Npsg file extension
.Npsg file extension is a file extension that is associated with a new malware from STOP (djvu) ransomware family. Variant ‘Npsg’ shares the characteristics of previous versions of this ransomware. It encrypts files and then renames them. Encrypted files will have a new filename consisting of their old filename and the .npsg extension added to the right. The authors of the virus demand a ransom in exchange for a pair – a key and a decryptor, which are necessary for decrypting the files. Fortunately, a group of security researchers created a free decryptor that can help virus victims decrypt files and unlock their contents for free. Scroll down to find out more about the decryptor, where to download it and how to use it to decrypt .npsg files.
Npsg virus is a malware program created by criminals to encrypt files on a victim’s computer. It uses a long key and a strong encryption system, which virtually eliminates the possibility of decrypting files without a decryption key and decryptor. Encrypted files are useless, their contents cannot be read or used in any way.
Npsg was created to infect computers running Windows OS. Most often, victims infect their computer by downloading and installing this malware that is disguised as free software, cracks, key generators, torrents files and so on. Upon execution, the downloaded file installs a ransomware instance on the victim’s computer.
Once installed, Npsg virus collects information about the victim’s computer and then tries to establish a connection with its command-and-control (C&C) server. If the connection is successful, then the virus uses the so-called ‘online key’ to encrypt files. This key is unique to each computer. If a connection to its C&C has not been established, Npsg uses the so-called ‘offline key’. This key is the same for all victims and for all infected computers.
All files on the victim’s computer are the target of Npsg virus. Even data that is on USB drive or cloud storage can be encrypted. The virus skips and does not encrypt files that are in the Windows OS system directories, as well as files with the extension .ini, .bat, .sys, .dll, .lnk and the filename ‘_readme.txt’. All other user files will be encrypted, regardless of what is in the files. For example, files of the following types can be encrypted:
.tor, .itm, .wcf, .ysp, .wpa, .hkdb, .wmd, .orf, .kdb, .iwd, .xdl, .zip, .wdb, .dwg, .xmmap, .mdb, .vdf, .odt, .wdp, .desc, .xbplate, .pptx, .kf, .srw, .0, .re4, .sid, .x, .p7c, .m3u, .ztmp, .svg, .wpw, .cdr, .mlx, .esm, .der, .1st, .wotreplay, .jpg, .icxs, .3fr, .crt, .db0, .bay, .zdc, .kdc, .3ds, .asset, .mcmeta, .pst, .rb, .raf, .dazip, .rofl, .wb2, .eps, .zip, .psd, .itl, .wpl, .sql, .ltx, .erf, .3dm, .wmv, .dba, .rwl, .wsh, .vpk, .rar, .odb, .wp, .psk, .big, .1, .dbf, .doc, .srf, .mdf, .vcf, .wps, .pfx, .m2, .wma, .sidd, .mp4, .cer, .xll, .dng, .mpqge, .sie, .docx, .xar, .z3d, .sum, .accdb, .pdf, .wbz, .xlsb, .snx, .indd, .pak, .hplg, .csv, .wps, .wma, .pptm, .xlsx, .yml, .wp6, .zif, .lvl, .xls, .wm, .wsd, .m4a, .t13, .gdb, .webdoc, .pem, .ppt, .txt, .d3dbsp, .py, .bkf, .wbk, .rim, .wav, .lrf, .wpd, .zabw, .x3f, .dcr, .yal, .iwi, .blob, .wp7, .png, .arw, .raw, .xdb, .bik, .webp, .arch00, .odp, .wpd, .bc6, .xbdoc, .odc, .xyp, .nrw, .vfs0, .fos, .xy3, .w3x, .sav, .wpb, .js, .docm, .sr2, .forge, .ai, .crw, .wmf, .x3f, .wbm, .litemod, .map, .p7b, .pkpass, .zw, .wot, .cr2, .epk, .bsa, .xx, .xxx, .ff, .xlk, .lbf, .pef, .wgz, .z, .sb, .r3d, .cas, .xlsm, .wn, .css, .2bp, .mef, .dxg, .wbmp, .xml, .tax, .x3d, .mov, .hkx, .jpeg, .xmind, .xls, .sidn, .das, .wire, .layout, .cfr, .ibank, .rgss3a, .xwp
Npsg virus quickly encrypts files on the infected computer, and does this file by file in each directory that it finds on the drives connected to the computer. Encrypted files are easily visible, they have a new .npsg extension and a blank icon. If the user tries to open such files, the Windows OS will report that it does not know how to do this and cannot find a program that can read files of this type. In addition to encrypted files, in each directory the victim will find another file. This file is named ‘_readme.txt’ and it contains a message from the authors of Npsg virus.
The file ‘_readme.txt’ is a ransom note. In it, criminals report that the victim’s files are encrypted and the only way to decrypt them is to use a unique key and decryptor. Attackers demand a ransom in exchange for this key and decryptor. The ransom amount is $490 if the victim pays for it within 72 hours. Otherwise, the ransom is doubled, and becomes $980. Criminals do not leave any information on how to pay the ransom. They suggest that the victim write an email letter to them at one of the addresses listed in the ransom note. Npsg authors promise to decrypt one file for free, but will do so if the file is small and does not contain any important information. Even if one file is decrypted, criminals cannot be trusted, there is no guarantee that after receiving the ransom they will provide the key and decryptor necessary for decrypting the files.
|Type||File locker, Ransomware, Filecoder, Crypto virus, Crypto malware|
|Encrypted files extension||.npsg|
|Ransom amount||$490, $980 in Bitcoins|
|Detection Names||Trojan/Win32.MalPe.R322034, Win32:Trojan-gen, TR/AD.InstaBot.gcd, Gen:NN.ZexaF.34084.TO0@aSZG7MfG, W32/Trojan.WPKA-8321, Trojan.DownLoader32.52752, Generic.mg.1b29ba23050c2560, W32/Kryptik.HANB!tr, Trojan.Win32.Crypt, Trojan-Ransom.Win32.Stop.im, GenericRXJN-JO!1B29BA23050C, BehavesLike.Win32.MultiPlug.bc, Trojan.Kryptik!1.C0F7 (CLOUD), Win32.Trojan.Stop.Dxwz|
|Symptoms||Files are encrypted with a .npsg file extension. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. New files on your desktop, with name variants of: ‘HOW_TO_DECRYPT.txt’, ‘DECRYPT.txt’ or ‘README.txt’.|
|Distribution ways||Phishing emails that look like they come from a reliable source. Adware. Drive-by downloads (crypto virus can infect the personal computer simply by visiting a web-site that is running harmful code). Torrents. Social media posts (they can be used to entice users to download malicious software with a built-in ransomware downloader or click a misleading link). Cracked games. Malicious web-sites.|
|Removal||Npsg virus removal guide|
|Decryption||Free Npsg Decryptor|
In a ransom note, criminals report that encrypted files cannot be decrypted without a key and a decryptor. Unfortunately, this is true, the encryption algorithm that uses Npsg virus locks the contents of encrypted files. Therefore, in any case, in order to decrypt the files, the victim needs a key and a decryptor.
Fortunately for each of the victims of Npsg virus, there is a universal decryptor that can decrypt files encrypted with different versions of STOP (Djvu) ransomware. And since Npsg is one of the variants of STOP (Djvu), this decryptor can decrypt .npsg files. The only limitation of this decryptor is that it can decrypt files that were encrypted with an offline key. But even if the decryptor cannot decrypt the files, then there are several alternative ways to recover the data in the encrypted files.
How to remove Npsg virus and Decrypt .npsg files
If you find files with .npsg extension on your computer, then the computer is the victim of ransomware attack. To unlock the contents of encrypted files, you need to take several steps. First you need to make sure that the computer does not contain malicious software, and only after that proceed to decrypt the files. In case when the decryption of the files failed, you need to use step 3, try to restore the files to their original state using several alternative methods. These methods do not require a key and decryptor. In order not to miss any part of the instructions, we recommend that you print it or open it on your smartphone.
- How to remove Npsg ransomware virus
- How to decrypt .npsg files
- How to restore .npsg files
- How to protect your computer from Npsg ransomware virus
How to remove Npsg ransomware virus
The first thing we advise every victim of Npsg virus is to check the computer for ransomware and other malicious software. This step is better not to skip. The reason is simple, if you do not remove Npsg virus, then after the files are decrypted, it will encrypt them again. Moreover, do not forget that active malware is a breach in protecting your computer, criminals can access the entire computer, control your computer, or use your computer to hack into other computers.
We recommend using free malware removal tools to detect and remove Npsg virus. Moreover, it is advisable to check the computer not with one tool but with two or more. So you can be sure that the ransomware is completely removed.
Use Zemana Free to remove Npsg ransomware virus
Zemana Anti-Malware is a program that is used for malware, adware, worms, ransomware, spyware, trojans and other security threats removal. The application is one of the most efficient antimalware tools. It helps in ransomware virus removal and and defends all other types of malware. One of the biggest advantages of using Zemana Anti-Malware (ZAM) is that is easy to use and is free. Also, it constantly keeps updating its virus/malware signatures DB. Let’s see how to install and check your machine with Zemana Anti-Malware in order to delete Npsg ransomware from your machine.
- First, visit the page linked below, then click the ‘Download’ button in order to download the latest version of Zemana Anti-Malware (ZAM).
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- Once you have downloaded the setup file, make sure to double click on the Zemana.AntiMalware.Setup. This would start the Zemana Free install on your machine.
- Select setup language and click ‘OK’ button.
- On the next screen ‘Setup Wizard’ simply click the ‘Next’ button and follow the prompts.
- Finally, once the installation is finished, Zemana Free will run automatically. Else, if doesn’t then double-click on the Zemana icon on your desktop.
- Now that you have successfully install Zemana, let’s see How to use Zemana Free to remove Npsg ransomware virus from your computer.
- After you have opened the Zemana Anti-Malware (ZAM), you will see a window like the one below, just press ‘Scan’ button to detect crypto malware.
- Now pay attention to the screen while Zemana AntiMalware (ZAM) scans your personal computer.
- When Zemana has completed scanning your machine, it will show the Scan Results. Once you’ve selected what you wish to delete from your machine click ‘Next’ button.
- Zemana Free may require a reboot computer in order to complete the Npsg ransomware virus removal process.
- If you want to permanently remove crypto virus from your personal computer, then click ‘Quarantine’ icon, select all malicious software, adware software, PUPs and other items and click Delete.
- Reboot your PC to complete the ransomware virus removal process.
Run MalwareBytes AntiMalware to remove Npsg
Manual Npsg removal requires some computer skills. Some files and registry entries that created by the crypto malware can be not completely removed. We suggest that run the MalwareBytes Free that are fully free your machine of Npsg virus. Moreover, this free program will allow you to delete malware, PUPs, adware software and worms that your machine may be infected too.
MalwareBytes Anti Malware can be downloaded from the following link. Save it directly to your Windows Desktop.
Category: Security tools
Update: April 15, 2020
When downloading is done, close all programs and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s called mb3-setup similar to the one below.
When the installation begins, you’ll see the “Setup wizard” which will help you install Malwarebytes on your machine.
Once install is complete, you’ll see window as shown in the following example.
Now press the “Scan Now” button to look for Npsg ransomware, other malware, worms and trojans. Depending on your system, the scan can take anywhere from a few minutes to close to an hour. While the MalwareBytes Free is checking, you can see how many objects it has identified either as being malicious software.
As the scanning ends, a list of all items found is created. Review the scan results and then click “Quarantine Selected” button.
The Malwarebytes will now remove Npsg ransomware and other security threats and move threats to the program’s quarantine. Once disinfection is finished, you may be prompted to restart your PC system.
The following video explains step-by-step instructions on how to remove browser hijacker, adware software and other malware with MalwareBytes.
If the problem with Npsg ransomware virus is still remained
If MalwareBytes antimalware or Zemana anti malware cannot remove this crypto malware, then we suggests to run the Kaspersky virus removal tool (KVRT). Kaspersky virus removal tool is a free removal tool for crypto viruses, adware, spyware, trojans and other malware.
Download Kaspersky virus removal tool (KVRT) on your Microsoft Windows Desktop by clicking on the following link.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is finished, double-click on the KVRT icon. Once initialization process is complete, you will see the KVRT screen like below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next press Start scan button . Kaspersky virus removal tool program will scan through the whole system for the Npsg ransomware virus and other trojans and malicious applications. A system scan can take anywhere from 5 to 30 minutes, depending on your computer.
After the system scan is finished, Kaspersky virus removal tool will display you the results as shown below.
Review the results once the tool has done the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click on Continue to start a cleaning process.
How to decrypt .npsg files
Files with extension .npsg are encrypted files. These files can only be decrypted using a key-decryptor pair. It is not possible to decrypt files in another way. The authors of Npsg virus demand a ransom for the key and the decryptor. Of course, no one can guarantee that after paying the ransom, the victim will be able to decrypt the encrypted files. Security experts do not recommend paying a ransom, as this pushes criminals to create a new ransomware.
Fortunately for all victims of Npsg virus, there is a free decryptor. It allows each victim to decrypt files encrypted with STOP ransomware. And since Npsg is one of the variants of this ransomware, this decryptor can be used to decrypt .npsg files.
To decrypt .npsg files, use free STOP (Npsg) decryptor
- Visit the page linked below to download STOP (Djvu) decryptor.
STOP Djvu decryptor
- Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
STOP (Npsg) decryptor is a fantastic program that allows everyone to decrypt files for free. Unfortunately, at the moment, this decryptor can only decrypt files encrypted with ‘offline key’. If the files on the victim’s computer are encrypted with an online key, then they will be skipped, these files cannot yet be decrypted. Online keys are unique to each computer and cannot be determined by security researchers. Only the criminals own them.
How to find out which key was used to encrypt files
Since Npsg decryptor only decrypts files encrypted with the offline key, each virus victim needs to find out which key was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways. Use any of them.
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters that starts with ‘0201’ – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the virus used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Npsg virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
If STOP (Npsg) decryptor displays message “Error: Unable to decrypt file with ID”, then two cases are possible why this happens:
- npsg files are encrypted with an ‘online key’, in this case, you need to use alternative methods to restore the contents of encrypted files;
- npsg files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers, in this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data;
How to restore .npsg files
Fortunately, in addition to using STOP (Npsg) decryptor, there are several alternative ways to recover the contents of encrypted files. However, if you have not tried the decryptor, then try it first by following step 2 of this instruction, and then return here.
Alternative methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for malware, do it right now, scan the system for Npsg virus using free malware removal tools.
Restore .npsg files with ShadowExplorer
The Microsoft Windows has a feature called ‘Shadow Volume Copies’ that can allow you to recover .npsg files encrypted by the Npsg ransomware virus. The method described below is only to recover encrypted files to previous versions from the Shadow Volume Copies using a free tool named the ShadowExplorer.
Visit the following page to download the latest version of ShadowExplorer for MS Windows. Save it to your Desktop.
Category: Security tools
Update: September 15, 2019
After the download is done, extract the saved file to a directory on your PC. This will create the necessary files like below.
Run the ShadowExplorerPortable program. Now choose the date (2) that you want to restore from and the drive (1) you wish to recover files (folders) from as shown in the figure below.
On right panel navigate to the file (folder) you want to restore. Right-click to the file or folder and click the Export button as on the image below.
And finally, specify a directory (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Run PhotoRec to restore .npsg files
Another alternative way to recover the contents of encrypted files is to use data recovery software. We suggest you pay attention to the program called PhotoRec. Photo Rec has all the necessary features for searching and restoring files and it is free.
Download PhotoRec by clicking on the following link.
Category: Security tools
Update: March 1, 2018
When downloading is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown in the following example.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will open a screen as shown in the figure below.
Select a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as displayed below.
Click File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is complete, click OK button.
Next, press Browse button to select where restored photos, documents and music should be written, then click Search.
Count of recovered files is updated in real time. All recovered documents, photos and music are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is complete, press on Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see a contents as displayed below.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your computer from Npsg ransomware virus
Most antivirus programs already have built-in protection system against the ransomware virus. Therefore, if your machine does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert. All-in-all, HitmanPro.Alert is a fantastic tool to protect your machine from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows operating system from Windows XP to Windows 10.
Please go to the link below to download HitmanPro Alert. Save it on your MS Windows desktop or in any other place.
Category: Security tools
Update: March 6, 2019
When the download is done, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the tool is opened, you’ll be shown a window where you can select a level of protection, like below.
Now click the Install button to activate the protection.
To sum up
This guide was created to help all victims of Npsg ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .npsg files; how to recover files, if STOP (Npsg) decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Npsg related issues, go to here.