What is Npsk file extension
.Npsk file extension is a file extension that is associated with the newest version of widespread ransomware called STOP (Djvu). Researchers discovered ‘Npsk’ variant just a week after discovering the previous one, which is called Remk. Like all previous versions of STOP ransomware, Npsk encrypts files and makes them unreadable. Ransomware authors demand ransom from their victims for restoring access to encrypted data. Fortunately, a group of security professionals has created a free Npsk File Decrypt tool that helps Npsk’s victims to decrypt encrypted files. You can find all information about this decryptor below, just scroll this article down.
What is Npsk ransomware virus
Npsk ransomware is really a nasty program. It infects a computer when a victim downloads or runs malware infected files. Criminals lure unwary users into downloading ransomware by hiding malicious code within freeware, cracked versions of paid software, key generators, and so on. Upon execution, an instance of ransomware is installed on victim’s computer.
Once installed on a computer, Npsk encrypts victim’s files using a strong encryption algorithm and a long key. If, before encrypting the files, the virus was able to establish a connection with its command-and-control (C&C) server, then it uses so called ‘online key’ that is unique to each victim. There is another variant, when the virus could not establish a connection to its C&C server. In this case, Npsk uses so-called ‘offline key’. This key is the same for everyone and can be determined by security researchers (it has already been found for many previous versions of STOP ransomware).
Npsk ransomware tries to encrypt as many files as possible, therefore it encrypts files quickly. Even files located on external drives and cloud storage are not safe. If at the time of file encryption these disks are connected to the computer, then all data on them will also be encrypted. Of course, it does not encrypt Windows system files, as this will cause the computer to stop working. In addition to files located in system directories, Npsk virus does not encrypt files with the extension ‘.bat, .sys, .dll, .lnk, .ini’ and the filename ‘_readme.txt’. All other files on the victim’s computer will be encrypted. So files of the following types can be encrypted:
.m4a, .cdr, .dazip, .xpm, .mef, .wgz, .srf, .esm, .odc, .epk, .layout, .wp5, .py, .p7b, .vtf, .2bp, .wpe, .t12, .x, .rb, .zi, .odm, .ybk, .ws, .big, .xyw, .xlgc, .eps, .xlsm, .webp, .wmd, .1st, .wdb, .crw, .cfr, .dng, .itdb, .wbm, .fsh, .snx, .ibank, .doc, .pdf, .zdc, .itm, .pef, .xlsx, .db0, .wps, .sr2, .xlsb, .wdp, .sav, .kdb, .svg, .hkdb, .rgss3a, .xll, .sidn, .xdb, .xdl, .rofl, .zip, .xlsm, .cr2, .wpg, .jpe, .xy3, .docx, .pfx, .psk, .zdb, .accdb, .wpd, .xar, .3fr, .slm, .bkf, .mp4, .raf, .upk, .webdoc, .wire, .wsh, .bkp, .pptm, .xmmap, .wsd, .wbd, .mpqge, .xls, .arw, .mdbackup, .xxx, .wpa, .xf, .crt, .sum, .der, .xbplate, .forge, .wmo, .yml, .wn, .txt, .1, .menu, .gdb, .wav, .vpk, .xlk, .odb, .pem, .png, .sis, .ysp, .m2, .d3dbsp, .asset, .yal, .kf, .xls, .zabw, .wmv, .p12, .zw, .rar, .re4, .wpw, .bik, .zif, .ncf, .ptx, .wm, .css, .lvl, .x3f, .lbf, .js, .map, .vcf, .x3d, .litemod, .wbk, .gho, .bc7, .jpg, .icxs, .mrwref, .zip, .pst, .arch00, .xbdoc, .ff, .jpeg, .ltx, .tax, .wmf, .x3f, .wma, .dmp, .wri, .sql, .dbf, .mdb, .ods, .mcmeta, .kdc, .mddata, .bar, .itl, .wbmp, wallet, .psd, .pak, .iwi, .blob, .srw, .nrw, .wpb, .wp6, .ntl, .mov, .wp7, .xmind, .wcf, .cas, .wbc, .apk, .y, .mlx, .bc6, .raw, .lrf, .rwl, .qdf, .0, .wb2, .wot, .iwd, .wmv, .qic, .w3x, .ai, .pptx, .flv, .wpd, .ztmp, .wsc, .docm, .p7c, .avi, .rim, .rtf, .fpk, .bay, .pkpass, .wma, .vfs0, .xld, .rw2, .xlsx, .z, .wpt, .vdf, .xwp, .3ds, .dxg, .hkx, .xml, .wp4, .syncdb, .3dm, .cer, .sie
The filename of each encrypted file will be changed, the virus will append ‘.npsk’ at the end of its filename. This means the following, if the file was called ‘document.doc’, then after encryption it will be renamed to ‘document.doc.npsk’. In each folder where the virus encrypted one or more files, it drops a file with the name ‘_readme.txt’.
This file contains a message from Npsk authors, in which they report that the files on the victim’s computer were encrypted and the only possible way to decrypt them is to buy a key and a decryptor. Criminals demand $490 from the victim, if the victim does not pay the ransom within 72 hours, then the size of the ransom doubles to $980. Attackers offer the victim to decrypt one small file for free to confirm the possibility of decrypting .npsk files. Obviously, if the criminals were able to decrypt one file, then this does not guarantee that after receiving the ransom they will give the victim the key and the decryptor.
Threat Summary
Name | Npsk ransomware |
Type | Filecoder, Crypto virus, Crypto malware, File locker, Ransomware |
Encrypted files extension | .npsk |
Ransom note | _readme.txt |
Contact | helpdatarestore@firemail.cc, helpmanager@mail.ch |
Ransom amount | $490/$980 in Bitcoins |
Detection Names | Trojan.GenericKD.42870227 (B), Win32/Kryptik.HCDO, Win32.Trojan.Kryptik.GXB5PG, Ransom.Stop, BehavesLike.Win32.Generic.bc, Ransom:Win32/STOP.BS!MTB, Ransom.STOP!8.10810 (CLOUD), Trojan.Win32.Z.Stop.726016, UDS:DangerousObject.Multi.Generic |
Symptoms | Your files fail to open. Your personal files have a wrong name, suffix or extension, or don’t look right when you open them. Files named such as ‘_readme.txt’, ‘READ-ME’, ‘_open me’, _DECRYPT YOUR FILES’ or ‘_Your files have been encrypted” in every folder with an encrypted file. Ransom note displayed on your desktop. |
Distribution methods | Phishing email scam that attempts to scare users into acting impulsively. Drive-by downloads (ransomware virus can infect the PC system simply by visiting a web page that is running malicious code). Social media posts (they can be used to trick users to download malware with a built-in ransomware downloader or click a misleading link). Malicious web pages. |
Removal | To remove Npsk ransomware use the Npsk virus removal guide |
Decryption | Npsk File Decrypt Tool |
Criminals scare every victim saying that the files cannot be decrypted without a key and decryptor. Unfortunately this is true, the contents of the files cannot be unlocked otherwise. In any case, a key and a decryptor are needed.
But we have good news, there is a free Npsk File Decrypt Tool. This decryptor is created by Emsisoft and allows everyone to decrypt files that were encrypted with any version of STOP (Djvu) ransomware. Since Npsk is one of the variants of this ransomware, this decryptor is also suitable for decrypting .npsk files. Unfortunately, so far you can decrypt files only in those cases when they were encrypted with an offline key.
How to remove Npsk and Decrypt .npsk files
If you find that your computer is infected with Npsk ransomware virus and your files are encrypted, then you need to perform certain actions that will allow you to remove the ransomware and decrypt the affected files. Below we provide instruction that are divided into several steps that need to be completed one by one. It is important that before decrypting or recovering files, you must be sure that Npsk ransomware is completely removed. In order not to miss anything, we recommend that you open this instruction on your smartphone or print it.
How to remove Npsk ransomware
The first thing you should do before decrypting or recovering files is to scan your computer for malware. This step cannot be skipped, because if Npsk virus is not completely removed from the computer, it will continue its malicious actions. In order to find all malware components and remove them from the computer, we recommend using free malware removal tools. The best option is to first update your antivirus and perform a full scan, then use the free malware removal tools listed below to check your computer and remove the found malware. It is advisable to use not one malware removal tool, but two or more, so you will significantly increase the chance of malware detection.
Run Zemana Free to remove Npsk ransomware
Zemana Anti-Malware (ZAM) can locate all kinds of malicious software, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Npsk crypto virus, you can easily and quickly uninstall it.
- Zemana Anti Malware (ZAM) can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
Zemana AntiMalware
164107 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- Once you have downloaded the installation file, make sure to double click on the Zemana.AntiMalware.Setup. This would start the Zemana AntiMalware (ZAM) installation on your personal computer.
- Select install language and click ‘OK’ button.
- On the next screen ‘Setup Wizard’ simply click the ‘Next’ button and follow the prompts.
- Finally, once the installation is finished, Zemana will open automatically. Else, if doesn’t then double-click on the Zemana Anti Malware (ZAM) icon on your desktop.
- Now that you have successfully install Zemana Free, let’s see How to use Zemana Anti Malware (ZAM) to remove Npsk virus from your computer.
- After you have started the Zemana, you’ll see a window similar to the one below, just click ‘Scan’ button to detect crypto malware.
- Now pay attention to the screen while Zemana scans your computer.
- After finished, Zemana AntiMalware will open a list of found items. Once you have selected what you want to remove from your PC system click ‘Next’ button.
- Zemana AntiMalware (ZAM) may require a reboot system in order to complete the Npsk ransomware virus removal process.
- If you want to permanently delete ransomware from your computer, then click ‘Quarantine’ icon, select all malware, adware, potentially unwanted software and other threats and press Delete.
- Restart your personal computer to complete the ransomware virus removal procedure.
Remove Npsk with MalwareBytes Anti Malware
If you are having problems with the Npsk removal, then download MalwareBytes AntiMalware (MBAM). It is free for home use, and scans for and removes various unwanted software that attacks your PC or degrades computer performance. MalwareBytes Anti-Malware can remove adware, PUPs as well as malware, including ransomware and trojans.
- MalwareBytes can be downloaded from the following link. Save it directly to your Microsoft Windows Desktop.
Malwarebytes Anti-malware
326460 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- At the download page, click on the Download button. Your internet browser will display the “Save as” dialog box. Please save it onto your Windows desktop.
- After downloading is done, please close all apps and open windows on your computer. Double-click on the icon that’s named mb3-setup.
- This will start the “Setup wizard” of MalwareBytes AntiMalware onto your computer. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes Free will run and show the main window.
- Further, click the “Scan Now” button to perform a system scan with this utility for the Npsk ransomware virus and other security threats. This process can take some time, so please be patient. While the utility is checking, you can see count of objects and files has already scanned.
- When the scan get finished, a list of all items found is created.
- Make sure to check mark the threats which are unsafe and then click the “Quarantine Selected” button. Once disinfection is finished, you may be prompted to restart the personal computer.
- Close the AntiMalware and continue with the next step.
Video instruction, which reveals in detail the steps above.
If the problem with Npsk is still remained
The Kaspersky virus removal tool (KVRT) is free and easy to use. It can detect and remove ransomware virus such as Npsk, malware, spyware, trojans, worms, PUPs and adware. KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the computer.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is complete, double-click on the KVRT icon. Once initialization procedure is done, you will see the Kaspersky virus removal tool screen as shown in the figure below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button . Kaspersky virus removal tool application will scan through the whole PC for the Npsk ransomware and other malware. This task can take some time, so please be patient.
After the system scan is complete, you may check all items found on your system as shown below.
Next, you need to click on Continue to start a cleaning process.
How to decrypt .npsk files
Files with the extension .npsk are encrypted files. The only way to decrypt them is to have a pair – the key and the decryptor. Criminals demand a ransom for the key and decryptor. But there is absolutely no guarantee that upon receiving a ransom, the attackers will allow the victim to unlock the encrypted files. Therefore, security experts do not recommend paying a ransom. Moreover, payment of ransom pushes criminals to create new variants of rasomware.
Fortunately, a group of security experts who investigated STOP (Djvu) ransomware created a free decryptor. And since Npsk virus is part of STOP (Djvu) family, this decryptor can be used to decrypt .npsk files.
To decrypt .npsk files, use “Npsk File Decrypt tool”:
- Go to the following link to download Npsk File Decrypt tool.
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
So far, this decryptor can only decrypt files encrypted with an offline key. If files are encrypted with an online key, then they cannot be decrypted. The reason for this is that the so-called ‘online keys’ are in the hands of criminals.
This does not mean that if your files are encrypted with an online key, then their contents are lost forever. Fortunately, there are several ways to recover encrypted files. These methods do not involve the use of decryption and therefore can be used in any case, regardless of what type of key the files were encrypted.
How to find out which key was used to encrypt files
Below we show two ways to help you determine what type of key was used to encrypt your files. This is very important, since the type of key determines whether it is possible to decrypt .npsk files. We recommend using the second method, as it is more accurate.
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the Npsk virus used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Npsk ransomware virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
What to do if STOP (Npsk) decryptor says “No key for New Variant offline ID”
If during decryption of .npsk files the decryptor reports No key for New Variant offline ID, then this means the following: your files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers, in this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data. It is impossible to say exactly when the ‘offline key’ will be determined. Sometimes it takes several days, sometimes more. We recommend that you try to decrypt .npsk files from time to time. You can also use alternative ways listed below for recovering encrypted data.
What to do if STOP (Npsk) decryptor says “No key for New Variant online ID”
If, when you try to decrypt .npsk files, the decryptor reports No key for New Variant online ID, then this means that your files are encrypted with an ‘online key’ and their decryption is impossible, since only the Npsk authors have the key necessary for decryption. In this case, you need to use alternative methods listed below to restore the contents of encrypted files.
How to restore .npsk files
Fortunately, there are several simple ways that give everyone a chance to recover the contents of encrypted files. The methods presented below can help in cases when a free decryptor cannot decrypt .npsk files or when files are encrypted with an online key. We want to remind everyone, if you have not completed step 1, then return to it. Before you start recovering encrypted files, you should check your computer for malware, find and remove all Npsk components. We recommend using free malware removal tools.
Recover .npsk files with ShadowExplorer
An alternative to decrypting files is to recover encrypted files from their Shadow copies. Shadow Volume Copies are copies of files and folders that Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing photos, documents and music that were encrypted by Npsk virus. The guide below will give you all the details.
Download ShadowExplorer by clicking on the link below.
438809 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After downloading is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown on the image below.
Double click ShadowExplorerPortable to start it. You will see the a window similar to the one below.
In top left corner, choose a Drive where encrypted files are stored and a latest restore point like below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to restore, right click to it and select Export as on the image below.
Restore .npsk files with PhotoRec
Another alternative method is to use data recovery programs. We suggest you pay attention to the program called PhotoRec. This program has all the necessary features for searching and restoring files and it is free.
Download PhotoRec from the following link.
After the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed on the screen below.
Double click on qphotorec_win to run PhotoRec for Windows. It will show a screen as displayed on the image below.
Choose a drive to recover as displayed in the figure below.
You will see a list of available partitions. Choose a partition that holds encrypted files as displayed below.
Click File Formats button and select file types to recover. You can to enable or disable the recovery of certain file types. When this is done, click OK button.
Next, press Browse button to choose where restored files should be written, then press Search.
Count of restored files is updated in real time. All recovered photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is complete, press on Quit button. Next, open the directory where recovered personal files are stored. You will see a contents as shown on the screen below.
All recovered personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your personal computer from Npsk ransomware
Most antivirus programs already have built-in protection system against the ransomware. Therefore, if your system does not have an antivirus application, make sure you install it. As an extra protection, run the HitmanPro.Alert. HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Installing the HitmanPro.Alert is simple. First you will need to download HitmanPro Alert on your Windows Desktop by clicking on the link below.
Once the download is done, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. After the tool is launched, you’ll be shown a window where you can select a level of protection, such as the one below.
Now press the Install button to activate the protection.
Finish words
This article was created to help all victims of Npsk virus. We tried to give answers to the following questions: how to remove ransomware; is there a Free Npsk File Decrypt tool; how to decrypt .npsk files; how to recover files, if the decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this article has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Npsk related issues, go to here.