If computer files have turned to .npph format, it signifies that computer is infected with a malware from the DJVU or Stop family. Malware researchers dubbed this threat as Npph ransomware. Obviously, the identification was derived from the appended extension. Attacker’s motive for this infection was simply to extort money from computer users by offering the Npph decryption tool and corresponding private key.
Npph Ransomware Spread Campaign
As stated, Npph ransomware have emerges from DJVU family of malware. This new threat is just a remake of previous editions like Geno, Ogdo, and Boop. The spread techniques were adapted from the old releases where attackers are deploying the Npph ransomware code via spam email method. Typically, the virus code is attached to email and masking as usual documents. In order to persuade recipients from opening the attachment file, attackers makes it an appealing one like for example Inquiry, Business Proposal, Price Quotation, and similar. Because majority of email recipients were deceived with this tactic, they ended up executing the Npph ransomware and infecting their precious files.
One more scheme of hackers to successfully deploy Npph ransomware is via pirated software. On this method, the virus is attached to a small file that usually unlocks the limitation of the unregistered apps. It can be key generator, cracking software, or simply serial number archive. Similarly, execution of the said harmful file triggers Npph ransomware to start the attack.
Npph Encryption and Decryption
When this crypto-virus starts the attack, it searches the computer for common user files like documents, spreadsheets, presentations, archives, photos, videos, drawings, databases, and so on. It encrypts them with sophisticated algorithm to be able to deny user’s access. In addition, all infected files will transform into .npph file format, which also disassociates it from the related application. For example, common file abc.docx will become abc.docx.npph after it was encrypted by the virus.
After encrypting the entire targeted files, Npph ransomware informs the victims about the attack through the ransom note _readme.txt. It is stated on the document how user may be able to restore their data including all necessary steps and required payment.
Malware researchers do not propose to pay the attackers as it may only worsen the current situation because they will continue to produce similar viruses and carry on with the attack. According to security experts, archiving the data is the best thing to do while waiting for the official Npph decryption tool.
How to Remove Npph Ransomware
Ransomware files are placed deeply into the system and on various locations, thus, thorough scanning is vital to totally remove Npph virus. Aside from our suggested tool, you may also run your own security program.
Though affected files may be impossible to decrypt due to complexity of the encryption, you can still try recovery method like alternative tool, Shadow Explorer or Previous Version as described below.
To remove Npph automatically, scanning the computer with this efficient anti-malware tool is suggested. This scanner does not just uncover known threats like viruses or malware, it is also effective in discovering hazardous ransomware like Npph.
Step 1 : Scan the Computer with Anti-Malware Tool
1. Download free anti-malware scanner called MalwareBytes Anti-Malware.
2. After downloading, install the program. It may run automatically or you have to double-click on the downloaded file MBSetup.exe.
3. Carry out the installation with default setup process.
4. After the installation process, click the Get Started button to launch the program.
5. Continue with the prompts until the main program opens.
6. On the main console, click on Scan to run most complete detection method to find hidden objects associated to Npph ransomware.
7. Scanning may take a while. Please wait until the anti-malware tool is done with the checking.
8. Once the scan has completed, the tool will display the list of detected threats. Remove all identified malicious items and restart the computer if necessary.
Step 2 : Double-check for Npph's leftover with Microsoft's Malicious Software Removal Tool
1. Download the free scanner called Malicious Software Removal Tool.
2. The tool automatically checks the operating system and suggest appropriate download version. Click on Download button to begin. Save the file to a convenient location, preferably on Desktop.
3. After downloading the file, Windows will prompt that download has completed. Click Run to start scanning for Npph ransomware. Another option is to browse the location folder and double click on the file to run.
4. The tool will display Welcome screen, click Next. Please note the message "This tool is not a replacement for an antivirus product." You must understand that this program is made specifically to find and remove malware, viruses, Trojans, and other harmful elements on the computer. It was not designed to protect the computer.
5. Next, you will see Scan Type. Please choose Full Scan to ensure that all Npph ransom virus entities and other harmful files left on the computer will be found and removed. For advanced computer user, you can opt for Customized Scan, if there are other drives or folders you wanted to include in this scan.
6. Full scan may take a while, please wait for Malicious Software Removal Tool to complete the tasks. However, you may cancel the scan anytime by clicking on the Cancel button.
7. After scanning, the tool will reveal all identified threats. There may be other threats that our first scan fails to detect. Please remove/delete all detected items.
8. When removal procedure is complete, you may now close Malicious Software Removal Tool. We hope that Npph ransomware have been completely deleted from the computer. Please restart Windows to proceed with the normal operation.
Stage 3 : Unlocking files with Npph Decryption Tool
Emsisoft Decryptor for STOP Djvu will work only if affected files were encrypted using Offline Keys. Npph ransomware uses the alternate Offline Keys during encryption if there is a problem encountered while communicating to a remote command-and-control server. Follow the guide to start recovering .npph encrypted files.
1. As precautionary measures, we suggest to BACKUP all your .npph encrypted files first on a separate media (USB Drive, Flash Drive, DVD Discs, etc…).
2. Download Emsisoft Decryptor for STOP Djvu from this archive page.
3. Right-click on decrypt_STOPDjvu.exe and click "Run as Administrator". Windows may prompt "Do you want to allow this app…" just click Yes to continue.
4. By default, the tool will pre-populate the locations where encrypted files were identified. To include other directories, simply click Add Folder button.
5. To start recovering files infected by Npph ransomware, click on Decrypt button to start the procedure. The interface will display status of the current decryption process.
We will update this section once the full decryption tool is on hand. In the meantime, please try other options below if the above procedure is not not effective.
Option 1 : Windows Previous Version Tool
Windows Vista and Windows 7 have a feature called Previous Versions. However, this tool is only usable if restore point was made prior to Npph ransomware infection. To use this tool and recover files affected by the virus, please follow these steps:
1. Open My Computer or Windows Explorer.
2. Right-click on the affected files or folders. From the drop-down list, please click on Restore previous versions.
3. New window will open display all backup copy of files and folders you wanted to recover. Choose the appropriate file and click on Open, Copy, or Restore. Restoring selected files overwrites the current encrypted files on the computer.
Option 2 : Use ShadowExplorer to restore files encrypted by Npph Ransomware
Just like Previous Version tool, ShadowExplorer is taking advantage of shadow copy created by Windows. This tool allows you to retrieve older version of files before it was encrypted by Npph ransomware.
1. Download ShadowExplorer from the official web site.
2. Install the program with the default settings.
3. The program should run automatically after installation. If not, double-click on ShadowExplorer icon.
4. You can see the drop-down list on top of the console. Please select proper drive and the most recent point-in-time shadow copies of files you wish to restore prior to Npph ransomware infection.
5. Right-click on the Drive, Folder, or File you wish to restore and click Export…
6. Lastly, ShadowExplorer will prompt for location where you want to save the copy of recovered files.