.Nakw file extension is an extension that uses the latest version of the STOP ransomware to mark files that have been encrypted. Ransomware is malware created by criminals that encrypts files on the victim’s computer and demands a ransom to unlock them. Files encrypted with .nakw extension cannot be opened, their contents cannot be read without a unique decryption key, which is in the hands of attackers.
Nakw is the latest version of STOP (DJVU) ransomware, which was discovered by researchers recently. This is already the 177 version (v0177) of STOP ransomware. Like previous versions, it encrypts the data and then demands a ransom for decryption. The ransomware encrypts files using a strong encryption algorithm, which eliminates the possibility of finding a key in any way. For each victim, Nakw uses a unique key with a small exception. If the ransomware cannot establish a connection with a command and control server (C&C) before starting the encryption process, then it uses an offline key. This key is the same for different victims, which makes it possible in some cases to decrypt files that were encrypted during the ransomware attack.
Nakw can encrypt files regardless of what is in them, but it skips files with the extension: .lnk, .ini, .bat, .sys, .dll and the name _readme.txt. For example, files with the following extensions may be encrypted:
.txt, .dcr, .wot, .wmv, .iwi, .raw, .upk, .rtf, .ptx, .xml, .mlx, .sidd, .mpqge, .dbf, .wmv, .xyw, .svg, .pst, .mdf, .wpl, .bkf, .x3f, .m4a, .wdb, .yml, .nrw, .wmd, .mrwref, .xy3, .zdb, .fos, .0, .xls, .jpeg, .wri, .wav, .wm, .cas, .zi, .ncf, .pptx, .wotreplay, .wp6, .bay, .hplg, .dmp, .m2, .pem, .epk, .wsc, .sb, .wbk, .itm, .sidn, .xll, .sis, .ysp, .das, .ztmp, .ff, .xbplate, .wma, .bkp, .snx, .3fr, .mdbackup, .t12, .psd, .apk, .tor, .zip, .esm, .ltx, .xld, .xlsx, .wps, .png, .wpw, .dwg, .wire, .fsh, .flv, .m3u, .tax, .srf, .py, .raf, .wma, .pptm, .wpd, .r3d, .xdb, .arw, .bc7, .3dm, .desc, .d3dbsp, .qic, .pdf, .kf, .1st, .pfx, .hkx, .xx, .ibank, .xdl, .1, .layout, .xyp, .cfr, .odt, .wmf, .map, .avi, .arch00, .wpb, .y, .rb, .syncdb, .doc, .bsa, .vfs0, .wbmp, .fpk, .webdoc, .p7b, .x, .zif, .wcf, .ods, .wgz, .pef, .zw, .crw, .xar, .re4, .pkpass, .wbc, .sav, .hkdb, .erf, .p7c, .p12, .xf, .css, .wdp, .xlk, .rar, .kdc, .accdb, .qdf, .eps, .xlsm, .gdb, .ws, .wbd, .forge, .itl, .xlsx, .t13, .wbm, .rw2, .psk, .itdb, .lbf, .7z, .zdc, .z, .wps, .crt, .xpm, .vcf, .mddata, .der, .xxx, .w3x, .srw, .mov, .2bp, .odb, .wbz, .bc6, .odm, .pdd, .rwl, .litemod, .xlsb, .wp4, .wpe, .z3d, .xwp, .menu, .cdr, .rim, .kdb, .lvl, .wn, .wpt, .3ds, .xlsm, .x3d, .odp, .zip, .mcmeta, .vpp_pc, .wsd, .webp, .sum, .csv, .bar, .sql, .rofl, .xls, .cr2, .docx, .vdf, .lrf, .icxs, .ntl, .xmmap, .wpd, .gho, .cer, .db0, .wp7, .zabw, .dazip, .odc, .indd, .docm, .dng, .wp
Once the file is encrypted, it will be immediately renamed. This means literally the following. A file named ‘document.doc’, after it is encrypted, will be called ”document.doc.nakw’. It encrypts file by file in all directories on all available disks. When all the files in the directory are encrypted, the ransomware drops a file named ‘_readme.txt’. The following is an example of the contents of this file.
Each directory with encrypted files will have the ‘_readme.txt’ file. This file contains a message from Nakw creators. In this message, the attackers report that all the files were encrypted and the only way to decrypt them is to buy a unique key and decryptor. Criminals demand a ransom of $490, if the victim does not pay the ransom within 72 hours, then the ransom will double. The attackers left two email addresses that the victim must use to contact them. To confirm the possibility of decryption, criminals offer to decrypt one small file for free. But it’s obvious that there is no guarantee that even by paying the ransom, the victim will be able to decrypt the encrypted files.
Threat Summary
Name | Nakw |
Type | Ransomware, Crypto malware, Crypto virus, File locker, Filecoder |
Encrypted files extension | .nakw |
Ransom note | _readme.txt |
Contact | salesrestoresoftware@firemail.cc, salesrestoresoftware@gmail.com |
Ransom amount | $490,$980 after 72 hours from the time of the ransomware attack |
Detection Names | W32/Kryptik, Trojan.Ransom-Win32/Stop, RansomWin32/STOP, Trojan.TR-Crypt |
Symptoms | Files encrypted with .nakw extension. You get an error message like ‘Windows can’t open this file’, ‘How do you want to open this file’. Files named such as ‘_readme.txt’, or ‘_readme’ in each folder with at least one encrypted file. |
Distribution methods | Torrents web-sites, Malicious links in emails, Adware, Exploit kits, Key generators, Social media posts, cracks |
Removal | Nakw ransomware removal guide |
Decryption | Free Nakw Decryptor |
Criminals claim that it is impossible to decrypt files that have been encrypted. Until recently, this was so. At the moment, with the advent of STOP (DJVU) decryptor, in some cases you can decrypt files. This means that files can be decrypted if they are encrypted with the offline key that we talked about earlier. In all remaining cases, decryption is not yet possible. But there are several alternative methods that can allow everyone to recover the contents of encrypted files. In the next part of the article, we will tell you how to find and remove Nakw ransomware, how to decrypt files and how to restore encrypted files to their unencrypted state.
Quick links
- How to remove Nakw ransomware
- How to decrypt .nakw files
- How to restore .nakw files
- How to protect computer from Nakw ransomware
How to remove Nakw ransomware
If you want to immediately start decrypting files, then this will be your mistake. This way is wrong. You should use the following way: scan your computer for malware, find and remove ransomware, decrypt (restore) files. To search for ransomware, you need to use malware removal tools. It is very important to use several different utilities to identify and remove Nakw. Each of the used tools should be based on a different anti-malware (anti-virus) engine. This is the only way to make sure that the ransomware was found and completely removed.
How to remove Nakw ransomware virus with Zemana Anti-Malware
The process of finding and removing the ransomware, we recommend that you start by using a program called Zemana Anti-Malware. It is a malware removal tool, which is widely known among experts and is often recommended by them. Zemana Anti-Malware is small in size, easy to use and can quickly scan your computer, find and remove ransomware, adware, trojans, worms, and other security threats. Immediately after the end of the system scan, you can remove all malware found for free by simply clicking one button.
- Download Zemana by clicking on the following link. Save it to your Desktop.
Zemana AntiMalware
164113 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- After the downloading process is done, close all apps and windows on your PC system. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
- Further, press Next button and follow the prompts.
- Once install is done, click the “Scan” button to perform a system scan for Nakw ransomware, other kinds of potential threats such as malicious software and trojans. This task can take some time, so please be patient. While the Zemana Free application is checking, you can see count of objects it has identified as threat.
- After the system scan is done, Zemana Anti Malware (ZAM) will produce a list of malware. Review the report and then click “Next”. Once that process is complete, you can be prompted to reboot your computer.
Remove Nakw ransomware with HitmanPro
Another malware removal tool that we recommend using to remove Nakw is Hitman Pro. It does not require installation, you just need to download and run it. After that, you can immediately check the computer, find and remove ransomware. As with Zemana Anti-Malware, HitmanPro allows you to remove all malware found for free.
Visit the following page to download HitmanPro. Save it to your Desktop.
After the download is finished, open the file location. You will see an icon like below.
Double click the Hitman Pro desktop icon. When the utility is started, you will see a screen like below.
Further, click “Next” button to perform a system scan with this utility for Nakw ransomware and other security threats. This procedure can take quite a while, so please be patient. After the scan get completed, it will display the Scan Results as shown in the figure below.
Make sure to check mark the items that are unsafe and then press “Next” button. It will display a prompt, click the “Activate free license” button.
Remove Nakw ransomware with Kaspersky virus removal tool
The third utility that we recommend using to check your computer and make sure that Nakw ransomware is removed is Kaspersky virus removal tool (KVRT). It is a completely free utility that is based on the core of the famous antivirus created by Kaspersky Lab. KVRT can detect and remove a variety of malware, including ransomware, trojans, worms, adware, spyware, browser hijackers and so on.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link. Save it on your MS Windows desktop.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When downloading is complete, double-click on the Kaspersky virus removal tool icon. Once initialization process is complete, you’ll see the KVRT screen as displayed in the following example.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button for scanning your personal computer for Nakw ransomware virus and other trojans and harmful apps. When a threat is found, the number of the security threats will change accordingly. Wait until the the checking is finished.
After the scan get completed, KVRT will display a scan report like below.
All found threats will be marked. You can delete them all by simply press on Continue to start a cleaning procedure.
How to decrypt .nakw files
All files with the ‘.nakw’ extension are encrypted. Their contents cannot be unlocked simply by removing this extension or completely changing the name. To decrypt files, you need a decryptor. Fortunately, Emsisoft has created a free decryptor called STOP Djvu decryptor.
To decrypt .nakw files with free decryptor, use the following steps:
- Open the STOP Djvu decryptor page in a new tab/window.
- Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
At the moment, STOP/Djvu decryptor can only decrypt files that have been encrypted with an offline key. Unfortunately, if the files were encrypted with an online key, then the free decryptor is completely useless. What is the offline key, is written here.
How to determine which key was used by Nakw ransomware to encrypt files
First of all, you can look at the Personal ID that is given in the ‘_readme.txt’ file (ransom demand message). Another way, look on disk ‘C’ for ‘SystemID\PersonalID.txt’ file. This is a file in which Nakw ransomware stores the Personal IDs used for encryption.
If there is an ID ending in ‘t1’, then you are lucky, your files are encrypted using an offline key, and when researchers find this key, you can decrypt your files. In this case, to decrypt the files, you need to use the STOP Djvu Decryptor linked above. If your Personal ID does not end with ‘t1’, then the ransomware used an online key. Even so, there is little chance of recovering encrypted files. This method will be discussed in the next part of the article.
How to restore .nakw files
As we already said, a free decryptor can only decrypt files encrypted using an offline key. What to do when files were encrypted with an online key. Even in this case, everyone has a chance to recover the contents of encrypted files. This is possible due to the existence of several alternative ways to restore files. Each of these methods does not require a decryptor and a unique key, which is in the hands of criminals. The only thing we strongly recommend that you perform (if you have not already done so) is to perform a full scan of the computer. You must be 100% sure that Nakw ransomware has been removed. To find and remove ransomware, use the free malware removal tools.
Use shadow copies to restore .nakw files
The Windows OS (10, 8, 7 , Vista) has one very useful feature, it makes copies of all files that have been modified or deleted. This is done so that the user can recover, if necessary, the previous version of accidentally deleted or damaged files. These copies of the files are called ‘Shadow copies’. One tool that can help you recover files from the Shadow copies is ShadowExplorer. It is very small tool and easy to use. Unfortunately, ransomware often delete Shadow copies, thus blocking this method of recovering encrypted files. Nevertheless, be sure to try this method.
First you’ll need to download ShadowExplorer by clicking on the link below. Save it on your Desktop.
438827 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the downloading process is done, extract the saved file to a directory on your computer. This will create the necessary files as shown in the figure below.
Start the ShadowExplorerPortable program. Now select the date (2) that you wish to recover from and the drive (1) you wish to restore files (folders) from as displayed in the following example.
On right panel navigate to the file (folder) you wish to recover. Right-click to the file or folder and press the Export button as shown in the figure below.
And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Recover .nakw files with PhotoRec
Another alternative way to recover encrypted files is to use data recovery tools. We recommend using a program called PhotoRec. This tool is free and does not require installation. Below we will show in detail how to use it to restore encrypted files.
Download PhotoRec on your machine from the following link.
Once downloading is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the image below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will show a screen as shown on the image below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as displayed on the image below.
Click File Formats button and select file types to restore. You can to enable or disable the restore of certain file types. When this is complete, click OK button.
Next, click Browse button to choose where restored files should be written, then click Search.
Count of recovered files is updated in real time. All restored files are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is complete, press on Quit button. Next, open the directory where restored files are stored. You will see a contents like below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your computer from Nakw ransomware
Despite the fact that most modern antivirus software provide protection against ransomware, often this is not enough. We recommend using HitmanPro.Alert as an additional layer of protection. All-in-all, HitmanPro.Alert is a fantastic tool to protect your personal computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows OS from Windows XP to Windows 10.
HitmanPro Alert can be downloaded from the following link. Save it directly to your Microsoft Windows Desktop.
Once the downloading process is finished, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the utility is launched, you will be displayed a window where you can select a level of protection, as on the image below.
Now click the Install button to activate the protection.
To sum up
This article is for everyone who has become a victim of Nakw ransomware. The article contains answers to questions about how to remove ransomware, how to decrypt files, and what alternative methods exist to restore the contents of encrypted files. If you have any questions or comments, then write to us.