Npph ransomware is yet another file-encrypting malware from the Djvu/STOP ransomware family. The group is notorious for releasing new versions on a regular basis, with 251 versions currently known. Npph encrypts files, adds the .npph file extension and drops a _readme.txt ransom note.
Npph ransomware is malware that locks files and demands that users pay $980 for file decryption. Ransomware is one of the most dangerous types of malware, as file encryption may be permanent in many cases. Once files have been encrypted, the only way to decrypt them is by using special decryption software, which the cyber crooks behind this ransomware will try to sell to victims. However, buying it is not recommended because there are no guarantees that the decryptor will work, or even that it will be sent. These are cyber crooks users are dealing with, and it’s doubtful they feel obligated to help victims, even after they have paid. Numerous times in the past, users have been left without a decryptor and without their money.
While it is possible that a free decryptor will be released in the future by malware researchers and cybersecurity specialists, backup currently is the only way to recover files for free. If users backed up files before the ransomware entered, files should be recoverable, as long as the malware is gone when users connect to their backup. If ransomware still remains, files in the backup may become encrypted as well.
Users should be cautious when searching for free decryptors on the Internet because there are many fake ones. There is also a trend to disguise malware as ransomware decryptors. Users should only trust legitimate sources like NoMoreRansom or Emsisoft to provide safe decryptors.
How does ransomware spread?
Users’ bad browsing habits usually lead to malware. Those habits include opening unsolicited email attachments without first checking them, downloading torrents/software cracks, and clicking on ads while on high-risk websites.
Opening unsolicited emails is one of the common ways victims pick up ransomware. Users open malicious email attachments without double-checking that they’re safe, and the ransomware is then initiated. Users whose email addresses have leaked in the past and been sold on hacking forums usually receive these malicious emails. But if users pay attention, they should be able to easily differentiate between them and legitimate emails. The first thing users should check is who the sender is. If the sender claims to be from some legitimate company or organization but has a random email address, it’s likely that you are dealing with a scam. Random email addresses look unprofessional at the best of times, thus no legitimate company will ever have them. The second thing users should look out for is grammar and spelling mistakes. Malicious and spam emails usually have loads of mistakes, which immediately give them away. But it should be mentioned that some spam emails are more sophisticated than others, which is why it’s a good idea to always scan unsolicited email attachments with anti-virus software or VirusTotal.
Torrents and forums offering pirated copyrighted content often have malware disguised as popular movies, TV shows, games, software, etc. They are often unregulated, meaning malware distributors can easily upload their malware. Users are likely already aware that by pirating, they are not only stealing content but also putting their computers/devices in danger.
Interacting with advertisements when on high-risk websites could also easily lead to a serious infection. When visiting certain sites that are known to have low-quality, potentially dangerous ads, it’s best to have anti-virus and adblocker enabled.
What does Npph ransomware do?
When this ransomware is initiated, it will immediately start encrypting files. Like all ransomware, it mainly targets files like photos, videos, documents, etc., as those are usually the most important files for users. Files that have been encrypted will have the .npph file extension added to them. The extension helps users identify which specific ransomware they are dealing with. As soon as the file encryption process is complete, the ransomware will drop a _readme.txt ransom note. The note looks identical to the notes dropped by other Djvu/STOP ransomware versions. It explains that all encrypted files can be recovered, provided victims are willing to pay for a decryptor. The note explains that in order to purchase the decryptor, victims need to pay $980, or $490 if they make contact with the cyber criminals behind this ransomware within 72 hours.
Here is the full Npph ransomware ransom note:
Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
However, paying is not necessarily a good idea. Users should be aware that there are no guarantees that a decryptor would work, or even that it would be sent. Unfortunately, countless times in the past, users have been left with no money and no decryptor. But there currently is no other way to decrypt files.
Currently, the only free way to recover files is from backup. If users have backed up files before they got encrypted, they can access their backup as soon as they remove Npph ransomware from their computers. If the ransomware is still present, this could lead to backed up files becoming encrypted as well.
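Before connecting or restoring from a backup, it helps to know which folders were hit and whether the backup itself already contains encrypted copies. The following read-only scan is an added example, not part of the original article or any vendor tool; it relies only on the indicators described above (the .npph extension, the _readme.txt file name and phrases from the note), and the sample tree it builds is constructed data.

```python
import os
import tempfile

ENCRYPTED_EXT = ".npph"    # extension named on this page
NOTE_NAME = "_readme.txt"  # ransom note file name named on this page
# Phrases quoted from the note on this page; two hits separate it from an ordinary readme.
NOTE_MARKERS = ("you can return all your files",
                "purchase decrypt tool and unique key", "your personal id")

def is_ransom_note(path, min_hits=2):
    """True if the file is named _readme.txt and contains note phrases."""
    if os.path.basename(path).lower() != NOTE_NAME:
        return False
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read(8192).lower()
    except OSError:
        return False  # unreadable file: report nothing rather than guess
    return sum(marker in text for marker in NOTE_MARKERS) >= min_hits

def scan(root):
    """Walk root read-only; return (encrypted_files, ransom_notes), sorted."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(full)
            elif is_ransom_note(full):
                notes.append(full)
    return sorted(encrypted), sorted(notes)

def build_sample_tree():
    """Constructed sample data: one renamed file, one note, one benign readme."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "docs/report.docx.npph": "constructed placeholder content",
        "docs/notes.txt": "ordinary file",
        "docs/_readme.txt": "you can return all your files!\nYour personal ID:\n",
        "_readme.txt": "Project readme, nothing suspicious.",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    enc, notes = scan(build_sample_tree())
    print(f"{len(enc)} encrypted file(s), {len(notes)} ransom note(s)")
```

Point `scan()` at a mounted backup or a user profile folder; an empty result for a backup means none of these indicators were found in it, not that the machine itself is clean.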
Npph ransomware removal
Users should only try to delete Npph ransomware with anti-malware software. Otherwise, they could end up doing even more damage. Anti-malware software should be able to take care of everything, and users can then access their backup. And if users start using anti-malware software with ransomware protection, it would stop future ransomware attacks without files becoming encrypted.
Npph ransomware is detected as:
- HEUR:Exploit.Win32.Shellcode.gen by Kaspersky
- Trojan.MalPack.GS by Malwarebytes
- A Variant Of Win32/Kryptik.HGDN by ESET
- TROJ_GEN.R002C0GIH20 by TrendMicro
- ML.Attribute.HighConfidence by Symantec
- Ransom:Win32/STOP.BS!MTB by Microsoft