Nosu file extension
The .nosu file extension is appended to the names of files affected by the latest version of STOP (djvu) ransomware. Ransomware is malware that encrypts victims’ files and thus locks up the information contained in them. Ransomware developers demand a ransom in exchange for a decryptor and a key, which are necessary for decrypting the files. Fortunately, since Nosu is one of the variants of STOP (djvu), in some cases you can use the free STOP (Nosu) decryptor to decrypt files affected by it. This decryptor, as well as other ways of recovering encrypted files, is discussed in this article.
Nosu virus
Nosu virus is malware that is the 197th version of STOP (DJVU) ransomware. Like other versions of this ransomware, it is distributed through key generators, cracked software, adware and torrent websites. Upon execution, Nosu creates a folder in the Windows system directory and copies itself there. Then the virus changes some Windows OS settings so that it starts automatically every time the PC is turned on or restarted.
Having collected information about the victim’s computer, Nosu virus tries to establish a connection with its command-and-control server (C&C). If the connection has been established, the virus receives a key (so called ‘online key’) from the command server that will be used to encrypt files. In addition, Nosu virus may receive additional commands and files that will be executed on the victim’s computer. If the virus could not connect to the command server, then it uses a fixed key, which the security researchers called ‘offline key’.
There is a significant difference between ‘online key’ and ‘offline key’. The online key is unique for each victim, that is, the key from one victim will not help decrypt the files of the other victim. The offline key is the same for all victims. Thus, it can be used to decrypt files regardless of where they were encrypted.
Once it has a key, Nosu virus starts encrypting files. It encrypts file by file until all of the victim’s files are encrypted. It doesn’t matter where the files are located: files on the internal drive, flash drives, external media and cloud storage can all be encrypted. There is a small exception: the virus does not encrypt files located in the Windows system directories, files with an extension from the list ‘.lnk, .bat, .ini, .sys, .dll’ and files with the name ‘_readme.txt’. Thus, almost all of the victim’s data will be encrypted, including documents, pictures, databases, archives and other types of files, such as:
.3fr, .sis, .mef, .vdf, .xar, .hkx, .wmv, .lrf, .dwg, .xlsm, .db0, .crt, .xll, .svg, .rgss3a, .wpd, .dba, .wpb, .wgz, .mrwref, .dng, .wpl, .map, .xbplate, .gdb, .wbm, .zabw, .zi, .ibank, .qic, .wri, .bay, .ztmp, .wcf, .srf, .zdb, .mpqge, .mdbackup, .wotreplay, .zip, .jpg, .mdf, .doc, .pef, .fos, .cas, .bc7, .mp4, .desc, .kf, .jpe, .bsa, .wps, .xld, .mddata, .xmmap, .re4, .p7c, .wsc, .arch00, .w3x, .pkpass, .hkdb, .mlx, .odc, .p12, .wpd, .wma, .ws, .wbc, .m3u, .1, .apk, .eps, .blob, .epk, .raf, .wmv, .xy3, .2bp, .xx, .xlgc, .xyw, .wb2, .qdf, .psd, .bkf, .css, .wdp, .big, .x3d, .csv, .sr2, .wn, .fpk, .ods, .3dm, .xlsx, .webdoc, .mcmeta, .vpp_pc, .dcr, .png, .bkp, .zif, .ppt, .wpw, .x, .upk, .zw, .xlsm, .1st, .js, .der, .pdd, .m4a, .dxg, .xls, .odt, .mdb, .xlsb, .bar, .xwp, .wp6, .arw, .flv, .sav, .docm, .gho, .r3d, .cfr, .rw2, .xxx, .kdb, .vfs0, .wire, .3ds, .iwi, .fsh, .ncf, .wp4, .wmd, .xmind, .zdc, .pak, .xdl, .lvl, .wps, .ff, .xlk, .wpe, .wbz, .wsd, .pem, .xlsx, .wm, .pptm, .y, .cer, .0, .bc6, .indd, .wdb, .lbf, .wbd, wallet, .bik, .accdb, .crw, .das, .wpt, .webp, .esm, .wma, .mov, .sidd, .txt, .xbdoc, .7z, .py, .rofl, .sie, .wmf, .iwd, .odp, .vpk, .pdf, .wp, .forge, .wav, .icxs, .ptx, .t12, .z, .docx, .wot, .wbmp, .wpg, .wp7, .xml, .slm, .yal, .snx, .xdb, .psk, .orf, .cdr, .itl, .kdc, .pst, .pfx, .vtf, .d3dbsp, .rb, .asset, .xyp, .jpeg, .wpa, .pptx, .wmo, .hvpl
Each file that has been encrypted by Nosu virus is renamed: the extension ‘.nosu’ is appended to the end of its name. Thus, a file named ‘image.jpg’, after it is encrypted, will receive the name ‘image.jpg.nosu’. To encrypt as many files as possible in the minimum time, the virus does not encrypt the entire file, but only its initial part, 154 kb in size. Nosu virus encrypts files sequentially; when all files in a directory are encrypted, it places a new file in it. This file is called ‘_readme.txt’ and its contents are shown below.
This file is a ransom note that is a message from Nosu creators. In this message, the criminals report that the victim’s files are encrypted and there is only one way to decrypt them – buy the key and the decryptor from them. Attackers set the price for the key and decryptor at $980. If the victim pays the ransom within 72 hours, then Nosu authors agree to make a discount of half the ransom, that is, reduce the size of the ransom to $490. Criminals offer to decrypt one file for free. To do this, the victim needs to send this file to one of the email addresses listed in the ransom demand message. But successful decryption of one file does not guarantee the possibility of decryption of files even after payment of the ransom.
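The renaming and note-dropping behaviour described above gives a simple way to scope the damage before any cleanup. The following read-only inventory is an added example, not code from the original article or from any tool it mentions; the function names and the sample directory tree are constructed for illustration.

```python
"""Scope a .nosu incident: count renamed files and ransom notes (read-only)."""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".nosu"    # extension appended to every encrypted file
RANSOM_NOTE = "_readme.txt"   # note placed in each processed directory


def inventory(root):
    """Walk `root` and summarise what the ransomware touched."""
    by_type = Counter()       # original extension -> number of encrypted files
    encrypted, note_dirs, restored = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        if RANSOM_NOTE in names:
            note_dirs.append(dirpath)
        for name in files:
            if not name.lower().endswith(ENCRYPTED_SUFFIX):
                continue
            original = name[: -len(ENCRYPTED_SUFFIX)]  # image.jpg.nosu -> image.jpg
            encrypted.append(os.path.join(dirpath, name))
            by_type[Path(original).suffix.lower() or "(none)"] += 1
            # A plaintext sibling means the file was already restored or
            # decrypted; the .nosu copy is then only a leftover.
            if original.lower() in names:
                restored.append(os.path.join(dirpath, original))
    return {
        "encrypted": sorted(encrypted),
        "by_type": dict(by_type),
        "note_dirs": sorted(note_dirs),
        "already_restored": sorted(restored),
    }


def build_sample_tree(root):
    """Create a small constructed tree of empty files for the demo."""
    layout = {
        "Documents": ["report.docx.nosu", "budget.xlsx.nosu", "_readme.txt"],
        "Pictures": ["image.jpg.nosu", "image.jpg", "_readme.txt"],
        "Tools": ["run.bat", "settings.ini"],  # skipped extensions, no note
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            Path(root, folder, name).touch()


def demo():
    """Run the inventory on the constructed tree; paths are made relative."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        result = inventory(root)

        def rel(path):
            return os.path.relpath(path, root).replace(os.sep, "/")

        return {key: ([rel(p) for p in value] if isinstance(value, list) else value)
                for key, value in result.items()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Point `inventory()` at a user profile or a mounted disk image to get the same summary for a real machine; it never opens, renames or deletes a file.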
Threat Summary
Name | Nosu |
Type | Crypto malware, Ransomware, File locker, Crypto virus, Filecoder |
Encrypted files extension | .nosu |
Ransom note | _readme.txt |
Contact | helpmanager@firemail.cc, helpmanager@iran.ir |
Ransom amount | $490/$980 in Bitcoins |
Detection Names | Trojan.Win32.Razy, Trojan/Win32.MalPe, Gen:Variant.Razy, Trojan.Siggen9.4539, Win32/Kryptik, W32/Kryptik.HAIP, Trojan.Stop.cg, Trojan-Ransom.Win32.Stop.if, Trojan.MalPack.GS, Ransom:Win32/STOP.BS, Win32/Trojan.fc8, Win32.Trojan.Stop.Ajlu |
Symptoms | Files won’t open. Your documents, photos and music now have an odd extension. Files named such as ‘_readme.txt’, or ‘_readme’ in each folder with at least one encrypted file. Ransom demanding message on your desktop. |
Distribution methods | Spam mails that contain malicious links. Cracked games. Drive-by downloads from a compromised web page. Torrents websites. Social media posts (they can be used to entice users to download malware with a built-in ransomware downloader or click a malicious link). |
Removal | Nosu virus removal guide |
Decryption | Free Nosu decryptor |
In the ransom note, the authors of Nosu virus report that it is impossible to decrypt files without a key and a decryptor. In general, this is true; to decrypt .nosu files, you must use the key and the decryptor. This is confirmed by the security researchers.
As we reported at the very beginning of this article, there is a free decryptor, which in some cases can decrypt .nosu files. In the case when it could not decrypt the files, there are several more methods, each of which can help the victim restore the files encrypted by Nosu virus. These methods do not require the use of a key and decryptor, and therefore are suitable for all victims.
How to remove Nosu virus, Recover, Decrypt .nosu files
If you are a victim of ransomware and your files have been encrypted, then we recommend that you follow the simple steps described below. These steps will help you remove Nosu virus and decrypt .nosu files that were affected by it. Moreover, we will also show you how to recover encrypted files if the decryption of the files was unsuccessful. Read the entire manual carefully. To make it easier for you to follow the instructions, we recommend that you print it or open it on your smartphone.
- How to remove Nosu virus
- How to decrypt .nosu files
- How to restore .nosu files
- How to protect your personal computer from Nosu crypto malware
How to remove Nosu virus
The first thing you need to do before decrypting .nosu files is to make sure that Nosu virus is no longer active, as well as find all its components and remove them. An active ransomware is very dangerous because it can encrypt all files that were recovered during decryption. Therefore, you need to check your computer for ransomware and other malware. To do this, we recommend using free malware removal tools that will find Nosu virus and remove it for free.
Remove Nosu ransomware with Zemana
Zemana is one of the best in its class. It can search for and remove lots of different security threats, including trojans, spyware, worms, crypto viruses, adware and malware that masquerades as legitimate computer programs. Zemana Anti Malware also includes another utility called FRST, a helpful application for manual removal of files and parts of the Windows registry created by ransomware.
Now you can set up and use Zemana Free to delete Nosu from your internet browser by following the steps below:
Please go to the link below to download Zemana Anti-Malware (ZAM) setup file called Zemana.AntiMalware.Setup on your computer. Save it on your Microsoft Windows desktop.
Launch the installer after it has been downloaded successfully and then follow the prompts to install this utility on your PC.
During installation you can change certain settings, but we suggest you don’t make any changes to default settings.
When installation is done, this malicious software removal utility will automatically launch and update itself. You will see its main window such as the one below.
Now click the “Scan” button to start scanning your system for the Nosu ransomware related folders, files and registry keys. A system scan may take anywhere from 5 to 30 minutes, depending on your PC. While the Zemana Free program is checking, you can see how many objects it has identified as threats.
When Zemana Free is done scanning your machine, the results are displayed in the scan report. Once you have selected what you wish to remove from your PC system click “Next” button.
Zemana Anti Malware (ZAM) will remove Nosu ransomware virus related folders, files and registry keys and move items to the program’s quarantine. After that process is done, you may be prompted to reboot your computer to make the change take effect.
Use MalwareBytes Free to remove Nosu ransomware virus
You can remove Nosu automatically with the help of MalwareBytes AntiMalware (MBAM). We recommend this free malicious software removal tool because it can easily remove ransomware, adware, malicious software and other unwanted apps with all their components such as files, folders and registry entries.
- Download MalwareBytes Anti Malware (MBAM) from the link below.
- Once downloading is done, close all applications and windows on your personal computer. Open a folder in which you saved it. Double-click on the icon that’s named mb3-setup.
- Further, click Next button and follow the prompts.
- Once installation is finished, press the “Scan Now” button to check your system for the Nosu ransomware and other security threats. This procedure can take quite a while, so please be patient. When a threat is detected, the count of the security threats will change accordingly. Wait until the scanning is finished.
- After that process is complete, MalwareBytes will show you the results. Review the report and then click “Quarantine Selected”. After that process is complete, you may be prompted to restart your computer.
Use Kaspersky virus removal tool to remove Nosu ransomware from the system
Kaspersky virus removal tool (KVRT) is a free portable program that scans your computer for spyware, trojans, worms, and ransomware like Nosu virus and helps remove them easily. Moreover, it’ll also help you remove any other malicious software.
Download Kaspersky virus removal tool (KVRT) from the following link. Save it to your Desktop so that you can access the file easily.
When downloading is finished, double-click on the KVRT icon. Once the initialization process is done, you will see the Kaspersky virus removal tool screen like the one below.
Click Change Parameters and set a check mark next to all your drives. Click OK to close the Parameters window. Next, press the Start scan button to perform a system scan with this utility for the Nosu crypto virus and other trojans and harmful programs. A system scan can take anywhere from 5 to 30 minutes, depending on your computer. While the Kaspersky virus removal tool is checking, you can see the number of objects it has identified as threats.
When finished, Kaspersky virus removal tool will show a scan report as displayed on the image below.
You may remove threats (move them to Quarantine) by simply clicking Continue to start the cleaning process.
How to decrypt .nosu files
To decrypt .nosu files, you need to use a unique key and decryptor. Security researchers confirm that it is impossible to access the contents of encrypted files without decryption. Renaming the affected files or changing their extension cannot help the victim; the files will still remain encrypted. Fortunately, Emsisoft created a free decryptor, which in some cases can decrypt .nosu files.
To decrypt .nosu files, use free STOP (Nosu) decryptor
- Download STOP (Nosu) decryptor from the following link.
STOP Djvu decryptor
- Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
As we have said several times, this decryptor can decrypt files only in some cases, when the files were encrypted with an ‘offline key’. If the files were encrypted with an ‘online key’, then they cannot be decrypted. The reason for this is that the decryption key is in the hands of criminals and this key cannot be determined. But even in this case, there is a chance to restore the contents of encrypted files; we will talk about how to do this a little later.
How to find out which key was used to encrypt files
Since STOP (Nosu) decryptor only decrypts files encrypted with the offline key, each Nosu victim needs to find out which key was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways. Use either of them.
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters that starts with ‘0195’ – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the virus used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Nosu virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
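The two checks above can be scripted. This is an added example, not part of the original article or of the Emsisoft decryptor; the sample note and ID values are constructed, and it assumes that ‘PersonalID.txt’ holds one ID per line.

```python
"""Classify STOP (Nosu) Personal IDs as offline-key or online-key."""

OFFLINE_SUFFIX = "t1"  # per the article: an ID ending in 't1' means an offline key

# Constructed samples, not real victim IDs.
SAMPLE_NOTE = """(constructed note body)

Your personal ID:
0195-CONSTRUCTED-SAMPLE-ONLINE-ID
"""
SAMPLE_PERSONALID = """0195-CONSTRUCTED-SAMPLE-ONLINE-ID
0195-CONSTRUCTED-SAMPLE-OFFLINE-IDt1
"""


def id_from_note(note_text):
    """Return the ID on the line below 'Your personal ID' in _readme.txt, or None."""
    lines = [line.strip() for line in note_text.splitlines()]
    for index, line in enumerate(lines):
        if "your personal id" in line.lower():
            for candidate in lines[index + 1:]:
                if candidate:
                    return candidate
    return None


def ids_from_personalid_file(text):
    """Return the IDs listed in PersonalID.txt, de-duplicated, in file order."""
    ids = []
    for token in text.split():  # assumption: whitespace/newline separated IDs
        if token not in ids:
            ids.append(token)
    return ids


def key_type(personal_id):
    """Apply the article's rule to a single ID."""
    return "offline" if personal_id.endswith(OFFLINE_SUFFIX) else "online"


def assess(note_text="", personalid_text=""):
    """Combine both sources; return ({id: key type}, overall verdict)."""
    ids = ids_from_personalid_file(personalid_text)
    note_id = id_from_note(note_text)
    if note_id and note_id not in ids:
        ids.append(note_id)
    kinds = {pid: key_type(pid) for pid in ids}
    distinct = set(kinds.values())
    if not distinct:
        verdict = "no ID found"
    elif len(distinct) == 1:
        verdict = distinct.pop()  # all IDs agree: 'offline' or 'online'
    else:
        # Several keys were used: only files tied to the offline ID are
        # candidates for the free decryptor.
        verdict = "mixed"
    return kinds, verdict


if __name__ == "__main__":
    kinds, verdict = assess(SAMPLE_NOTE, SAMPLE_PERSONALID)
    for pid, kind in kinds.items():
        print(f"{pid}: {kind} key")
    print("verdict:", verdict)
```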
What to do if STOP (Nosu) decryptor says “Error: Unable to decrypt file with ID”
If during decryption of .nosu files the decryptor reports ‘Error: Unable to decrypt file with ID’ and skips files without decrypting them, then there are two possible reasons:
- files are encrypted with an ‘online key’; in this case, you need to use alternative methods to restore the contents of encrypted files;
- files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers; in this case, you need to be patient and wait a while, and you can also use alternative ways of recovering encrypted data.
How to restore .nosu files
If the free decryptor did not help you, or your files are encrypted using an online key, then there is no need to panic! There are several other alternative methods that may allow you to restore the contents of encrypted files. Once again, remember to be sure to check your computer for ransomware and malware using free malware removal tools. You must be sure that Nosu virus is completely removed.
Each of the methods presented below uses a different mechanism for recovering encrypted files. So try each one. It often happens that if the first method did not help, then the second helped.
Recover .nosu encrypted files using Shadow Explorer
First of all, try to recover .nosu files from Shadow Volume Copies, which are automatically created by Windows OS. In order to recover photos, documents and music encrypted by Nosu virus from Shadow Volume Copies you can use a tool called ShadowExplorer. We recommend using this free utility because it is small in size, has a simple interface and does not require installation on a computer. Unfortunately, ransomware often removes all Shadow copies. Therefore, if Shadow Explorer cannot help you, then immediately proceed to the second method, which is given below.
Installing the ShadowExplorer is simple. First you will need to download ShadowExplorer on your Windows Desktop by clicking on the following link.
After downloading is finished, extract the saved file to a directory on your PC. This will create the necessary files as displayed below.
Run the ShadowExplorerPortable program. Now choose the date (2) that you want to recover from and the drive (1) you wish to recover files (folders) from as shown in the following example.
On the right panel, navigate to the file (folder) you want to restore. Right-click the file or folder and click the Export button as displayed in the following example.
Finally, specify a folder (your Desktop) to save the shadow copy of the encrypted file and click the ‘OK’ button.
Use PhotoRec to restore .nosu files
Another alternative way to recover .nosu files is to use data recovery software. This method requires a lot of time, but in most cases it allows you to recover part, and sometimes all, of the encrypted files. To restore .nosu files, use a free tool called PhotoRec. It has a simple interface and does not require installation.
Download PhotoRec by clicking on the link below. Save it on your Windows desktop or in any other place.
When the downloading process is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, please open the testdisk-7.0 folder as shown in the figure below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will display a screen as shown below.
Select a drive to recover like the one below.
You will see a list of available partitions. Select a partition that holds encrypted personal files as shown below.
Press the File Formats button and specify the file types to restore. You can enable or disable the restoring of certain file types. When this is complete, press the OK button.
Next, press the Browse button to select where recovered documents, photos and music should be written, then click Search.
The count of restored files is updated in real time. All restored personal files are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the recovery is complete, click the Quit button. Next, open the directory where recovered files are stored. You will see contents as displayed in the figure below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can sort your recovered files by extension and/or date/time.
How to protect your personal computer from Nosu crypto malware
Most antivirus software already has a built-in protection system against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, run HitmanPro.Alert. All in all, HitmanPro.Alert is a fantastic utility to protect your PC system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes the malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows OS from MS Windows XP to Windows 10.
First, visit the page linked below, then click the ‘Download’ button in order to download the latest version of HitmanPro Alert.
After the download is complete, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. Once the tool is started, you will be shown a window where you can choose a level of protection, as displayed below.
Now click the Install button to activate the protection.
Final words
This guide was created to help all victims of Nosu ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .nosu files; how to recover files, if STOP (Nosu) decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.
If you have questions, then write to us by leaving a comment below. If you need more help with Nosu related issues, go here.