What is a Nasoh file? A file with the .nasoh extension is a file that has been locked by Nasoh ransomware which similar to other ransomware (such as Coharos and Mtogas). These security threats are also known as crypto viruses that use a strong encryption method in order to lock users’ files. It’s not possible to open the files by simply changing the file extension. The documents, photos and music will be unlocked only if victims pay for the special code key that will unlock these files.
The Nasoh virus was developed by attackers to lock various files on the user’s computer, using a hybrid encryption mode, that makes it impossible for the user to independently unlock the locked personal files that have received .nasoh extension. The files that will be encrypted include the following file extensions:
.csv, .xxx, .crw, .ztmp, .gho, .wbc, .ods, .rofl, .das, .txt, .1, .wmf, .rar, .psk, .p7b, .rwl, .m2, .apk, .lvl, .wsc, .snx, .webp, .pfx, .xlsx, .bc6, .rim, .sid, .svg, .2bp, .3fr, .wps, .lbf, .wbk, .ysp, .xlsm, .litemod, .avi, .ntl, .wmv, .dwg, .wbd, .odt, .orf, .wotreplay, .qic, .7z, .wb2, .vtf, .dmp, .arw, .cas, .wot, .xmind, .docx, .wsh, .odp, .itdb, .pptx, .sidd, .vpp_pc, .fsh, .d3dbsp, .xy3, .xlsm, .sis, .wpb, .jpg, .wpa, .z3d, .forge, .ai, .pdd, .ltx, .bkp, .mpqge, .wps, .webdoc, .xx, .desc, .pst, .xmmap, .wp, .cr2, .wsd, .x3f, .xlsb, .wbmp, .raw, .mrwref, .mp4, .pem, .sav, .vfs0, .xdb, .xpm, .ibank, .cer, .blob, .1st, .slm, .nrw, .wpl, .odm, .xls, .xlk, .hkx, .sidn, .mdb, .xlsx, .xml, .xyp, .re4, .kdb, .xyw, .wgz, .cdr, .erf, .pkpass, .xll, .itm, .wbm, wallet, .m4a, .xlgc, .flv, .sb, .dazip, .vpk, .yml, .m3u, .srw, .wmo, .zif, .ncf, .accdb, .bar, .zdc, .qdf, .lrf, .x3f, .x, .fpk, .der, .ybk, .dba, .rb, .wpw, .bay, .zip, .mcmeta, .ff, .syncdb, .wmd, .pdf, .mef, .ppt, .wma, .r3d, .docm, .rw2, .y, .layout, .0, .icxs, .wp4, .xf, .kdc, .wdp, .wpg, .dxg, .xwp, .vcf, .yal, .dng, .xbplate, .indd, .tax, .gdb, .zdb, .rtf, .wp5, .p12, .wcf, .bik, .srf, .rgss3a, .upk, .3ds, .cfr, .raf, .wp7, .wdb, .wpd, .pptm, .odb, .itl, .big, .xld, .menu, .dbf, .css, .mlx, .wma, .mddata, .wpd, .wn, .psd, .sie, .wri, .xbdoc, .doc, .wire, .sql, .epk, .esm, .mov, .wm, .ws, .jpeg, .pef, .wpt
All encrypted files become useless and get the .nasoh extension and each directory containing the affected files contains a ransom demanding message informing the user about the presence of crypto malware in the PC and its destructive impact on the target files. The online criminals inform each victim that he has the ability to decrypt locked files only paying a ransom. After transferring the specified amount to cyber criminals, the user will receive a unique code key from them, which will allow to unlock files affected by the Nasoh ransomware virus. If the money for the purchase of a key for decrypting files will be transferred to the cyber criminals within 72 (48) hours, they are ready to give the user a discount of 50%.
Threat Summary
Name | Nasoh |
Type | File locker, Ransomware, Filecoder, Crypto virus, Crypto malware |
Encrypted files extension | .nasoh |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch |
Ransom amount | $980,$490 in Bitcoins |
Symptoms | Encrypted photos, documents and music. Your documents, photos and music have odd extension appended at the end of the file name. Files named such as ‘_readme.txt’, or ‘_readme” in every folder with an encrypted file. |
Distribution methods | Spam mails that contain malicious links. Drive-by downloads from a compromised web page. Social media, such as web-based instant messaging programs. Remote desktop protocol (RDP) hacking. |
Removal | To remove Nasoh ransomware use the removal guide |
Decryption | To decrypt Nasoh ransomware use the steps |
In the steps below, I have outlined few methods that you can use to remove Nasoh from your machine and restore (decrypt) .nasoh files from a shadow volume copies or using file recover software.
Quick links
- How to remove Nasoh ransomware
- How to decrypt .nasoh files
- How to restore .nasoh files
- How to protect your personal computer from Nasoh ransomware?
How to remove Nasoh ransomware
Malware removal utilities are pretty effective when you think your system is infected by ransomware virus. Below we will discover best tools which be able to search for and uninstall Nasoh crypto virus from your personal computer.
Remove Nasoh ransomware virus with Zemana Anti Malware
Zemana Free is a program that is used for malicious software, worms, spyware, ransomware, adware software, trojans and other security threats removal. The program is one of the most efficient antimalware utilities. It helps in crypto virus removal and and defends all other types of malicious software. One of the biggest advantages of using Zemana is that is easy to use and is free. Also, it constantly keeps updating its virus/malware signatures DB. Let’s see how to install and scan your computer with Zemana in order to remove Nasoh ransomware virus from your computer.
Download Zemana Free on your system from the link below.
164112 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the download is complete, close all windows on your computer. Further, open the install file called Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as displayed in the following example, click the “Yes” button.
It will display the “Setup wizard” which will allow you install Zemana Free on the computer. Follow the prompts and do not make any changes to default settings.
Once install is done successfully, Zemana Free will automatically start and you can see its main window like below.
Next, press the “Scan” button . Zemana AntiMalware (ZAM) application will scan through the whole computer for the Nasoh ransomware virus related folders,files and registry keys. While the Zemana Free program is scanning, you can see count of objects it has identified as threat.
When Zemana Anti-Malware has finished scanning your system, you’ll be shown the list of all detected items on your computer. You may remove threats (move to Quarantine) by simply press “Next” button.
The Zemana Free will delete Nasoh crypto virus, other kinds of potential threats like malware and trojans and move threats to the program’s quarantine. When finished, you can be prompted to restart your system.
How to automatically remove Nasoh with MalwareBytes
Manual Nasoh ransomware removal requires some computer skills. Some files and registry entries that created by the crypto virus can be not fully removed. We advise that run the MalwareBytes Anti-Malware (MBAM) that are completely clean your PC of ransomware virus. Moreover, this free application will allow you to uninstall malware, PUPs, adware software and toolbars that your PC may be infected too.
- MalwareBytes can be downloaded from the following link. Save it on your Microsoft Windows desktop or in any other place.
Malwarebytes Anti-malware
326462 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- When downloading is done, close all apps and windows on your PC. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup.
- Further, press Next button and follow the prompts.
- Once setup is complete, press the “Scan Now” button . MalwareBytes Anti-Malware (MBAM) program will scan through the whole personal computer for the Nasoh crypto virus, other kinds of potential threats such as malicious software and trojans. Depending on your PC system, the scan may take anywhere from a few minutes to close to an hour. While the utility is scanning, you can see how many objects and files has already scanned.
- Once the scan get finished, MalwareBytes will show you the results. Review the report and then press “Quarantine Selected”. After disinfection is done, you can be prompted to restart your computer.
The following video offers a guide on how to delete browser hijacker infections, adware software and other malware with MalwareBytes Anti-Malware (MBAM).
Scan your PC and uninstall Nasoh ransomware with KVRT
KVRT is a free portable application that scans your computer for adware, potentially unwanted apps and crypto malwares like Nasoh and allows delete them easily. Moreover, it’ll also help you remove any harmful web-browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) from the link below.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the downloading process is done, double-click on the KVRT icon. Once initialization procedure is done, you will see the KVRT screen as displayed in the figure below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan for the Nasoh ransomware and other malware. A system scan can take anywhere from 5 to 30 minutes, depending on your machine. When a malicious software, adware or PUPs are detected, the number of the security threats will change accordingly. Wait until the the checking is finished.
Once KVRT has completed scanning your PC, the results are displayed in the scan report like the one below.
In order to delete all items, simply click on Continue to start a cleaning task.
How to decrypt .nasoh files
With some variants of Nasoh ransomware virus, it is possible to decrypt encrypted files using free tools listed below.
Michael Gillespie (@) released the Nasoh decryption tool named STOPDecrypter. It can decrypt .Nasoh files if they were locked by one of the known OFFLINE KEY’s retrieved by Michael Gillespie. Please check the twitter post for more info.
STOPDecrypter is a program that can be used for Nasoh files decryption. One of the biggest advantages of using STOPDecrypter is that is free and easy to use. Also, it constantly keeps updating its ‘OFFLINE KEYs’ DB. Let’s see how to install STOPDecrypter and decrypt .Nasoh files using this free tool.
- Installing the STOPDecrypter is simple. First you will need to download STOPDecrypter on your Windows Desktop from the following link.
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip - After the downloading process is done, close all applications and windows on your machine. Open a file location. Right-click on the icon that’s named STOPDecrypter.zip.
- Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is finished, right click on STOPDecrypter, choose ‘Run as Admininstrator’. Select Directory and press Decrypt button.
If STOPDecrypter does not help you to decrypt .Nasoh files, in some cases, you have a chance to restore your files, which were encrypted by ransomware. This is possible due to the use of the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .nasoh files
In some cases, you can restore files encrypted by Nasoh ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Use shadow copies to restore .nasoh files
In order to restore .nasoh files encrypted by the Nasoh crypto virus from Shadow Volume Copies you can use a tool called ShadowExplorer. We recommend to use this solution as it is easier to find and recover the previous versions of the encrypted files you need in an easy-to-use interface.
Installing the ShadowExplorer is simple. First you will need to download ShadowExplorer by clicking on the following link. Save it to your Desktop so that you can access the file easily.
438819 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the download is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder like below.
Run the ShadowExplorer utility and then select the disk (1) and the date (2) that you want to recover the shadow copy of file(s) encrypted by the Nasoh ransomware virus as shown in the figure below.
Now navigate to the file or folder that you want to recover. When ready right-click on it and press ‘Export’ button as shown in the following example.
Recover .nasoh files with PhotoRec
Before a file is encrypted, the Nasoh crypto virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file recover software like PhotoRec.
Download PhotoRec on your Windows Desktop from the link below.
Once the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the figure below.
Double click on qphotorec_win to run PhotoRec for Windows. It will display a screen like the one below.
Select a drive to recover such as the one below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as on the image below.
Click File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is done, click OK button.
Next, press Browse button to select where recovered documents, photos and music should be written, then click Search.
Count of recovered files is updated in real time. All recovered photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the restore is finished, click on Quit button. Next, open the directory where restored photos, documents and music are stored. You will see a contents such as the one below.
All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your personal computer from Nasoh ransomware?
Most antivirus applications already have built-in protection system against the ransomware virus. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Run HitmanPro.Alert to protect your system from Nasoh crypto malware
HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
First, visit the page linked below, then press the ‘Download’ button in order to download the latest version of HitmanPro.Alert.
When the downloading process is finished, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the tool is opened, you will be shown a window where you can choose a level of protection, as displayed in the figure below.
Now press the Install button to activate the protection.
To sum up
Now your personal computer should be clean of the Nasoh crypto malware. Remove MalwareBytes Free and Kaspersky virus removal tool. We suggest that you keep Zemana (to periodically scan your PC for new malicious software). Moreover, to prevent crypto virus, please stay clear of unknown and third party software, make sure that your antivirus program, turn on the option to block or look for ransomware.
If you need more help with Nasoh crypto malware related issues, go to here.
No keys were found for the following IDs: [*] ID: zWjJfBbOOI18hC5PG4UupND2E80pCXLmj6Y0Z2Y7 (.nasoh ) Please archive these IDs and the following MAC addresses in case of future decryption: [*] MACs: 50:46:5D:09:A8:A5 ————————————————-THIS IS WHAT SAY MY STOPdescrypter !! P.s – i have 1 original file too if it will help with something.. i sent to them and they descrypted this 1 file.. so i can send if need. << write to me answer somebody