Severity scale:  

Remove Al-Namrood ransomware / virus (updated Apr 2017) - Virus Removal Instructions

removal by Julie Splinters - - | Type: Ransomware

New versions of Al-Namrood virus strike victims in 2017

When Al-Namrood virus appeared on the Internet, few might have expected that it will remain long in the competitive race among ransomware creators. Hackers tend to name ransomware according to their interests, and this time they chose to denominate their virus using Saudi-Arabian black metal music band’s name[1]. There have been already several cases of similar file-encrypting viruses:, NoobCrypt, or Jigsaw ransomware. Speaking of Al-Namrood ransomware origins, it is believed to be developed by the same ransomware gang that created all Apocalypse ransomware variants. There are a couple of versions that were originated from Al-Namrood initial version, for example, Al-Namrood 2.0, also versions that hardly differ from each other but provide different contact details. For example, one ransomware suggested contacting criminals via Jabber XMPP messaging service –, also email addresses –,, Therefore, each new ransomware possesses more complex features making the threat more invincible. However, if this cyber menace has befallen you, no need to panic as you can remove Al-Namrood quickly. We recommend speeding up the procedure with Reimage. Before you run any malware removal programs, check out Al-Namrood removal instructions given below this post.

Questions about Al-Namrood ransomware virus

Following the tradition of typical file-encrypting malware, the current virus is suspected of using the same channels of distribution. Once it successfully infiltrates the device [2], it starts sneakily looking for a broad range of files. It tends to corrupt files with these file extensions:

1cd, dbf, dt, cf, cfu, mxl, epf, kdbx, erf, vrp, grs, geo, st, pff, mft, efd, 3dm, 3ds, rib, ma, sldasm, sldprt, max, blend, lwo, lws, m3d, mb, obj, x, x3d, movie.byu, c4d, fbx, dgn, dwg, 4db, 4dl, 4mp, abs, accdb, accdc, accde, accdr, accdt, accdw, accft, adn, a3d, adp, aft, ahd, alf, ask, awdb, azz, bdb, bib, bnd, bok, btr, bak, backup, cdb, ckp dsk, dsn, dta, dtsx, dxl, eco, ecx, edb, emd, eql, fcd, fdb, fic, fid, fil, fm5, fmp, fmp12, fmpsl, fol, fp3, fp4, fp5, fp7, fpt, fpt, fzb, fzv, gdb, gwi, hdb, his, ib.

Note by Al-Namrood ransomware virus
Researcher shows the ransom note left by Al-Namrood ransomware.

Therefore all your valuable documents, audio, video and image files are threatened by this virtual menace. With the help of traditionally employed AES encryption algorithm, the ransomware quietly encodes the files. As a result, you cannot access them, and you might spot that they bear one of the following extensions: .namrood, .access_denied, .unavailable, .disappeared. As usual in the ransom note, which can be dubbed Read_Me.txt or Decrypt_me.txt, cyber criminals instruct victims to pay the money in exchange of their locked data. However, we do not recommend paying any money to cyber criminals, at least not until you try Al-Namrood decryption tools created by malware analysts. Paying the ransom should be the very last option when dealing against ransomware attack, and only if losing the files lead to disastrous consequences at work or elsewhere. Remember that cybercriminals do not even have to provide you with the decryption software – it’s up to them, and the fact that you paid the ransom doesn’t really evoke sense of mercy for them.

Update December 2016: new version makes an appearance

Al-Namrood 2.0 ransomware virus struck the virtual world quite recently. It follows the manner of its predecessor to lock your personal data with AES-256 algorithm [3]. The essence of this encryption technique lies in running several cycles of block ciphers. Therefore, even a change of one number results in a completely different decryption key. Crooks take an advantage of this feature and threaten the victims to pay 10 BTC which equal to 6000 USD [4]. Such ridiculous demanded amount of money should ward off any considerations to transfer the money. The crooks indicate email –  – for public communication purposes. However, it is futile to hope that you will return the files even if you dear to pay 10 bitcoints. Proceed to the elimination steps. 

Update April 2017: Al-Namrood 2.0 virus uses different email, new attack vectors expected

Al-Namrood isn’t one of the most prominent viruses so far, however, it slowly evolves and every now an then we notice new versions of it. Recently, our experts spotted a ransomware that was dubbed virus. Samples of this malware were spotted in April, and they were adding a long string to filenames of encrypted data. Here is an example of what the name of the encrypted file consists of [original_filename].ID-[8 random characters+victim’s country code[].[14 random characters]. Apparently, the ransomware injects the contact email address in the new file extension and also corrupts the original filename. Just like the previous version, this one spreads via RDP attacks and spam. However, considering that ransomware distributors managed to hijack ad networks and push malware to victims via popular software such as Skype lately[5] (see – Skype virus), we strongly recommend users to be careful and not to click on suspicious ads that pop up in front of your eyes as you browse the Internet. Be extremely cautious and do not agree to install shady software updates, because that’s how ransomware distributors tricked dozens of victims into installing ransomware on their computers lately[6].

Ways of distribution 

Al-Namrood malware follows the tradition of other notorious ransomware which confirmed their status in the cyber world, therefore it spreads using traditional techniques such as spam, malvertising, and others such as RDP attacks (it tends to target servers that have remote desktop services enabled). If you’re familiar with RDP services, make sure you use strong password for them, keep all your software up-to-date and ideally, create data backups every once in a while.

Speaking of spam, we must say that hackers might be using users‘ personal data acquired from fraudulent browser hijackers and adware to address victims directly. Clearly, spotting an email with your name mentioned in it instantly boosts up your curiosity. However, reviewing the infected attachment might open the Pandora box: you might accidentally activate not only Al-Namrood hijack but also allow various smaller viruses to enter the device. In this case, exercise caution and attention while surfing through your emails. You can always verify the sender on your own by calling the company that the email allegedly comes from, or look for information about the sender online using search engines. 

How quickly can I get rid of Al-Namrood ransomware?

When it comes to this malware, we encourage victims to save time and shift to automatic Al-Namrood removal. You can perform it with the help of Reimage or Malwarebytes. Either one of another utility will help you battle the ransomware and completely eradicate it. Only when you remove Al-Namrood virus completely, you can think about the possible options of data recovery. In this regard, you can use our recommendations. Lastly, avoid using torrent sharing websites as they happen to be a frequent haven of file-encrypting malware. In addition, avoid opening the spam attachments if you are not sure if the email is fake or the real one. Reviewing new applications‘ reviews might come in handy before installing them as well.

do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with SpyHunter 5.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove Al-Namrood virus, follow these steps:

Remove Al-Namrood using Safe Mode with Networking

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Al-Namrood

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Al-Namrood removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Al-Namrood using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Al-Namrood. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Al-Namrood removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Al-Namrood from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Al-Namrood, you can use several methods to restore them:

The benefits of Data Recovery

You might use this tool to recover some of your files. It also comes in handy locating and repairing damaged files.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Al-Namrood ransomware;
  • Restore them.

How does Windows Previous Versions feature work?

This feature works only if System Restore is enabled [7]. After that, carefully go through each file and access the previous copy of your file.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Is Shadow Explorer an alternative?

It is not known whether the ransomware gets access to volume shadow copies. They are the copies of your files generated by the system. Therefore, the software helps to restore the files according to these patterns which were created by the operating system.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Use Al-Namrood decryption tool

Emsisoft researchers successfully cracked Al-Namrood ransomware and this decrypter helps to recover files locked by several Al-Namrood versions. You can find a guide on how to use it here.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Al-Namrood and other ransomwares, use a reputable anti-spyware, such as Reimage, SpyHunter 5Combo Cleaner or Malwarebytes

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions


Removal guides in other languages

  1. CaineTroop says:
    September 30th, 2016 at 5:41 am

    Al-Namrood rocks!

  2. anonymoushacker says:
    September 30th, 2016 at 5:42 am

    Poor attempt.

  3. DiDragon says:
    September 30th, 2016 at 5:42 am

    Folks, what about the decrypter?

  4. jenniferEel says:
    September 30th, 2016 at 5:44 am

    Cyber enforcement institutions need to do something about this ransomware outbreak.

Your opinion regarding Al-Namrood ransomware virus