Remove Nefartanulo ransomware and recover files


Nefartanulo ransomware is a file-encrypting malware that adds the .nefartanulo@protonmail.com file extension to affected files.


Nefartanulo ransom note

Nefartanulo ransomware, discovered by malware analyst Karsten Hahn, is file-encrypting malware based on the Hidden Tear open-source project. It is a serious infection that can cause a lot of damage. It infects via the usual methods, which are explained in detail later on, encrypts files, adds the .nefartanulo@protonmail.com file extension, and demands that users buy a decryption tool to recover the encrypted files. It’s a fairly typical ransomware and is practically identical to many others.

When files are encrypted, a ransom note HOW_TO_RECOVER_ENCRYPTED_FILES.txt is dropped on the computer, and it explains that files have been encrypted and that the only way to recover them would be to use a special decryption tool offered to victims by the operators of this ransomware. The price for the decryption tool is not specified in the note but it supposedly depends on how quickly victims contact them. However, paying the ransom is rarely recommended.

Users who have a backup can start recovering files as soon as they delete Nefartanulo ransomware from their computer. For users who have no backup, there is a possibility that a free decryptor will be able to decrypt the files. Ransomware researcher Michael Gillespie, who has helped many people recover files for free in the past, has asked victims of Nefartanulo ransomware to contact him for free decryption.

How does ransomware spread

Most ransomware use more or less the same distribution methods, including system vulnerabilities, torrents, software cracks and spam emails.

It’s essential that users regularly install updates in order to prevent ransomware from using vulnerabilities to infect a system. Vulnerabilities are discovered all the time and they are patched with updates, which, if not installed, could lead to a malware infection. Whenever possible, users should always enable automatic updates as that takes the hassle out of installing them manually. However, if users do update something manually, they should get the updates from legitimate sites. Many sites display fake update notifications, which could lead to malware.

Pirating via torrents and downloading software cracks are also two ways users commonly get ransomware. Torrent sites and forums are largely unregulated so it’s easy to disguise malware as a popular movie, episode of a TV series, game, software, etc. If users insist on pirating, they should at least make sure they are downloading safe content.

Spam emails remain one of the most common ways ransomware is distributed. Thousands of email addresses are purchased from hacker forums for the purpose of launching spam email campaigns that spread malware. To avoid an infection, users should be careful about which email attachments they open. Before opening any unsolicited email attachment, users should carefully inspect the email for mistakes, check the sender’s email address, and most importantly, scan the attached file with anti-malware software or VirusTotal.

Can you recover Nefartanulo ransomware files

As soon as the ransomware is initiated, it will start encrypting files. Like all ransomware, it targets files like photos, videos, documents, etc., mostly files users find most important to them. All encrypted files will have the .nefartanulo@protonmail.com file extension added to them (e.g. image.jpg.nefartanulo@protonmail.com). Once the encryption process is complete, a ransom note HOW_TO_RECOVER_ENCRYPTED_FILES.txt is dropped.

Here is the full note:

YOUR FILES ARE ENCRYPTED!

Your personal ID

All your files have been encrypted due to a security problem with your PC.
To restore all your files, you need a decryption.
If you want to restore them, write us to the e-mail nefartanulo@protonmail.com.

In a letter to send Your personal ID (see In the beginning of this document).
You have to pay for decryption in Bitcoins.
The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.

In the letter, you will receive instructions to decrypt your files!

In a response letter you will receive the address of Bitcoin-wallet, which is necessary to perform the transfer of funds.
HURRY! Your personal code for decryption stored with us only 72 HOURS!

Our tech support is available 24 \ 7
Do not delete: Your personal ID
Write on e-mail, we will help you!

Free decryption as guarantee
Before paying you can send to us up to 1 files for free decryption.
Please note that files must NOT contain valuable information and their total size must be less than 5Mb.
When the transfer is confirmed, you will receive interpreter files to your computer.
After start-interpreter program, all your files will be restored.

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders are not compatible with other users of your data, because each user’s unique encryption key

The note claims that the only way to recover files is to send the crooks behind this ransomware an email (to nefartanulo@protonmail.com) and pay the requested sum. While the ransom sum is not disclosed in the note and would only become clear if victims contact them, it will likely be at least $500. But fortunately, paying is not necessary nor would it be recommended. When it comes to ransomware, there is no way of knowing whether victims will actually be sent a decryptor, as the people behind the ransomware are cyber criminals who are unlikely to feel any kind of obligation to help.

But as we said, it appears that free decryption is available for those who do not have a backup. They should contact the malware researcher mentioned above to get the free Nefartanulo ransomware decryptor. Be careful about downloading it from anywhere else.
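Before restoring from backup, a responder needs an inventory of what was hit. The following Python script is an added example, not part of the original article or of any vendor tool: it walks a directory read-only and lists files carrying the extension and the ransom note named above, and works out each file's original name; the sample tree it builds is constructed test data.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: the appended extension and the note name.
ENCRYPTED_SUFFIX = ".nefartanulo@protonmail.com"
RANSOM_NOTE = "HOW_TO_RECOVER_ENCRYPTED_FILES.txt"


def triage(root):
    """Walk `root` read-only and inventory Nefartanulo artefacts.

    Returns (encrypted, notes): `encrypted` maps each encrypted file to the
    path it had before encryption (suffix stripped), `notes` lists ransom
    notes. Nothing on disk is touched, so the evidence stays intact.
    """
    encrypted, notes = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted[path] = path.with_name(name[: -len(ENCRYPTED_SUFFIX)])
    return encrypted, notes


def summarize(root):
    """Counts a responder needs when planning a restore from backup."""
    encrypted, notes = triage(root)
    by_type = {}
    for original in encrypted.values():
        ext = original.suffix.lower() or "(no extension)"
        by_type[ext] = by_type.get(ext, 0) + 1
    return {"encrypted": len(encrypted), "notes": len(notes), "by_type": by_type}


def build_sample():
    """Constructed sample tree imitating an affected profile (test data only)."""
    root = Path(tempfile.mkdtemp())
    (root / "Pictures").mkdir()
    for rel in ("Pictures/image.jpg", "Pictures/trip.png", "report.docx"):
        (root / (rel + ENCRYPTED_SUFFIX)).write_bytes(b"\x00ciphertext")
    (root / "notes.txt").write_text("untouched")  # a file the malware skipped
    (root / RANSOM_NOTE).write_text("YOUR FILES ARE ENCRYPTED!")
    (root / "Pictures" / RANSOM_NOTE).write_text("YOUR FILES ARE ENCRYPTED!")
    return root


if __name__ == "__main__":
    print(summarize(build_sample()))
```

Run it against a copy of the affected user profile; the per-type counts tell you which backup sets to pull, and the original-name mapping tells you which files to verify after the restore.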

Nefartanulo ransomware removal

To remove Nefartanulo ransomware, users should use anti-malware software. This is a complex piece of malware so users should not attempt to manually delete Nefartanulo ransomware, as they could do even more damage.

Nefartanulo ransomware is detected as:

  • HEUR:Trojan-Ransom.MSIL.Agent.gen by Kaspersky
  • Ransom.FileCryptor by Malwarebytes
  • Trojan:Win32/Ymacco.AA6F by Microsoft
  • Win32:Trojan-gen by AVG
  • A Variant Of Generik.JDJPZGC by ESET