Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Aug 2019

How to remove Nasoh ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Julie Splinters · Anti-malware specialist

Nasoh ransomware is malware that enters host computers to encrypt all personal files

Nasoh ransomware

Nasoh ransomware is a cyberthreat that users can get infected with after opening a malicious spam email attachment, getting tricked by a fake update, using cracks/keygens or other ways. Soon after the installation, the malicious software engages in heavy Windows system modification to enable its full potential.

After that, Nasoh ransomware begins the file encryption process with the help of AES or another sophisticated cipher and appends .nasoh extension to every picture, video, music, document, etc. For that point, victims are unable to open and use any data on their PCs. Cybercriminals behind the malware want to make it clear to users of what happened, so a ransom note _readme.txt is dropped into every single affected folder where the locked files are located.

Hackers explain to users that all personal files on their computers have been locked, and the only way to retrieve them is by paying Nasoh virus developers $980/$490 in Bitcoin. Crooks also leave contact information – gorentos@bitmessage.ch, gorentos2@bitmessage.ch – these emails have been unchanged for the past few versions (Nacro, Krusop, Mogranos, and others) of the STOP/Djvu ransomware family.

Name Nasoh
Type Rasnomware
Infection Spam email attachments or links, fake updates, software cracks, web injects, exploits, etc.
Symptoms Files appended with an extension and unusable, a ransom note displayed which asks to pay a particular sum of money
File extension .nasoh
Ransom note _readme.txt
Contact gorentos@bitmessage.ch, gorentos2@bitmessage.ch, @datarestore (Telegram)
Termination Use anti-malware such as FortectIntego or SpyHunterCombo Cleaner
File recovery STOPDecrypter [download link] might be able to retrieve some of the files.

Note that Nasoh ransomware might be capable of bringing secondary payloads into the infected machine. In the past, some STOP variants like Promorad or Kroput were noticed to drop a banking trojan AZORult. Therefore, Nasoh ransomware removal is vital to ensure that no other threats are also present on your device.

As soon as the virus locks all files, it drops the following ransom note for victims. Looking at the message, it seems that crooks are trying to encourage Nasoh ransomware victims to pay the ransom in Bitcoin as soon as possible – they even offer a 50% discount:

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-dIIHZji8hl
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
gorentos@bitmessage.ch

Reserve e-mail address to contact us:
gorentos2@firemail.cc

While there is no universal Nasoh ransomware decryption tool that would work for every victim, recovering data without having backups or paying criminals is still possible. STOPDecrypter is a specially-crafted software by independent security researcher Michael Gillespie that allows victims to recover files for free if:

  • Nasoh did not manage to contact its Command & Control server – the malware then encrypts data using a hard-coded key;
  • The host computer was not connected to the internet during file encryption process.

Nasoh ransomware virus

However, in most of the cases, the malware manages to perform the encryption as intended and also deletes Shadow Volume Copies,[1] preventing easy recovery. In such a case, restoring data becomes a difficult task, although third-party recovery solutions might help some users. Nevertheless, before proceeding to use these tools, users should first remove Nasoh ransomware from their computers in order to prevent the reoccuring encryption.

To get rid of Nasoh ransomware, you will have to employ an anti-malware tool. We recommend using FortectIntego or SpyHunterCombo Cleaner, although you can choose another software, as long is it is reputable (do not download cracked versions of security applications – they might be infested with malware!).

Do not download software cracks and be wary of email attachments

There are multiple ways of how ransomware can enter the machine. In most of the cases, hackers try to infect as many users as possible – these infections are mostly random. Nevertheless, some malware samples are known to first check for the keyboard layout before proceeding. Most of the time the ex-Soviet and Russian-speaking languages are excluded (for example, Sigrun), although the same principle is used to perform targeted attacks. If the virus detects the predetermined list of the keyboard layouts, it exists without causing any harm. Nevertheless, those who do get affected might suffer significant losses.

The most common ransomware infection methods include exploits, spam email, fake updates, software cracks, hacked sites, repacked installers, etc. Security experts[2] recommend following these simple security guidelines to avoid the devastating consequences of ransomware infection:

  • Pick reputable sources for your downloads – even when it comes to free software;
  • Do not download pirated software or cracks/keygens;[3]
  • Before opening any type of questionable executable, check it with anti-malware software or tools like Virus Total;
  • Patch your operating system and the installed software with security updates;
  • Enable ad-blocking application or extension;
  • Turn off Adobe Flash auto-run feature;
  • Only download software updates from official sites and never trust random pop-ups claiming your software is outdated;
  • Use strong passwords for all your accounts and never reuse them;
  • Backup your files regularly!

Get rid of Nasoh ransomware and only then proceed with file recovery

Nasoh virus might modify Windows hosts file to prevent users from visit predetermined sites that relate to computer security as well as websites that host links to anti-malware tools downloads. In such a case, performing Nasoh ransomware removal is only possible by accessing Safe Mode with Networking – a secure environment where the operation of malware would be temporarily disabled. Then, perform a full system scan using anti-malware software like FortectIntego or another tool.

Nasoh ransomware encrypted files

Once you remove Nasoh ransomware, you can retrieve your data via backups, try out STOPDecrypter or make use of third-party recovery software. Please find all the detailed instructions on how to perform all these steps below.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.