Zemana will start to remove .Norvas ransomware virus and other kinds of potential threats such as malware and trojans.
Remove Norvas ransomware with MalwareBytes Anti-Malware (MBAM)
If you are having problems with the Norvas ransomware removal, then download MalwareBytes. It is free for home use, and identifies and deletes various unwanted software that attacks your PC system or degrades PC system performance. MalwareBytes Anti Malware can remove adware, PUPs as well as malicious software, including ransomware and trojans.
- Click the following link to download the latest version of MalwareBytes for Microsoft Windows. Save it on your Desktop.
Category: Security tools
Update: July 25, 2019
- At the download page, click on the Download button. Your internet browser will display the “Save as” prompt. Please save it onto your Windows desktop.
- When downloading is finished, please close all applications and open windows on your personal computer. Double-click on the icon that’s named mb3-setup.
- This will launch the “Setup wizard” of MalwareBytes Free onto your computer. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes Free will open and display the main window.
- Further, press the “Scan Now” button . MalwareBytes AntiMalware (MBAM) utility will start scanning the whole computer to find out Norvas ransomware virus related files, folders and registry keys. This task can take quite a while, so please be patient. When a malware, adware or potentially unwanted apps are detected, the count of the security threats will change accordingly.
- When the scan is complete, a list of all threats detected is created.
- All detected items will be marked. You can remove them all by simply click the “Quarantine Selected” button. Once that process is finished, you may be prompted to restart the PC system.
- Close the Anti-Malware and continue with the next step.
Video instruction, which reveals in detail the steps above.
If the problem with .Norvas ransomware virus is still remained
KVRT is a free removal tool which can scan your machine for a wide range of security threats like ransomware, worms, trojans as well as other malware. It will perform a deep scan of your computer including hard drives and Windows registry. After a malicious software is found, it will help you to get rid of all detected threats from your PC by a simple click.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop from the following link.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After downloading is done, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is done, you will see the Kaspersky virus removal tool screen as shown below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button . Kaspersky virus removal tool tool will begin scanning the whole computer to find out .Norvas ransomware virus . This process may take quite a while, so please be patient.
After the system scan is complete, KVRT will open a list of found threats as shown on the screen below.
Review the report and then click on Continue to begin a cleaning task.
How to decrypt .norvas files
The encryption algorithm is so strong that it is practically impossible to decrypt .norvas files without the actual encryption key. The bad news is that the only way to get your files back is to pay ($490 – $980 in Bitcoins) authors of the .Norvas ransomware virus for a copy of the private (encryption) key.
If your photos, documents and music have been locked by the .Norvas ransomware, We suggests: do not to pay the ransom. If this malicious software make money for its authors, then your payment will only increase attacks against you. Of course, decryption without the private key is not feasible, but that does not mean that the .Norvas ransomware must seriously disrupt your live.
Use STOPDecrypter to decrypt .norvas files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.norvas).
Please check the twitter post for more info.
How to restore .norvas files
In some cases, you can restore files encrypted by .Norvas ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Restore .norvas encrypted files using Shadow Explorer
An alternative is to recover .norvas photos, documents and music from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing photos, documents and music that were damaged by .Norvas ransomware. The guide below will give you all the details.
Visit the page linked below to download ShadowExplorer. Save it on your Windows desktop.
Category: Security tools
Update: September 15, 2019
Once downloading is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown in the following example.
Double click ShadowExplorerPortable to start it. You will see the a window as shown in the figure below.
In top left corner, choose a Drive where encrypted photos, documents and music are stored and a latest restore point as shown below (1 – drive, 2 – restore point).
On right panel look for a file that you want to recover, right click to it and select Export as displayed on the screen below.
Restore .norvas files with PhotoRec
Before a file is encrypted, the .Norvas ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your personal files using file recover applications such as PhotoRec.
Download PhotoRec from the following link. Save it to your Desktop so that you can access the file easily.
Category: Security tools
Update: March 1, 2018
When the download is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown in the figure below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll open a screen as shown in the figure below.
Choose a drive to recover as displayed on the image below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as on the image below.
Click File Formats button and specify file types to restore. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.
Next, click Browse button to choose where recovered files should be written, then press Search.
Count of restored files is updated in real time. All restored personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is finished, click on Quit button. Next, open the directory where recovered personal files are stored. You will see a contents like below.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your computer from .Norvas ransomware virus?
Most antivirus programs already have built-in protection system against the ransomware virus. Therefore, if your PC does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Run HitmanPro.Alert to protect your system from .Norvas ransomware virus
HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Installing the HitmanPro Alert is simple. First you will need to download HitmanPro Alert on your Windows Desktop from the link below.
Category: Security tools
Update: March 6, 2019
When the download is finished, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. When the tool is started, you will be shown a window where you can select a level of protection, as displayed in the figure below.
Now click the Install button to activate the protection.
To sum up
After completing the steps outlined above, your system should be clean from .Norvas ransomware virus and other malicious software. Your computer will no longer encrypt your photos, documents and music. Unfortunately, if the step-by-step tutorial does not help you, then you have caught a new ransomware virus, and then the best way – ask for help here.