NoMoneyNoHoney Ransomware: Delete It and Decrypt Files

A virus that encrypts files, adds nomoneynohoney@india.com as a file extension to them, and then asks for a ransom payoff for the decryption of the files upon contacting the e-mail has been reported to be out in the wild. Malware researchers have dubbed the virus the NoMoneyNoHoney ransomware, and it appears to be one of the notorious XTBL ransomware variants. The malware is very specific in its methods of encryption, attacking only critical files that are often used. Anyone who was infected by the NoMoneyNoHoney ransomware should read this article to learn how to remove NoMoneyNoHoney and then decrypt the files for free.

Infection Methods of NoMoneyNoHoney Ransomware

This variant of the malware can infect user PCs via either a malicious URL or a malicious e-mail attachment. In addition, the malware can spread through social media and suspicious websites, and by posing as a fake key generator or other fake software.

After you have opened the malicious files belonging to NoMoneyNoHoney ransomware, the infection may proceed, depending on the infecting malware. This type of malware is a heavily obfuscated intermediary file that is executed in an obfuscated manner. Once the file has been executed, it immediately either extracts the malicious payload of NoMoneyNoHoney or downloads the payload from a distribution website.

After the payload has been downloaded, it may be located in one of the following Windows folders:

  • %Roaming%
  • %Common%
  • %Startup%
  • %AppData%
  • %Local%

Then, NoMoneyNoHoney deletes the shadow copies of the infected computer, and it may do so without the user noticing by executing the vssadmin command in “/quiet” mode, for example:

vssadmin delete shadows /for=C: /oldest /all /quiet
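
One way to catch the shadow-copy deletion described above in process-creation logs, as an added example that is not part of the original article. The event tuples, host names and PIDs are constructed, and the function names are hypothetical.

```python
import re
import shlex

def parse_vssadmin_delete(cmdline):
    """Return details of a 'vssadmin delete shadows' call, or None."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps Windows backslashes
    except ValueError:                              # unbalanced quote in the log
        tokens = cmdline.split()
    tokens = [t.strip('"') for t in tokens]
    # Locate vssadmin anywhere in the line, so "cmd.exe /c vssadmin ..." is seen.
    for i, tok in enumerate(tokens):
        if re.split(r"[\\/]", tok)[-1].lower() in ("vssadmin", "vssadmin.exe"):
            args = [a.lower() for a in tokens[i + 1:]]
            break
    else:
        return None
    verbs = [a for a in args if not a.startswith("/")]
    if verbs[:2] != ["delete", "shadows"]:          # e.g. "list shadows" is benign
        return None
    switches = dict(a[1:].partition("=")[::2] for a in args if a.startswith("/"))
    return {
        "volume": switches.get("for", "").upper() or None,
        "scope": [s for s in ("all", "oldest", "shadow") if s in switches],
        "quiet": "quiet" in switches,
    }

def flag_events(events):
    """events: iterable of (host, pid, command_line); returns flagged rows."""
    hits = []
    for host, pid, cmdline in events:
        info = parse_vssadmin_delete(cmdline)
        if info:
            # Silent deletion is the pattern the article attributes to the malware.
            info.update(host=host, pid=pid,
                        severity="high" if info["quiet"] else "medium")
            hits.append(info)
    return hits

# Constructed sample events (host, pid, command line); not taken from a real incident.
SAMPLE_EVENTS = [
    ("WS-014", 4312, r"C:\Windows\System32\vssadmin.exe list shadows"),
    ("WS-014", 5120, r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'),
    ("WS-022", 2208, r"cmd.exe /c vssadmin delete shadows /for=C: /oldest /all /quiet"),
    ("WS-031", 1744, r"C:\Tools\backup.exe --delete shadows.bak"),
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit)
```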

In addition to this, the ransomware targets widely used file types and encrypts them as soon as it detects them. The exact number of file types it may encrypt is huge, but most likely the following often used files are encrypted:

  • Videos.
  • Microsoft Word Files.
  • Microsoft Excel spreadsheets.
  • Images.
  • Databases.
  • PowerPoint presentations.

After the files are encrypted, the malware appends its distinctive file extension, including the e-mail address, to hint that the users must contact it for file decryption. Here is the format by which the encrypted files may appear:

{Filename}{original extension}{unique identification numbers and letters}{nomoneynohoney@india.com}.{xtbl}

After the files have been enciphered by the NoMoneyNoHoney ransomware, the virus may perform other activities, such as leaving ransom notifications on the files asking to contact the e-mail, or even changing the wallpaper. Either way, you will know you have been infected.

What to Do If I Am Infected by NoMoneyNoHoney Ransomware

In case you have seen your files encrypted with the extension displayed above, malware researchers recommend seeking your own solution and not paying the ransom. Fortunately, for this specific threat, there is a decryption tool available for free. This is why it is advisable to first remove the NoMoneyNoHoney ransomware from your computer. It is strongly advisable to remove this virus via an advanced anti-malware program for maximum effectiveness.

After removing the malware, we advise you to download a free decryptor and follow the instructions on how to install the decryptor and decrypt your files for free.