IT security specialists discovered a new variant of ransomware which called ‘Nusar file virus‘. It appends the .nusar file extension to encrypted file names. Here’s everything you need to know about this ransomware, how to remove ‘Nusar file virus’ and how to restore (decrypt) encrypted photos, documents and music for free.
Files encrypted by .nusar virus
Nusar file virus is a malware which is created in order to encrypt files. It hijack a whole machine or its data and demand a ransom in order to unlock (decrypt) them. The developers of the Nusar ransomware have a strong financial motive to infect as many computers as possible. It is known to encrypt almost all file types, including files with extensions:
.mcmeta, .arch00, .kf, .bkf, .slm, .docm, .ysp, .desc, .mdf, .xar, .wpd, .ztmp, .xpm, .pef, .wp7, .itm, .qic, .indd, .icxs, .wma, .wp5, .dwg, .0, .zw, .csv, .wmv, .3dm, .kdc, .ltx, .wpt, .yal, .wmo, .wcf, .sidd, .wpe, .xf, .sr2, .xlsm, .cdr, .wav, .wma, .arw, .xy3, .wp6, .wotreplay, .map, .y, .odt, .mef, .wpw, .apk, .pfx, .wbc, .xmind, .p7b, .avi, .cfr, .accdb, .wdb, .re4, .fos, .m2, .wsd, .ws, .wdp, .srw, .webp, .vfs0, .png, .nrw, .x3f, .ppt, .ybk, .cas, .bkp, .bsa, .xbplate, .xll, .vtf, .vcf, .xld, .wb2, .syncdb, .xdb, .fsh, .xlsx, .dxg, .epk, .wpd, .rwl, .rar, .xlsb, .odb, .zabw, .pem, .mrwref, .sid, .mddata, .mlx, .wpg, .xyp, .erf, .wn, .xlk, .ncf, .das, .r3d, .sql, .wpa, .jpe, .wm, .bik, .snx, .1st, .cer, .bay, .gho, .js, .rb, .lbf, .xmmap, .lvl, .flv, .lrf, .m3u, .orf, .dba, .doc, .xlgc, .pptm, .xlsx, .pst, .rgss3a, .7z, .wp4, .wsc, .1, .iwd, .p7c, .x3d, .mdb, .xls, .zi, .pdf, .wri, .docx, .3fr, .dng, .rim, .zdb, .ptx, .iwi, .odc, .2bp, .jpg, .sb, .wbz, .z3d, .cr2, .der, .tax, .wbmp, .pptx, .odp, .mov, .xlsm, .dcr, .hplg, .wmv, .t13, .pkpass, .raw, .w3x, .menu, .bc6, .db0, .p12, .wot, .mp4, .wpb, .x3f, .pdd, .txt, .kdb, .wpl, .xxx, .xwp, .raf, .forge, .sie, .sav, .wps, .fpk, .xyw, .sis, .xml, .wbk, .z, .dazip, .xbdoc, wallet, .big, .mdbackup, .sidn, .wire, .t12, .wsh, .webdoc, .py, .litemod, .layout, .srf, .3ds, .css, .zif, .eps, .zip, .zdc, .hvpl, .hkx, .jpeg, .crt, .qdf, .pak, .upk, .ff, .itdb
Once a file is encrypted, its extension replaced to .nusar. Next, the ransomware drops a file named ‘_readme.txt’. This file contain a guidance on how to decrypt all encrypted photos, documents and music. You can see an one of the variants of the ransomnote below:
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-xHnpiAalxT Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: gorentos@bitmessage.ch
Threat Summary
| Name | Nusar |
| Type | Filecoder, Crypto malware, Crypto virus, File locker, Ransomware |
| Encrypted files extension | .nusar |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch |
| Ransom amount | $980 in Bitcoins |
| Symptoms | Your personal files fail to open. You get an error message like ‘Windows can’t open this file’, ‘How do you want to open this file’. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. Ransom note displayed on your desktop. |
| Distribution ways | Phishing emails that contain malicious attachments. Drive-by downloads from a compromised web-site. Social media, such as web-based instant messaging programs. Remote desktop protocol (RDP) hacking. |
| Removal | To remove Nusar ransomware use the removal guide |
| Decryption | To decrypt Nusar ransomware use the steps |
You can use our steps below to look for and uninstall Nusar ransomware virus from your machine as well as recover (decrypt) encrypted documents, photos and music for free.
Quick links
- How to remove Nusar ransomware
- How to decrypt .nusar files
- How to restore .nusar files
- How to protect your PC from Nusar crypto virus?
- Finish words
How to remove Nusar ransomware
Using a malicious software removal tool to scan for and uninstall ransomware hiding on your computer is probably the easiest way to remove Nusar file virus. We suggests the Zemana Anti-Malware (ZAM) program for MS Windows machines. MalwareBytes Anti Malware and Kaspersky virus removal tool are other anti-malware tools for Windows that offers a free malicious software removal.
How to remove Nusar ransomware virus with Zemana Free
Zemana AntiMalware (ZAM) is a free malware removal utility. Currently, there are two versions of the tool, one of them is free and second is paid (premium). The principle difference between the free and paid version of the tool is real-time protection module. If you just need to scan your computer for malicious software, delete Nusar crypto malware and other security threats, then the free version will be enough for you.
First, click the following link, then click the ‘Download’ button in order to download the latest version of Zemana Anti-Malware (ZAM).
164099 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After the downloading process is complete, close all applications and windows on your computer. Double-click the setup file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as on the image below, click the “Yes” button.
It will open the “Setup wizard” which will help you setup Zemana AntiMalware (ZAM) on your personal computer. Follow the prompts and do not make any changes to default settings.
Once install is finished successfully, Zemana Anti Malware (ZAM) will automatically start and you can see its main screen like below.
Now click the “Scan” button to perform a system scan for the Nusar crypto virus and other security threats. This task can take quite a while, so please be patient. When a threat is found, the count of the security threats will change accordingly.
After Zemana completes the scan, you’ll be displayed the list of all found items on your machine. Next, you need to click “Next” button. The Zemana Anti-Malware (ZAM) will begin to delete Nusar ransomware virus and other security threats. After finished, you may be prompted to reboot the system.
Automatically remove Nusar ransomware with MalwareBytes
Remove Nusar ransomware virus manually is difficult and often the crypto malware is not completely removed. Therefore, we suggest you to use the MalwareBytes that are fully clean your PC. Moreover, this free program will help you to delete malware, potentially unwanted software, worms and trojans that your personal computer may be infected too.
- Installing the MalwareBytes Anti Malware (MBAM) is simple. First you’ll need to download MalwareBytes Anti-Malware (MBAM) from the following link.
Malwarebytes Anti-malware
326454 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- At the download page, click on the Download button. Your internet browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
- After the download is done, please close all programs and open windows on your computer. Double-click on the icon that’s called mb3-setup.
- This will open the “Setup wizard” of MalwareBytes Anti Malware onto your PC system. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes AntiMalware will launch and open the main window.
- Further, click the “Scan Now” button to detect Nusar ransomware, other kinds of potential threats such as malicious software and trojans. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your system and the speed of your computer. While the tool is scanning, you can see how many objects and files has already scanned.
- As the scanning ends, MalwareBytes will produce a list of ransomware and malware.
- When you’re ready, press the “Quarantine Selected” button. Once the clean-up is complete, you may be prompted to restart the system.
- Close the AntiMalware and continue with the next step.
Video instruction, which reveals in detail the steps above.
Remove Nusar file virus with KVRT
If MalwareBytes anti malware or Zemana anti malware cannot remove this crypto virus, then we advises to run the KVRT. KVRT is a free removal utility for ransomware, adware software, trojans and worms.
Download Kaspersky virus removal tool (KVRT) from the following link.
129081 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the downloading process is finished, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you’ll see the KVRT screen like the one below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next press Start scan button to look for Nusar ransomware and other malware. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your PC. While the Kaspersky virus removal tool is checking, you may see how many objects it has identified either as being malicious software.
As the scanning ends, Kaspersky virus removal tool will display a list of detected items as displayed in the figure below.
Make sure all items have ‘checkmark’ and click on Continue to start a cleaning procedure.
How to decrypt .nusar files
The Nusar crypto virus uses a strong encryption algorithm with long key. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a solution because of the big length of the key. Therefore, unfortunately, the only payment to the makers of the Nusar crypto malware entire amount requested – the only method to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after pay a ransom to the authors of the Nusar crypto virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware.
Files encrypted by .nusar virus
With some variants of Nusar file virus, it is possible to decrypt encrypted files using free tools.
Michael Gillespie (@) released a free decryption tool named STOPDecrypter. STOPDecrypter can decrypt files if they were encrypted by one of the known OFFLINE KEY’s retrieved by Michael Gillespie.
Nusar decryption tool (STOPDecrypter)
STOPDecrypter is a program that can be used for Nusar files decryption. One of the biggest advantages of using STOPDecrypter is that is free and easy to use. Also, it constantly keeps updating its ‘OFFLINE KEYs’ DB. Let’s see how to install STOPDecrypter and decrypt .nusar files using this free tool.
- Installing the STOPDecrypter is simple. First you will need to download STOPDecrypter on your Microsoft Windows Desktop from the following link.
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip - After the downloading process is done, close all applications and windows on your machine. Open a file location. Right-click on the icon that’s named STOPDecrypter.zip.
- Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is finished, run STOPDecrypter. Select Directory and press Decrypt button.
If STOPDecrypter does not help you to decrypt .nusar files, in some cases, you have a chance to recover your files which were encrypted by ransomware. This is possible due to the use of the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .nusar files
In some cases, you can recover files encrypted by Nusar crypto virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted personal files.
Use shadow copies to recover .nusar files
In order to recover .nusar personal files encrypted by the Nusar ransomware from Shadow Volume Copies you can run a utility called ShadowExplorer. We suggest to use this solution as it is easier to find and restore the previous versions of the encrypted files you need in an easy-to-use interface.
Visit the following page to download the latest version of ShadowExplorer for Windows. Save it on your Desktop.
438801 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the downloading process is complete, extract the saved file to a directory on your PC system. This will create the necessary files such as the one below.
Start the ShadowExplorerPortable application. Now select the date (2) that you wish to restore from and the drive (1) you wish to restore files (folders) from like below.
On right panel navigate to the file (folder) you want to recover. Right-click to the file or folder and press the Export button as shown in the figure below.
And finally, specify a directory (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Recover .nusar files with PhotoRec
Before a file is encrypted, the Nusar crypto malware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file recover programs such as PhotoRec.
Download PhotoRec on your PC from the following link.
Once the download is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like the one below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll display a screen as displayed in the figure below.
Choose a drive to recover similar to the one below.
You will see a list of available partitions. Select a partition that holds encrypted files similar to the one below.
Click File Formats button and specify file types to restore. You can to enable or disable the recovery of certain file types. When this is complete, click OK button.
Next, click Browse button to choose where restored photos, documents and music should be written, then click Search.
Count of recovered files is updated in real time. All recovered photos, documents and music are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is finished, click on Quit button. Next, open the directory where recovered files are stored. You will see a contents as on the image below.
All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC from Nusar crypto virus?
Most antivirus programs already have built-in protection system against the crypto malware. Therefore, if your PC does not have an antivirus application, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Use HitmanPro.Alert to protect your machine from Nusar ransomware virus
All-in-all, HitmanPro.Alert is a fantastic tool to protect your personal computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows operating system from MS Windows XP to Windows 10.
Please go to the following link to download HitmanPro.Alert. Save it on your Microsoft Windows desktop.
After the downloading process is done, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. After the utility is started, you will be displayed a window where you can choose a level of protection, like below.
Now press the Install button to activate the protection.
Finish words
Now your computer should be free of the Nusar ransomware. Delete KVRT and MalwareBytes Anti-Malware (MBAM). We suggest that you keep Zemana (to periodically scan your machine for new malware). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to delete Nusar crypto virus from your system, then ask for help here.
