.Nacro file extension – How to remove virus, Restore, Decrypt .nacro files

Cyber threat analysts has received multiple reports of .Nacro extension infection. It is a new variant of ransomware that infects a machine, restricts user access to files, by encrypting them, until a ransom is paid to unlock (decrypt) them.

Similar to other ransomware, it is able to lock files such as documents, web application-related files, archives, movies, databases, drawings, including common as:

.xlsx, .wp6, .snx, .wsc, .wmf, .ff, .pdf, .itl, .esm, .apk, .p7b, .lvl, .wps, .iwi, .asset, .zip, .epk, .xyp, .wpd, .zip, .wbd, .ybk, .sie, .docm, .hvpl, .wm, .pptx, .wdb, .sav, .wp5, .wgz, .p7c, .sis, .crt, .xmmap, .pst, .css, .xbplate, .mef, .svg, .csv, .sql, .docx, .txt, .x3f, .big, .d3dbsp, .cfr, .xyw, .forge, .mdb, .vdf, .xmind, .odp, .wsh, .sb, .ysp, .xy3, .wpg, .xls, .py, .dba, .sidn, .kdc, .rofl, .sr2, .indd, .vfs0, .wma, .gdb, .odt, .webdoc, .ai, .xlgc, .cer, .ppt, .desc, .menu, .zabw, .dazip, .flv, .xar, .xlsb, .wot, .blob, .dmp, .zw, .wpa, .xxx, .rw2, .zdb, .hplg, .yml, .bc7, .vpk, .fsh, .ncf, .mddata, .3dm, .vpp_pc, .xlk, .sum, .eps, .accdb, .pak, .ltx, .0, .kf, .rim, .dng, .ws, .fos, .wmd, .der, .raw, .wp7, .wp4, .fpk, .rgss3a, .wbc, .kdb, .x3f, .ztmp, .y, .psd, .wmv, .wn, .xwp, .mrwref, .xbdoc, .upk, .xf, .wbmp, .qic, .t12, .tax, .db0, .pfx, .mpqge, .t13, .crw, .pem, .xld, .slm, .1, .z3d, .wma, .wsd, .odm, .1st, .itdb, .wmv, .mov, .mdbackup, .7z, .cr2, .mlx, .wav, .wbz, .jpe, .r3d, .gho, .bkf, .xlsm, .xll, .3fr, .sidd, .dxg, .p12, .rb, .nrw, .itm, .wb2, .map, .psk, .vcf, .odc, .wbk, .w3x, .mcmeta, .wcf, .cdr, .dwg, .odb, .ibank, .hkdb, .rwl, .das, .wdp, .avi, .png, .bsa, .layout, .yal, .ntl, .ptx, .arw, .zif, .vtf, .wri, .wotreplay, .2bp, .litemod, .mp4, .tor, .wpb, .dbf, .lbf, .xlsx, .x, .sid, .xls, .wpd, .m3u, .re4, .m4a, .xpm, .wpw, .bay, .xml, .wire, .3ds, .xx, .wpl, .rar, .wpe, .jpeg, wallet, .zi, .wp, .iwd, .zdc, .xdb, .orf, .qdf, .lrf, .icxs, .pef, .wps, .pdd, .srf, .dcr, .erf, .cas, .bar, .pptm, .z, .raf, .jpg, .arch00, .bik, .js

After all the documents, photos and music are encrypted and inaccessible to the victim, the Nacro virus will drop a ransom demanding message called ‘_readme.txt’ saying that if the victim want to get the data back, the user have to pay for the private and/or decryption tool.

ATTENTION!
 
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-Hy0BJyOtwx
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
 
 
To get this software you need write on our e-mail:
gorentos@bitmessage.ch
 
Reserve e-mail address to contact us:
gorentos2@firemail.cc
 
Your personal ID:

 

Threat Summary

Name	Nacro
Type	Crypto virus, File locker, Crypto malware, Ransomware, Filecoder
Encrypted files extension	.nacro
Ransom note	_readme.txt
Contact	gorentos@bitmessage.ch, gorentos2@firemail.cc
Ransom amount	$980 in Bitcoins
Symptoms	Documents, photos and music won’t open. Your files have new extension appended at the end of the file name. Your file directories contain a ‘ransom note’ file that is usually a .txt file.
Distribution methods	Email attachments. Exploit kits (cybercriminals use ransomware packaged in an ‘exploit kit’ that can find a vulnerability in PDF reader, Web browser, Windows OS, Adobe Flash Player). Social media posts (they can be used to trick users to download malicious software with a built-in ransomware downloader or click a suspicious link). Malicious web-sites.
Removal	To remove Nacro ransomware use the removal guide
Decryption	To decrypt Nacro ransomware use the steps

 

Quick links

1. How to remove Nacro ransomware virus
2. How to decrypt .nacro files
3. How to restore .nacro files

How to remove Nacro ransomware virus

Malware removal utilities are pretty useful when you think your PC system is infected by crypto malware. Below we will discover best utilities which can search for and delete Nacro ransomware virus from your system.

How to remove Nacro with Zemana Anti-Malware

Zemana is one of the best in its class, it can search for and uninstall a ton of of different security threats, including spyware, worms, adware, ransomware virus, trojans and malware that masqueraded as legitimate computer applications. Also Zemana Free includes another utility called FRST – is a helpful application for manual removal of files and parts of the Windows registry created by ransomware.

Visit the page linked below to download the latest version of Zemana AntiMalware for Microsoft Windows. Save it to your Desktop.

After the download is finished, close all applications and windows on your personal computer. Double-click the install file named Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up like below, click the “Yes” button.

It will open the “Setup wizard” that will help you set up Zemana AntiMalware on your system. Follow the prompts and do not make any changes to default settings.

Once install is done successfully, Zemana Anti-Malware will automatically start and you can see its main screen as shown in the figure below.

Now click the “Scan” button to perform a system scan for the Nacro ransomware virus and other security threats. A system scan can take anywhere from 5 to 30 minutes, depending on your PC system. While the Zemana Free is checking, you can see how many objects it has identified either as being malware.

Once the scan get finished, you will be displayed the list of all found items on your PC. Make sure all items have ‘checkmark’ and click “Next” button. The Zemana Free will remove Nacro crypto malware related folders,files and registry keys and move threats to the program’s quarantine. After disinfection is finished, you may be prompted to reboot the PC.

Remove Nacro ransomware virus with MalwareBytes

If you’re having problems with the Nacro ransomware virus removal, then download MalwareBytes. It is free for home use, and identifies and removes various unwanted apps that attacks your computer or degrades personal computer performance. MalwareBytes Free can uninstall adware, potentially unwanted programs as well as malicious software, including ransomware and trojans.

1. Download MalwareBytes Free on your Microsoft Windows Desktop from the link below.
   
   

   Malwarebytes Anti-malware
   327226 downloads
   Author: Malwarebytes
   Category: Security tools
   Update: April 15, 2020
   
2. At the download page, click on the Download button. Your internet browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
3. When the downloading process is done, please close all programs and open windows on your computer. Double-click on the icon that’s called mb3-setup.
4. This will open the “Setup wizard” of MalwareBytes Anti-Malware (MBAM) onto your PC system. Follow the prompts and don’t make any changes to default settings.
5. When the Setup wizard has finished installing, the MalwareBytes AntiMalware will start and open the main window.
6. Further, click the “Scan Now” button to scan for Nacro crypto malware and other security threats. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your PC system and the speed of your machine. While the MalwareBytes AntiMalware (MBAM) is scanning, you can see how many objects it has identified either as being malware.
7. Once the scan is finished, MalwareBytes Anti Malware will show a screen that contains a list of malicious software that has been found.
8. Make sure to check mark the items that are unsafe and then click the “Quarantine Selected” button. After finished, you may be prompted to restart the machine.
9. Close the Anti-Malware and continue with the next step.

Video instruction, which reveals in detail the steps above.

If the problem with Nacro is still remained

The KVRT utility is free and easy to use. It can scan and uninstall crypto malware like Nacro, malware, PUPs and adware in Google Chrome, Internet Explorer, Firefox and Microsoft Edge web-browsers and thereby revert back their default settings (startpage, default search engine and newtab). KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the personal computer.

Download Kaspersky virus removal tool (KVRT) on your MS Windows Desktop from the following link.

Once the downloading process is done, double-click on the KVRT icon. Once initialization process is done, you’ll see the KVRT screen as displayed in the following example.

Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to detect Nacro crypto malware . Depending on your computer, the scan may take anywhere from a few minutes to close to an hour. While the utility is scanning, you can see how many objects and files has already scanned.

As the scanning ends, Kaspersky virus removal tool will produce a list of unwanted software and crypto virus as on the image below.

Make sure to check mark the items which are unsafe and then press on Continue to begin a cleaning procedure.

How to decrypt .nacro files

With some variants of Nacro ransomware, it is possible to decrypt encrypted files using free tools listed below.

Michael Gillespie (@) released the Nacro decryption tool named STOPDecrypter. It can decrypt .Nacro files if they were locked by one of the known OFFLINE KEY’s retrieved by Michael Gillespie. Please check the twitter post for more info.

STOPDecrypter is a program that can be used for Nacro files decryption. One of the biggest advantages of using STOPDecrypter is that is free and easy to use. Also, it constantly keeps updating its ‘OFFLINE KEYs’ DB. Let’s see how to install STOPDecrypter and decrypt .Nacro files using this free tool.

1. Installing the STOPDecrypter is simple. First you will need to download STOPDecrypter on your Windows Desktop from the following link.
   download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
2. After the downloading process is done, close all applications and windows on your machine. Open a file location. Right-click on the icon that’s named STOPDecrypter.zip.
3. Further, select ‘Extract all’ and follow the prompts.
4. Once the extraction process is finished, right click on STOPDecrypter, choose ‘Run as Admininstrator’. Select Directory and press Decrypt button.

If STOPDecrypter does not help you to decrypt .Nacro files, in some cases, you have a chance to restore your files, which were encrypted by ransomware. This is possible due to the use of the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.

How to restore .nacro files

In some cases, you can restore files encrypted by Nacro crypto virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.

Recover .nacro encrypted files using Shadow Explorer

In order to recover .nacro files encrypted by the Nacro crypto malware from Shadow Volume Copies you can run a utility called ShadowExplorer. We suggest to use this method as it is easier to find and restore the previous versions of the encrypted files you need in an easy-to-use interface.

Download ShadowExplorer from the link below. Save it to your Desktop so that you can access the file easily.

Once downloading is finished, extract the saved file to a directory on your computer. This will create the necessary files as displayed below.

Start the ShadowExplorerPortable program. Now select the date (2) that you wish to recover from and the drive (1) you want to restore files (folders) from as shown on the screen below.

On right panel navigate to the file (folder) you want to recover. Right-click to the file or folder and click the Export button like below.

And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.

Use PhotoRec to recover .nacro files

Before a file is encrypted, the Nacro ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your files using file restore applications such as PhotoRec.

Download PhotoRec by clicking on the link below. Save it to your Desktop.

Once the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed on the screen below.

Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll open a screen as shown on the image below.

Select a drive to recover as shown on the image below.

You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music like below.

Click File Formats button and choose file types to recover. You can to enable or disable the restore of certain file types. When this is complete, click OK button.

Next, click Browse button to choose where restored files should be written, then click Search.

Count of restored files is updated in real time. All recovered documents, photos and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.

When the restore is finished, press on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as on the image below.

All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your restored files by extension and/or date/time.