Nmode@tutanota.com is an email address that cyber criminals use to contact victims of Crysis/Dharma ransomware. Ransomware is a type of malware that blocks access to files by encrypting them, until the victim pays a ransom.
Nmode@tutanota.com virus locks up the files using AES-RSA technology, that makes it impossible to unlock the encrypted data by the victim without obtaining a key and a decryptor, which is the only way to decrypt affected files. It can be obtained only in the case of payment of the required ransom through cryptocurrency wallet. The ransomware virus encrypts almost of database, videos, documents, music, web application-related files, archives and images, including common as:
.fsh, .3ds, .wmo, .raf, .zw, .tor, .mddata, .itm, .sidn, .bar, .hvpl, .wps, .pfx, .wbc, .webdoc, .zdb, .cr2, .nrw, .mcmeta, .bkf, .js, .xwp, .hplg, .wmv, .wpl, .rwl, .xlgc, .wpg, .ysp, .tax, .zi, .mp4, .psd, .gho, .sr2, .map, .wav, .x3f, .accdb, .w3x, .kf, .snx, .jpeg, .1st, .wbm, .forge, .xxx, .wire, .3fr, .cfr, .bc6, .xld, .yal, .dba, .odm, .xml, .x3d, .upk, .7z, .arw, .xbplate, .ibank, .y, .menu, .wma, .rofl, .qic, .ybk, .xar, .xlk, .wp7, .itdb, .xyp, .erf, .ptx, .dxg, .ai, .mdb, .der, .dbf, .bkp, .mov, .wpd, .vdf, .slm, .icxs, .xdb, .mdf, .bik, .css, .wdb, .wbd, .zif, .xls, .doc, .lvl, .t13, .xlsm, .vpp_pc, .wb2, .layout, .eps, .apk, .sie, .crw, .xlsx, .wpa, .z3d, .avi, .xf, .esm, .blob, .zabw, .ff, .wm, .2bp, .sid, .kdc, .m2, .itl, .rw2, .pdd, .wbmp, .rgss3a, .wgz, .z, .odb, .wmv, .d3dbsp, .fpk, .kdb, .indd, .wp4, .ntl, .wpe, .litemod, .x3f, .cer, .flv, .p7b, .wbk, .wmf, .xyw, .sb, .wpd, .odt, .wp5, .pak, .ltx, .db0, .dcr, .x, .wdp, .iwd, .wsc, .m4a, .csv, .0, .p7c, .fos, .syncdb, .docx, .wotreplay, .desc, .xdl, .sum, .lrf, .das, .xll, .xx, .webp, .gdb, .wot, .ncf, .bay, .m3u, .rim, .wma, .pptx, .wsd, .raw, .wmd, .big, .srw, .cdr, .sis, .vfs0, .wsh, .re4, .mpqge, .dwg, .svg, .hkx, .mef, .epk, .odc, .pptm, .t12, .xmind, .jpg, .hkdb, .xlsx, .wp, .vcf, .xbdoc, .vpk, .pkpass, .sav, .vtf, .r3d, .rtf, .rb, .sidd, .rar, .asset, .odp, .wbz, .pem, .png, .pef, .jpe, .ws, .wn, .wpb, .xlsb
With the encryption process is finished, all encrypted files will now have a new extension appended to them. In every directory where there are encrypted files, Nmode@tutanota.com virus drops a file called ‘RETURN FILES.txt’. This file contains a ransom note that is written in the English. The ransom message directs victims to make payment in exchange for a key needed to unlock personal files.
Summary
| Email address | Nmode@tutanota.com |
| Related ransomware | Dharma family |
| Variants of Dharma that use this address | .[nmode@tutanota.com].bot |
| Ransom note | RETURN FILES.txt |
| Ransom amount | $300 – $1000 |
| Removal | Free Malware Removal Tools |
| Recover Encrypted files | How to recover ransomware encrypted files |
Text presented in Nmode@tutanota.com ransomware pop-up window:
All FILES ENCRYPTED “RSA1024”
All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL nmode@tutanota.com
IN THE LETTER WRITE YOUR ID, YOUR ID ***
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL:nmodes@aol.com
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON’T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
DECRYPTION PROCESS:
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
!WARNING!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
How to recover .[nmode@tutanota.com].bot files
Unfortunately, at the moment it is impossible to decrypt .[nmode@tutanota.com].bot files, but do not despair. Fortunately, there are several alternative methods that can allow everyone to recover the contents of encrypted files. Each of these methods does not involve the use of special knowledge and paid programs and can be performed by everyone. We have prepared an instruction with illustrations, which describes in detail the process of data recovery. Before you begin data recovery, check your computer for malware using free malware removal tools. You must be 100% sure that admin@datastex.club virus is completely removed.
