The first victims of a new version of the STOP ransomware were discovered by Michael Gillespie (link). STOP newest variant has a few minor changes and appends the .Nols file extension to the files it encrypts.
The new variant has version number 173 (v0173) and continues the series of ransomware, which includes Leto, Bora, Reco and many others. Unfortunately, like the other latest versions of this ransomware, there is still no universal way to decrypt encrypted files. However, in some cases it will be possible to decrypt the encrypted files or restore them to their original state. About this, as well as how to remove Nols and protect your computer from ransomware in the article below.
What is Nols ransomware
Nols ransomware is the newest version of the STOP ransomware, which appends the .nols extension to each file that it encrypts using a complex encryption mechanism. As its previous variants, it uses the same distribution methods (adware, cracks, key generators and so on). Upon execution, Nols starts working in the background immediately. First of all, the ransomware creates a new directory in which it places its copy, and then configures the Windows so that it starts automatically every time the computer is turned on. The ransomware uses this mechanism to continue encrypting files if it was interrupted by turning off or restarting the computer. Further, Nols contacts the control server to send information about the infected computer and receive additional commands. The ransomware can also download other malware and execute it.
After all the preparatory steps are completed, Nols proceeds to the main thing, it begins to encrypt files. During the encryption process, the ransomware skips files that have the following extension or file name: .sys, .bat, .dll, .lnk, .ini, _readme.txt. In addition to the fact that the ransomware does not encrypt files with some extensions, it also does not encrypt files that are located in some important system folders, for example: %AppDataLocal%, %Application Data%, %Windows%, %Program Files%. Almost all remaining files will be encrypted.
All files will be encrypted, regardless of where they are located, on the local disk or on a network-connected disk. Nols encrypts the data file by file, after the file is encrypted, it changes its name, adding the ‘.nols’ extension. This means that the file that had been named ‘photo.jpg’ before encryption, after being encrypted, will be renamed to ‘photo.jpg.nols’. The ransomware encrypts files directory by directory. In each directory where the files were encrypted, it places a file with the name ‘_readme.txt’. The contents of such a file are shown below.
This file is a ransom demand message. In this message, the criminals report that the user’s files were encrypted and the only way to decrypt them is to pay a ransom of $980. If the ransom is paid within 72 hours, the attackers give a 50% discount. To remain as anonymous as possible, Nols authors do not provide any information on how to pay the ransom. The only thing they say is that in order to decrypt the files, the victim must write them an email letter. This email must contain the Personal ID. Although the attackers offer to send them one small file to check the possibility of decryption, this does not automatically mean that after receiving the ransom, they will send a working key that will decrypt all encrypted files.
Threat Summary
Name | Nols |
Type | Ransomware, Filecoder, File locker, Crypto malware, Crypto virus |
Encrypted files extension | .nols |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch |
Ransom amount | $980, 50% discount if paid within 72 hours |
Detection Names | Trojan.TR:Crypt, Ransom/Win32/STOP, W32.Kryptik, Trojan.Ransom/Win32.Stop |
Symptoms | Unable to open documents, photos and music. You get an error message like ‘Windows can’t open this file’, ‘How do you want to open this file’. Files named like ‘_readme.txt’, or ‘_readme’ in each folder with at least one encrypted file. Files encrypted with .nols file extension. |
Distribution methods | Cracks, Adware, key generators, unsolicited emails, drive-by downloads, torrent websites. |
Removal | To remove Nols ransomware use the removal guide |
Decryption | To decrypt Nols ransomware use the steps |
At the moment, victims of STOP’s “.nols” variant or any of its previous versions will not be able to decrypt their files using the free decryptor. There is a slight exception, decryption is possible in cases where files were encrypted using an offline key. Below we will talk about this in more detail. Another option to return locked data is to use data recovery tools. Details to how to remove ransomware, how to decrypt or recover encrypted files in the next part of this article.
Quick links
- How to remove Nols ransomware
- How to decrypt .nols files
- How to restore .nols files
- How to protect your PC from Nols ransomware
How to remove Nols ransomware
Before you start recovering or decrypting files, you must be sure that Nols is completely removed. Although security experts, knowing all the signs of this ransomware infection, can find and remove it manually, we advise you to still use malware removal tools to search for and remove ransomware. Is it enough to just check the computer with an installed antivirus or Windows Defender? No, this is not enough! Of course, an antivirus check needs to be performed, but this is not enough. You need to use several tools specifically aimed at searching for ransomware, and it is desirable that these malware removal tools use different anti-virus engines. Below, we will give several utilities that are worthy of your attention, each of them is known among security experts and worthy of respect.
Remove Nols ransomware with Zemana
To find and remove ransomware, scan your computer with Zemana AntiMalware. It is a good malware removal tool to start with. Zemana has a small size, simple interface, fast scanner and most importantly, good ability to find and remove ransomware, trojans, worms, adware and other malware. In addition to these advantages, this tool has one more, you can remove the found malware for free. Installing Zemana AntiMalware (ZAM) is simple. First you’ll need to download Zemana AntiMalware (ZAM) on your personal computer by clicking on the link below.
164108 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once downloading is done, close all apps and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s called Zemana.AntiMalware.Setup as shown on the screen below.
When the setup begins, you will see the “Setup wizard” that will help you setup Zemana Free on your machine.
Once installation is done, you will see window as displayed on the image below.
Now click the “Scan” button . Zemana AntiMalware (ZAM) tool will begin scanning the whole PC system to find out Nols ransomware virus related folders, files and registry keys. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your personal computer and the speed of your PC. When a threat is detected, the count of the security threats will change accordingly. Wait until the the checking is complete.
After Zemana Anti Malware (ZAM) has finished scanning, Zemana Free will display a list of all security threats detected by the scan. Make sure all items have ‘checkmark’ and click “Next” button.
Zemana Free will uninstall Nols ransomware and move the found malware to the program’s quarantine.
Remove Nols with Hitman Pro
Hitman Pro is another utility that can help you remove ransomware. It will be able to detect hidden folders and files related to Nols virus, after which it will be able to delete them for free. Like Zemana, this malware removal tool is small and easy to use. In addition, the utility has another big plus, it does not require installation on a computer, you just need to download and run it. Visit the page linked below to download Hitman Pro. Save it to your Desktop so that you can access the file easily.
Once the downloading process is finished, open the directory in which you saved it. You will see an icon like below.
Double click the Hitman Pro desktop icon. Once the tool is opened, you will see a screen similar to the one below.
Further, click “Next” button to start checking your PC for ransomware. A scan may take anywhere from 10 to 30 minutes, depending on the count of files on your machine and the speed of your system. Once the scan get completed, the results are displayed in the scan report as on the image below.
In order to remove the found malicious software, simply press “Next” button. It will show a prompt, click the “Activate free license” button.
Remove Nols with Kaspersky virus removal tool
The last program we want to offer you to use for free ransomware removal is Kaspersky virus removal tool (KVRT). It is an utility that uses the most powerful anti-virus engine from Kaspersky antivirus. This program has all the necessary features, it can perform a full computer scan, find and remove ransomware and other malicious software. Download Kaspersky virus removal tool (KVRT) on your Desktop from the link below.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the downloading process is complete, double-click on the KVRT icon. Once initialization procedure is complete, you’ll see the KVRT screen as shown on the screen below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button for scanning your computer for Nols virus and other known infections. A scan may take anywhere from 10 to 30 minutes, depending on the count of files on your personal computer and the speed of your computer. When malware or ransomware is detected, the count of the security threats will change accordingly. Wait until the the scanning is done.
When that process is complete, a list of all threats found is created. Review the report and then click on Continue button.
How to decrypt .nols files
As we already said, files with extension ‘.nols’ are files that have been encrypted by ransomware. Unfortunately, at the moment there is no way to decrypt files, although there is a small chance that you will be able to unlock your files. In some cases, you can decrypt or restore encrypted files to their original state.
In Nols description, which is at the beginning of this article, we reported that in some cases the ransomware encrypts files using an offline key. What does it mean ‘offline key’? Researchers who investigated this ransomware found that it uses two types of keys, the so-called ‘online key’ and ‘offline key’. The ransomware encrypts files with the ‘online key’ when it has a connection to the control server, and uses the offline key when there is no such connection. In the first case, the key is always new, it is unique for each case of ransomware infection. In the second case, the key is not unique, and can be used to decrypt files that were encrypted on different computers. Based on the fact that offline keys were found for most of the previous versions of this ransomware, it is hoped that soon, an offline key for decrypting .nols files will also be found.
How to determine which key Nols used to encrypt your files. First of all, you can look at the Personal ID that is given in the ‘_readme.txt’ file (ransom note). Another way, look on disk ‘C’ for ‘SystemID\PersonalID.txt’ file. This is a file in which Nols stores the Personal IDs used for encryption.
If there is an ID ending in ‘t1’, then you are lucky, your files are encrypted using an offline key, and when researchers find this key, you can decrypt your files. In this case, to decrypt the files, you need to use Emsisoft STOP Djvu Ransomware Decryptor. If your Personal ID does not end with ‘t1’, then the ransomware used an online key. Even so, there is little chance of recovering encrypted files. This method will be discussed in the next part of the article.
How to restore .nols files
If your files were encrypted with an online key, or for one reason or another, the free decryptor, the link to which we posted above, cannot decrypt the encrypted files, then you still have one more chance. We highly recommend trying the two methods below. The first method was suitable for some users, the second one for others, but both methods have already helped many victims of ransomware attack to restore encrypted files to their original state. Before you start recovering files, please make sure that Nols ransomware is completely removed, this is very important. Ransomware activity can block file recovery, or cause you to never be able to restore encrypted files.
Use shadow copies to recover .nols files
Windows has a feature called ‘Shadow Volume Copies’ that can help you to restore .nols files to a state before encryption. This method involves using a free program called ShadowExplorer. Unfortunately, in most cases, the ransomware deletes the Shadow Volume Copies, thus preventing file recovery. But we still recommend trying this method. In some cases, it gives a fantastic result.
Click the link below to download ShadowExplorer. Save it on your Desktop.
438814 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When downloading is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed in the following example.
Double click ShadowExplorerPortable to start it. You will see the a window as shown on the image below.
In top left corner, choose a Drive where encrypted files are stored and a latest restore point such as the one below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to recover, right click to it and select Export as shown below.
Use PhotoRec to recover .nols files
Another opportunity to restore files to the state they had before encryption is to use a program called PhotoRec. This program is a data recovery utility. According to its capabilities, it is no worse than paid data recovery software, but at the same time it is free and has many advantages. Why such a program can recover your files. The answer is how the Windows OS deletes files. When files are deleted, these files do not disappear anywhere, the OS simply marks them as deleted and hides them from the user. Data recovery programs look for such files and restore access to them. This allows you to restore part and all encrypted files to their original state.
Download PhotoRec on your computer from the following link.
Once the download is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will display a screen as displayed in the following example.
Choose a drive to recover as displayed on the screen below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as displayed below.
Press File Formats button and specify file types to restore. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.
Next, click Browse button to choose where restored files should be written, then click Search.
Count of restored files is updated in real time. All restored files are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is complete, click on Quit button. Next, open the directory where restored files are stored. You will see a contents like below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your PC from Nols ransomware
Although most antiviruses have ransomware protection, this often does not help. Perhaps in your case, the antivirus did not have this ability or the ransomware was able to get around it. Therefore, for extra protection, we recommend using HitmanPro.Alert. It is a small security utility that can check the system integrity and alerts you when critical system functions are affected by ransomware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Download HitmanPro.Alert on your PC by clicking on the following link.
Once the downloading process is finished, open the file location. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the utility is opened, you’ll be shown a window where you can choose a level of protection, as on the image below.
Now click the Install button to activate the protection.
To sum up
We hope that this guide helped you remove ransomware and restore or decrypt .nols files. If your files were encrypted with an online key, or the free decryptor cannot decrypt them, we recommend that you follow the news on our facebook page or here.