Remove Nusar Ransomware (.nusar Decryption)

By | Posted on June 28, 2019 |

Nusar ransomware is a hazardous virus with file-locking as its integral part of attack mechanism. The infection with this virus usually commence when user executes malicious attachment from a spam email messages. Though, users can only be blame partly because this malicious mass-mail campaign perpetuated by Nusar authors are cleverly disguising to be coming from a prominent brand or organization, which contains messages that can easily persuade users to open the attach file.

On some instances, Nusar can penetrate a computer when web users interacts with malicious advertising campaign run by cyber crooks to disseminate their ransomware codes. Pop-up advertisements, social engineering modus, deceitful banners, and fake software update are just some set of techniques that Nusar creators are utilizing to persuade users into downloading their executable file.

Once obtained and run, the malware will inject several malicious files on the computer and most of it are placed on System folder that routinely executes through a couple of registry entries. On the final stage of Nusar ransomware attack, the virus searches the computer for target file types and encrypts them with complex algorithm. Infected files can be easily distinguished due to appended .nusar extension. Keep in mind that Nusar does not just rename the data and reversing these changes will never be helpful to regain access. As stated in the ransom note, “The only method of recovering files is to purchase decrypt tool and unique key for you.” This is true especially if malware researchers have yet to create a free decryption tool for .nusar-infected files. See the screenshot image below for ransom note generated by Nusar ransom virus.

The general recommendation of security professionals is to avoid dealing with authors of Nusar ransomware, instead, temporary archive infected files while waiting for the decryption tool. They insist that paying the ransom money will never guaranteed the recovery of files because victims are dealing with cyber criminals that usually flee after receiving the payment.

How to Remove Nusar Ransomware

Ransomware files are placed deeply into the system and on various locations, thus, thorough scanning is vital to totally remove Nusar virus. Aside from our suggested tool, you may also run your own security program.

Though affected files may be impossible to decrypt due to complexity of the encryption, you can still try recovery method like alternative tool, Shadow Explorer or Previous Version as described below.

Stage 1: Scan the Computer with Anti-Malware Tool

1. Download free anti-malware scanner called MalwareBytes Anti-Malware.
Malwarebytes Anti-Malware Download Link (this will open a new window)

2. After downloading, install the program. It may run automatically or you have to double-click on the downloaded file MB3-Setup-[version].exe.

3. Carry out the installation with default setup process.

4. At the last stage of installation process, click the Finish button. The program should launch momentarily.

5. On Malwarebytes Anti-Malware console, select Scan from the menu to see available Scan Method.

6. Next, click on Threat Scan. This is the most complete scan method that will surely find any hidden malicious objects associated to Nusar ransomware.

7. Finally, click on Start Scan begin checking the computer for malware and similar threats.

MBAM-threatscan

8. Once the scan has completed, the tool will display the list of detected threats. Remove all identified malicious items and restart the computer if necessary.

Stage 2: Double-check for Nusar’s leftover with Microsoft’s Malicious Software Removal Tool

1. Download the free scanner called Malicious Software Removal Tool.
Malicious Software Removal Tool Download Link (this will open a new window)

download-msrt

2. The tool automatically checks the operating system and suggest appropriate download version. Click on Download button to begin. Save the file to a convenient location, preferably on Desktop.

3. After downloading the file, Windows will prompt that download has completed. Click Run to start scanning for Nusar ransomware. Another option is to browse the location folder and double click on the file to run.

msrt-icon

4. The tool will display Welcome screen, click Next. Please note the message “This tool is not a replacement for an antivirus product.” You must understand that this program is made specifically to find and remove malware, viruses, Trojans, and other harmful elements on the computer. It was not designed to protect the computer.

msrt1

5. Next, you will see Scan Type. Please choose Full Scan to ensure that all Nusar ransom virus entities and other harmful files left on the computer will be found and removed. For advanced computer user, you can opt for Customized Scan, if there are other drives or folders you wanted to include in this scan.

msrt2

6. Full scan may take a while, please wait for Malicious Software Removal Tool to complete the tasks. However, you may cancel the scan anytime by clicking on the Cancel button.

msrt3

7. After scanning, the tool will reveal all identified threats. There may be other threats that our first scan fails to detect. Please remove/delete all detected items.

8. When removal procedure is complete, you may now close Malicious Software Removal Tool. We hope that Nusar ransomware have been completely deleted from the computer. Please restart Windows to proceed with the normal operation.

Stage 3 : Unlocking files with Nusar Decryption Tool

So far, this Nusar decryption tool works only for files that were encrypted using offline keys. This happens sometimes if the virus is unable to communicate to remote server to obtain unique keys; instead, it will use offline keys when encrypting files. However, there is a little chance of recovering files using this tool due to limited available offline keys that were integrated with this decryption tool.

For additional information (download link, supported versions, instructions) about StopDecrypter, please proceed to ransomware decryption tool archive page.

If you received a message stating that “No keys were found for the following IDs (.nusar)”, please copy and submit the information to the official download page to include your information (log file) and have it archive in case decryption software becomes available.

StopDecrypter Information

We will update this section once the full decryption tool is on hand. In the meantime, please try other options below.

Option 1: Windows Previous Version Tool

Windows Vista and Windows 7 have a feature called Previous Versions. However, this tool is only usable if restore point was made prior to Nusar ransomware infection. To use this tool and recover files affected by the virus, please follow these steps:

1. Open My Computer or Windows Explorer.

2. Right-click on the affected files or folders. From the drop-down list, please click on Restore previous versions.

3. New window will open display all backup copy of files and folders you wanted to recover. Choose the appropriate file and click on Open, Copy, or Restore. Restoring selected files overwrites the current encrypted files on the computer.

Option 2: Use ShadowExplorer to restore files encrypted by Nusar Ransomware

Just like Previous Version tool, ShadowExplorer is taking advantage of shadow copy created by Windows. This tool allows you to retrieve older version of files before it was encrypted by Nusar ransomware.

1. Download ShadowExplorer from the official web site.

2. Install the program with the default settings.

3. The program should run automatically after installation. If not, double-click on ShadowExplorer icon.

4. You can see the drop-down list on top of the console. Please select proper drive and the most recent point-in-time shadow copies of files you wish to restore prior to Nusar ransomware infection.

shadow3

5. Right-click on the Drive, Folder, or File you wish to restore and click Export…

6. Lastly, ShadowExplorer will prompt for location where you want to save the copy of recovered files.

Leave a Reply

Your email address will not be published. Required fields are marked *