Severity scale: 97/100

Remove Nakw ransomware (Removal Instructions) - Oct 2019 update

Removal guide by Lucia Danes | Type: Ransomware

Nakw ransomware – the 177th version of Djvu ransomware that mainly spreads via software cracks


Nakw ransomware is a file-locking virus that employs the RSA encryption algorithm to lock all data on the host machine and marks it with the .nakw extension. First spotted by security researcher Michael Gillespie,[1] the threat appears to be the 177th version of the notorious Djvu ransomware – one of the most prevalent file-locking malware strains currently in the wild.

Nakw virus, just as the previous variants, mostly employs software cracks placed on torrent sites to spread – this is why it is so effective (Djvu accounts for more than 55% of worldwide ransomware infections among regular computer users). After the infiltration, it engages in the manipulation of some Windows registry files, deletion of Shadow Volume Copies, and other necessary preparations for the file encryption process.

After that, Nakw ransomware places a _readme.txt file into all folders where the affected data is located – it serves as a note from the attackers. Unlike other malware, ransomware does not hide its presence post-infection and instead tries to convince victims to pay a ransom of $490 or, later, $980 in Bitcoin for software that could decrypt all the .nakw files. For communication purposes, the hackers provide the email addresses gorentos@bitmessage.ch and gerentosrestore@firemail.cc.

Name: Nakw ransomware
Type: Cryptovirus, ransomware
Spotted by: This malware was first discovered by a cybersecurity researcher named Michael Gillespie who posted his findings on social network Twitter
Family: Nakw virus belongs to the Djvu ransomware and STOP ransomware families
Extension: Once files are locked, the ransomware virus appends the .nakw extension to each video, audio, text and other file types
Cipher: Cybercriminals employ RSA encryption cipher to lock up all data that is found on the infected Windows computer and all the connected networks/external devices
Ransom note: The _readme.txt ransom message is placed in each folder that holds encrypted data
Ransom: Hackers ask for $490 if the ransom is transferred within 72 hours. After that, decryption software price goes up to $980
File decryption: There are few methods that might be able to help you recover your data without paying criminals:

Unfortunately, STOPDecrypter no longer works

Termination: Use robust anti-virus software to detect all malicious malware components on your Windows computer
Virus damage recovery solution: Quite often, AV engines get rid of malware but fail to fix corrupted system files. Due to this, you might start experiencing various issues or even have to reinstall Windows. To prevent that, use PC repair tool Reimage or Reimage Cleaner

Nakw ransomware tries to scare people that their data files have been locked with a strong encryption cipher, and the only way to recover them is by purchasing the decryption tool directly from the developers. For a convincing look, the hackers provide a video link regarding the decryption key's existence and also encourage users to send them one small file for free decryption in order to provide proof that the decryptor truly works and can be purchased from them.

Additionally, Nakw ransomware offers a 50% discount from $980 if the victim transfers the money within three days. However, if the money is transferred later than 72 hours, the user has to pay the full price. Also, the criminals provide two email addresses through which they can be reached: salesrestoresoftware@firemail.cc and salesrestoresoftware@gmail.com:

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-IbdGyCKhdr
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
salesrestoresoftware@firemail.cc

Reserve e-mail address to contact us:
salesrestoresoftware@gmail.com

Nakw ransomware uses a module that allows the cyber threat to launch automatically whenever the computer is turned on. Most of the files that have been dropped by this malware end up in these locations on the Windows computer:

  1. %Temp%.
  2. %AppData%.
  3. %Local%.
  4. %LocalLow%.
  5. %Roaming%.

In addition, Nakw ransomware might launch specific processes that scan the computer system at regular intervals (for example, every 30 minutes) and search for files that could be encrypted, i.e., newly added ones. Furthermore, the ransomware virus will try to complicate the decryption process for victims by deleting Shadow Volume Copies using PowerShell commands.

Also, the ransomware will damage the hosts file on your Windows PC to prevent you from entering security-related websites. So, once you complete Nakw ransomware removal, do not forget to eliminate the hosts file. Otherwise, access might remain blocked. Use security software to eliminate the threat and then try employing Reimage or Reimage Cleaner, which might help you fix the damage that was done during the malware attack.
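The hosts-file tampering described above can be reviewed before the file is deleted or reset. The following is an added example, not code from the original article: it parses hosts content and lists every non-default mapping. The sample entries and .example domains are constructed, and it assumes the blocking is done by pointing site names at loopback or 0.0.0.0.

```python
import ipaddress
import os

# Names a default hosts file may legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample; the .example domains are placeholders, not real IoCs.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       av-vendor.example www.av-vendor.example
0.0.0.0         update.av-vendor.example
203.0.113.7     forum.security-blog.example
"""

def audit_hosts(text):
    """Return (line_no, ip, hostname, verdict) for every non-default mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # strip comments and padding
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], "", "malformed"))
            continue
        for host in fields[1:]:
            host = host.lower()
            if host in LOCAL_NAMES:
                continue
            # Assumption: a site name pinned to loopback or 0.0.0.0 is a block;
            # any other address silently sends the name somewhere else.
            sinkhole = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, str(ip), host,
                             "blocked" if sinkhole else "redirected"))
    return findings

if __name__ == "__main__":
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    if os.path.exists(path):
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS                        # fall back to the sample
    for finding in audit_hosts(text):
        print(finding)
```

Any "blocked" or "redirected" entry you did not add yourself is a candidate for removal once the malware has been cleaned up.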

Nakw ransomware is a notorious malware strain that uses the RSA cipher to lock up files and marks them with the .nakw extension

However, Nakw ransomware might be capable of much more. This malicious infection makes the system vulnerable to other cyberattacks and might result in the infiltration of other viruses. For example, STOP ransomware versions are known for distributing the AZORult trojan horse, so this variant might also not be an exception. Receiving a trojan on your PC would result in data theft, monetary losses, software damage, and similar negative effects.

You should remove Nakw ransomware from your Windows system if you want to succeed in data recovery in the upcoming future. There is a chance of retrieving your files with the help of Emsisoft's tool for offline decryption cases; additionally, you can also try using data recovery software, as it might be successful in some cases.

The distribution process of ransomware

Ransomware infections sneak into the system by tricking users or by abusing insufficient security precautions, such as weak passwords and other configuration settings used in Remote Desktop connections (RDP).

This means that cybercriminals break into RDP services, such as those exposed on TCP port 3389, that have weak passwords or no protection at all. Afterward, they remotely connect to the targeted computer system and can execute the malicious payload. However, this is not the only technique used by cybercriminals.

Additionally, hackers are very likely to distribute ransomware via email spam campaigns. They pose as reliable shipping companies (FedEx/DHL) and claim to provide “order information.” Afterward, these people might try to encourage you to click on an infected link or open a malicious attachment.

Also, the crooks might place the malicious payload in P2P networks such as The Pirate Bay, eMule, or other torrent services. This way, the ransomware gets delivered through software cracks that are downloaded from third-party links. 

Other ransomware distribution sources might include exploit kits, fake software updates, outdated software, trojans, and other methods.

Security tips for avoiding ransomware and data encryption

You always have to be aware of your computer and online security, as dangerous cyber threats can be lurking anywhere on the Internet. You should practice the following safety precautions if you want to avoid as many computer infections as possible:

  1. Install reliable antivirus protection that includes as many safety features as possible.
  2. Keep all of your products and services regularly updated.
  3. Avoid third-party networks that are flagged as unsafe.
  4. Download products/services only from reliable developers and websites.
  5. Sort through all of your email messages and instantly delete all suspicious-looking ones.
  6. Scan every suspicious email attachment with an AV tool.

File security is also something to be concerned about. You should make sure that you always hold backups of important documents in case ransomware strikes. Purchase a portable USB drive or another remote device and copy data to it. Furthermore, ensure that you keep it unplugged from your machine when it is not in use; otherwise, the ransomware virus might target the data on the device if it is connected to the infected computer during the malware attack.

Data recovery possibilities for .nakw files

Nakw virus - ransomware that might use vulnerable RDP configuration to enter the targeted machine

Even though Emsisoft has released a decryption tool for various Djvu/STOP ransomware variants, it helps only with those versions that were released before the start of August this year.[2] Nakw ransomware is a cyberthreat that uses the RSA encryption cipher and was released at the end of October, so it can only sometimes be decrypted with Emsisoft Decryptor for STOP Djvu, which works only if the hardcoded key was used for the encryption process, i.e., the virus failed to contact its C&C server.

However, there is still no need to pay the ransom as you might spend a lot of money on a tool that might not even be sent to you. Cybercriminals only care about their own needs, and some of them are very likely to scam the victims and provide them with no decryptor even after the payment.

Rather than risk paying Nakw ransomware developers, you should try some other data recovery methods. We have provided three possible options at the end of this article. Also, you can try using DrWeb's offered Rescue Pack that includes decryption software (works for only certain file types) and 2 years of anti-malware protection.[3]

Removal tips for Nakw ransomware virus

The best way to get rid of the Nakw virus is to use automated removal tools. Employing reliable anti-malware is a necessary step here if you want to proceed with the process correctly and safely.

Manual Nakw ransomware removal is something that should not be practiced by regular users, as the malware heavily modifies various system files and settings – recovering them to the original state manually is rather difficult. Thus, use anti-malware software and perform a full system scan. Be aware that some Djvu virus variants also dropped additional modules or payloads on the system, so there is a chance that Nakw ransomware is not the only malware present on your computer.

According to experts from Virusai.lt,[4] it is important to remove Nakw ransomware first before looking for data recovery possibilities. If you leave any malicious objects on the computer system, the malware might launch itself at every computer startup, and the encryption will be repeated all over again.
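To confirm that encryption has actually stopped after removal, and to scope what needs restoring, the .nakw files and _readme.txt notes named in this article can be inventoried. This is an added example, not part of the original guide; the function name and report layout are illustrative, and it assumes a file's modification time reflects when it was encrypted.

```python
import os
import sys

EXT = ".nakw"          # extension named in this article
NOTE = "_readme.txt"   # ransom note name named in this article

def inventory(root, since=0.0):
    """Summarise encrypted files and ransom notes under root.

    since: epoch seconds of the previous scan (or of the clean-up); any
    encrypted file modified after it means encryption is still running.
    """
    folders, total, newest, new_since = {}, 0, 0.0, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            if low != NOTE and not low.endswith(EXT):
                continue
            info = folders.setdefault(dirpath, {"originals": [], "note": False})
            if low == NOTE:
                info["note"] = True
                continue
            full = os.path.join(dirpath, name)
            info["originals"].append(name[:-len(EXT)])   # name before encryption
            total += 1
            try:
                mtime = os.path.getmtime(full)
            except OSError:
                continue                                 # unreadable; keep going
            newest = max(newest, mtime)
            if mtime > since:
                new_since.append(full)
    return {"total": total, "folders": folders,
            "newest_mtime": newest, "new_since": sorted(new_since)}

if __name__ == "__main__":
    # Usage: python inventory.py <folder> [epoch_of_previous_scan]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    since = float(sys.argv[2]) if len(sys.argv) > 2 else 0.0
    report = inventory(target, since)
    print("encrypted files:", report["total"])
    for folder, info in sorted(report["folders"].items()):
        print(f"{folder}: {len(info['originals'])} encrypted, note={info['note']}")
    print("modified since previous scan:", len(report["new_since"]))
```

Run it once after the anti-malware scan and again later with the first run's time as the second argument; a non-empty "modified since previous scan" count means something on the machine is still encrypting files.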


To remove Nakw virus, follow these steps:

Remove Nakw using Safe Mode with Networking

Activate Safe Mode with Networking to disable the ransomware virus.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Nakw

    Log in to your infected account and start the browser. Download Reimage, Reimage Cleaner or another legitimate anti-spyware program. Update it before a full system scan and remove the malicious files that belong to the ransomware to complete Nakw removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Nakw using System Restore

Turn on System Restore to deactivate the malware. Use the below-provided steps to succeed in this task.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Nakw. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download Reimage or Reimage Cleaner, scan your computer with it, and make sure that Nakw removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Nakw from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Nakw, you can use several methods to restore them:

Use Data Recovery Pro to restore some data.

If your files and documents were locked with this suspicious tool, you can try recovering some of them with the help of this software.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Nakw ransomware;
  • Restore them.

Employ Windows Previous Versions feature to recover some files/documents.

Use this product to recover some encrypted data. However, check if you have enabled system restore in the past.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Using Shadow Explorer might allow you to reverse some files back to their previous states.

Employ this software to recover some encrypted data. However, keep in mind that this tool might not work if the ransomware virus eliminated Shadow Volume Copies of encrypted documents/files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Try Emsisoft's decrypter for Nakw ransomware

Recovery software might not be helpful in quite a few ransomware cases. Nevertheless, Djvu variants are known to fail to contact the remote server relatively often, and then perform the encryption using an offline key. If that is the case, you might be successful in recovering data with Emsisoft Decryptor for STOP Djvu.

Additionally, if you are willing to pay, Dr.Web offers decryption service – you can check the offer of Rescue Pack here.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Nakw and other ransomware, use a reputable anti-spyware tool, such as Reimage, Reimage Cleaner, SpyHunter 5, Combo Cleaner or Malwarebytes.

About the author

Lucia Danes - Virus researcher
