Nobu ransomware is file-encrypting malware that belongs to the Djvu/STOP ransomware family. It’s a notorious family of ransomware that release new ransomware versions on a regular basis. This one adds the .nobu extension to encrypted files, hence why it’s known as Nobu ransomware.
Nobu ransomware is malware that encrypts files. It comes from the notorious malware family Djvu/STOP, which has released countless versions, such as Weui, Lisp, Sglh, Epor, Vvoa, Agho, and Vpsh. The ransomware will encrypt files that users find most valuable, including photos, videos, and documents. All encrypted files will have .nobu file extension added to them, and users will be unable to open them unless they are first decrypted. The ransom note _readme.txt dropped by the ransomware will explain how users can get the decryptor, and that includes paying a $980 (or $490 if contact is made within 72 hours) ransom. However, users are often discouraged from paying the ransom because there are no guarantees that a decryptor will actually be sent to users. There’s nothing stopping cyber crooks from simply taking the money and not sending a decryptor. And this has happened many times in the past, with users left with both encrypted files and lost money.
To avoid potentially serious consequences, users are encouraged to back up files on a regular basis. If users do have backup for encrypted files, they can start file recovery as soon as they remove Nobu ransomware from their computers. Users should ensure that they fully get rid of the ransomware, as otherwise backed up files may become encrypted as well.
If users don’t have backup, they should back up the encrypted files and wait for a free decryptor to be released. Malware researchers are sometimes able to release free decryptor but it’s not always possible. Because Nobu ransomware uses online keys to encrypt files, a free decryptor cannot be developed at this time. There is a free decryptor for many past Djvu/STOP ransomware versions by Emsisoft but it will not work on new versions that use online keys for file encryption. Nonetheless, one may be released in the future, and it would be posted on NoMoreRansom.
How does ransomware infect computers?
Users who have bad browsing habits are at much higher risk of picking up ransomware or some other malware. Something as simple as opening an unsolicited email attachment or downloading a torrent could lead to an infection. Thus, users who wish to avoid malware should develop better browsing habits.
Opening malspam is one of the most common ways users infect their computers with ransomware. Spammers buy email addresses from hacker forums and use them to send malicious emails containing attachments. Fortunately, those emails are often easy to identify, as long as users don’t rush to open any unsolicited attachments. The first thing users should check is the sender’s email address. If it looks random, it’s probably spam. Grammar and spelling mistakes are also incredibly common in malicious emails, as is the sender pressuring the user to open the attachment. As a precaution, we strongly recommend scanning all unsolicited email attachments with anti-virus software or VirusTotal before opening them in order to make sure they’re safe.
Users who pirate via torrents are risking a malware infection. Cyber crooks take advantage of the fact that the majority of torrent sites are not properly regulated and insert malware into torrents for popular content, including movies, games, TV series, software, etc. The more popular something is, the more likely that a torrent for it will contain malware. Thus, pirating is not only stealing, it’s also dangerous for the computer.
Can Nobu ransomware encrypted files be decrypted?
When ransomware enters the computer and starts encrypting files, it will show a fake Windows Update window to distract users. In the meantime, it will encrypt photos, videos, documents, etc., essentially all files that users value the most. When it’s done, all encrypted files will have .nobu attached to them. For example, image.jpg would become image.jpg.nobu. The ransomware will also drop the standard _readme.txt ransom note, which will explain how users can decrypt files. They are asked to pay $980 for the decryptor, or $490 if they make contact within the first 72 hours. Whether or not they actually offer a 50% discount for the decryptor, paying is not recommended. There are no guarantees that a decryptor will actually be sent to users, as there is nothing obligating them to help users. Furthermore, paying also encourages cyber crooks to continue their malicious activities.
Below is the text from the Nobu ransom note:
Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
Currently, only users who have backup can recover files for free.
Nobu ransomware removal
It’s strongly recommended that users use anti-virus software to delete Nobu ransomware from their computers. Trying to manually remove Nobu ransomware could lead to even more damage. Users who have backup can start file recovery as soon as the ransomware is no longer present.