How to remove NW24 ransomware

Discovered by Jakub Kroustek, NW24 ransomware is file-encrypting malware that belongs to the Dharma ransomware family. The malware encrypts files and adds the a long file extension consisting of the victim’s ID and [newhelper24@protonmail.ch].NW24.

NW24 ransomware is file-encrypting malware that belongs to the notorious Dharma malware family. It’s a serious malware infection that can leave files encrypted permanently. Once it’s initiated, it will target documents, videos, photos, etc., encrypt them, add the [newhelper24@protonmail.ch].NW24 extension and drop a FILES ENCRYPTED.txt ransom note. Once files are encrypted, users will be unable to open them until they use a specific decryptor, which will be sold to victims by the operators of this ransomware. The note does not specify the ransom sum victims need to pay to get the decryptor but it will likely range between $100 and $1000. However, whatever the sum is, paying the ransom is never recommended.

First of all, users need to keep in mind that they are dealing with cyber criminals who are not likely to feel any kind of obligation to help victims recover files. Many users in the past sent their money but received a faulty decryptor , or didn’t receive one at all. Furthermore, when users pay, they’re essentially encouraging cyber crooks to continue their criminal activity because they get profits from it.

The only certain way to get files back is via backup. Ransomware is one of the reasons why regularly backing up files is so important. Had victims backed up files prior to file encryption, they could simply delete NW24 ransomware and then recover files without issues.

Malware researchers do release free decryptors to help victims recover files but it does not happen for every ransomware. And users should be very careful about decryptors because there are many fake ones that would infect the computer with even more malware. NoMoreRansom is one reliable source for decryptors. For example, it has a decryptor for the Dharma ransomware.

Ransomware distribution

In many cases, users pick up malware infections because of bad habits, such as carelessly opening email attachments, pirating via torrents, clicking on unsafe ads on high-risk websites, not installing updates, etc.

Spam emails are one of the most common ways users pick up ransomware. All they need to do is open a malicious attachment, enable macros, and the malware can initiate. In most cases, the emails carrying malware are fairly obvious because they’re full of grammar and spelling mistakes, are sent from nonsense email addresses while claiming to contain important documents, and strongly pressure users to open the attachment. In general, users should be very careful with unsolicited emails and not rush into opening the attachments before making sure they are safe. Users should first scan email attachments with anti-malware software or VirusTotal before opening them.

All kinds of malware could also be encountered on torrent sites and forums offering software cracks. Because many torrent sites are not regulated properly, cyber criminals can easily disguise their malware as legitimate content, such as a popular movie or game. Users are discouraged from pirating because that is essentially stealing copyrighted content, but if they insist on doing it, they should at least be very careful about it.

Installing updates on a regular basis is also very important because those updates patch known vulnerabilities that malware can use to get into a computer. Users should enable automatic updates whenever possible.

What does the ransomware do?

As soon as the ransomware is initiated, it will start encrypting files. Like we said above, the malware mostly targets important files that users would be most willing to pay for. Once the encryption process is complete, affected files will have an extension added to them. The extension would contain the victim’s ID and [newhelper24@protonmail.ch].NW24. For example, photo.jpg would become photo.jpg.victim id.[newhelper24@protonmail.ch].NW24. All files with this extension will be unopenable until they are decrypted. A ransom note FILES ENCRYPTED.txt will also be dropped. There is also a pop-up ransom note that explains that files have been encrypted and that the only way to decrypt them is to use their decryption tool.

The note asks that victims send an email to newhelper24@protonmail.ch with their ID. Their answer would likely contain how much victims need to pay to get the decryptor. However, as we mentioned above, paying is not recommended.

Here is one of the ransom notes:

YOUR FILES ARE ENCRYPTED
Don’t worry,you can return all your files!
If you want to restore them, follow this link:email newhelper24@protonmail.ch YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail:newhelper@cock.li
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

For victims who do not have backup, an option would be to backup encrypted files and wait for malware researchers to release a free decryptor. While it’s not a guarantee that one will be released, it could happen. However, users should be very careful about where they get their decryptors from as there are many fake ones.

NW24 ransomware removal

It is strongly recommended to use anti-malware software to remove NW24 ransomware. Ransomware is a complicated treat and users should not attempt to get rid of it manually unless they are sure about what they’re doing. Otherwise, they could end up doing even more damage.

Once users delete NW24 ransomware, they can start file recovery from backup. Users should not access the backup while the ransomware is still present because files in backup could become encrypted as well.