Nibiru ransomware (Virus Removal Instructions) - Free Guide

by Lucia Danes - - 2020-10-13 | Type: Ransomware

Nibiru virus Removal Guide

Description Quick solution Instructions Prevention

What is Nibiru ransomware?

Nibiru ransomware – data-locking malware that threatens to crash the infected computers if ransom is not paid

Nibiru ransomware Nibiru ransomware is a file locking virus that asks for $4.5 million ransom

Nibiru ransomware is a malicious program designed to encrypt all personal data on the computer and the connected networks and then demand ransom for its return. Once inside the system, it encrypts all personal pictures, videos, documents, archives, and other files by using a combination of AES + RSA encryption algorithms, which also appends a .Nibiru extension in the process. Victims can no longer access these files and require a unique key that only cybercriminals who deployed the ransomware have access to.

Once the encryption is complete, the Nibiru virus does not provide a text-based ransom note (like it is typical for other strains) but instead locks the screen of all the infected machines. There, users can see a message from the attackers – it claims that $4.5 million ransom needs to be paid to recover the locked data. For communication purposes, malicious actors also provide an email cyberwars@protonmail.com. They also claim that the decryption key required for file recovery will be deleted after 52 hours of the infection.

Name	Nibiru ransomware
Type	Ransomware, cypro-virus, file locking virus
Malware family	Stupid ransomware
Related	Nibiru.exe, iIbj7C5GiR0xGUkk.exe
Extension	Files appended with .Nibiru extension, e.g., “picture.jpg” is turned into “picture.jpg.Nibiru”
Ransom note	There is no ransom note file delivered. Instead, users are presented with a lock-screen titled “Form2” – it prevents any interaction with the Windows operating system
Contact	cyberwars@protonmail.com
File recovery	If no backups are available, recovering data is almost impossible. Nonetheless, we suggest you try the alternative methods that could help you in some cases – we list them below
Malware removal	Perform a full system scan with powerful security software, such as SpyHunter 5Combo Cleaner. Since the infection locks the screen, you should access Safe Mode with Networking as explained below and then perform a scan from there
System fix	Malware can seriously tamper with Windows systems, causing errors, crashes, lag, and other stability issues after it is terminated. To remediate the OS and avoid its reinstallation, we recommend scanning it with the FortectIntego repair tool

Nibiru ransomware belongs to the category of data-locking malware specializing in encrypting corporate networks and servers – a tactic known as “Big Game Hunting.” These threats are typically operated by large-scale cybercriminals and focus on bigger ransoms rather than the smaller ones, unlike regular consumer-focused threats such as Foqe.

Since the malware targets companies rather than regular users, it is highly likely that the threat is propagated via the following methods:

Remote Desktop (RDP) connections that are open to the internet
Targeted phishing emails
Exploits and vulnerabilities.^[1]

Before locking data, cybercriminals snoop around the network and move laterally, obtaining the credentials of relevant Windows accounts. During this time, they also extract various sensitive information/files and transfer them to a remote server. Only then Nibiru virus is deployed.

Once inside, it modifies the Windows registry and deletes Shadow Copies to prevent a quick data recovery – it infects the whole network and encrypts all files located on the connected computers. As a result, these files obtain .Nibiru extension and can no longer be accessed.

Nibiru file virus developers have a very straightforward approach when it comes to the payment. They do everything to ensure that victims would be persuaded to pay the ransom. The lock screen contains several threats about data decryption – crooks say that trusting them is the only option to recover files, and, if the ransom is not paid on time, they will publish the collected sensitive information, which will also ruin the company's reputation and cost millions of dollars to recover from.

Nibiru ransomware is a type of computer infection that targets corporations and businesses and then locks all data on the networked computers

Malicious actors also say that if the ransom is not paid within 52 hours, the decryption key will be permanently deleted:

YOU HAVE BEEN HACKED

All your files,documents,important datas,mp4,mp3 and anything valuable
to you are encrypted with powerful military grade Ransomware/Doxware.
We can be mean,dangerous if you dont't follow our instructions on time.
We are right at the heart of your servers and we have already transfered
Terabytes of your datas to our serves.We will leak it online if your dont
pay us $4.5 Million of Bitcoin within 52 hours.

Don't let them deceive you,incase you are looking for shortcut to get
decryption key elsewhere.NO SOLUTION ELSE WHERE.If you don't
respond on time.We will cause physical damage to all your networks
by crashing your computers,Internet and power shutdown,Stuxnet
and BlackEnergy Malware included.HELP YOURSELF by following
the instructions below and contact us immediately.

Cyberwars@protonmail.com

Click to Hide Details

FOLLOW THE FOLLOWING STEPS:
1)You can contacts us first via
Cyberwars@protonmail.com
2)Look for Bitcoin services online and signup
3)Get $4.5 Million worth of Bitcoin
4)Pay within 52 hrs or you pay 3x after
5)You pay to Bitcoin Address that we will give
you through the email above
6)Once You pay,you get the KEY to decrypt files.

Enter Your Key

Click To View Content

THE FOLLOWING ARE BOUND TO HAPPEN
IF YOU TAKE THIS WITH LEVITY……….
1)Key to decrypt data/files will forever be lost
2)We are going to release your Confidential
documents,Company secrets,your shady deals
to the whole world
3)Customer info/details/contact will be leaked
4)You will loose over $ 100 million because of
downtime and total shutdown
5)Individual and Companies will sue your ASS
6)YOUR REPUTATION WILL BE OVER.

Cybersecurity experts^[2] do not recommend paying a ransom, and instead, use alternative recovery methods we provide below. However, it is important to perform Nibiru ransomware removal before the file recovery can be successful, as the virus will continue to encrypt the incoming files. Besides, if the malware is not deleted, access to a machine is impossible due to the lock screen.

It is important to note that the malware affects several parts of the Windows operating system, e.g., it disables the Task Manager. These changes might be difficult to reverse, so we recommend using FortectIntego repair software after you remove Nibiru ransomware virus from the infected computers. To do that, you should disconnect each of the machines from the network, access Safe Mode with Networking, and then launch a scan with SpyHunter 5Combo Cleaner, Malwarebytes, or another powerful security software.

Recover .Nibiru files washout paying criminals

Although cybercriminals are using scare tactics to may victims pay, it is important to note that this malware strain is relatively new, the sum that is being asked for is huge, and there is still no guarantee that .Nibiru file decryptor will be delivered once the ransom is paid.

Instead of communicating with the attackers, you should use backups to recover .Nibiru files. If no backups were retained or were encrypted during the infection process, there are very few options to retrieve all data successfully. Nonetheless, you can try the following methods:

Using third-party recovery software;
Trying built-in Windows restore points.

For the above to work, malware must fail to delete Shadow Volume Copies, however, which does not happen that often.

Since Nibiru ransomware focuses on attacking corporations and harvests sensitive details that might contain corporate secrets, some victims might be inclined to pay to remove .Nibiru extension and prevent a data breach.^[3] As noted, this is quite risky, as the ransomware developers ask for $4.5 million in Bitcoin.

.Nibiru files can not easily be recovered if the backups were locked

Use powerful anti-malware to remove Nibiru ransomware

The first issue that users might encounter during Nibiru ransomware removal is the lock screen. Since the virus disables the Task Manager, it is impossible to shut it down or use any other Windows features. To bypass this functionality, you should access Safe Mode with Networking and scan the device with SpyHunter 5Combo Cleaner, Malwarebytes, or another anti-malware to ensure that all the malicious components are deleted fully.

Before you attempt to remove Nibiru ransomware virus from each of the machines, you should disconnect them from the network to ensure that infection would not spread repeatedly. Experts also advise using PC repair tools such as FortectIntego if the infection managed to damage some Windows system files, and some of the infection damage could not be reverted with security software. Finally, recover .Nibiru files by using backups or following our recovery instructions below.

Offer

do it now!

Download
Fortect Happiness
Guarantee Download
Intego Happiness
Guarantee

Compatible with Microsoft Windows Compatible with macOS

What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.

Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Fortect review | Terms of Use | Privacy policy | Refund Policy | Uninstall guide

Alternative Software

Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.

Download SpyHunter 5 Review »

Malwarebytes

Alternative Software

Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Download Combo Cleaner Review »

Getting rid of Nibiru virus. Follow these steps

Manual removal using Safe Mode

Since the malware uses a lock screen which does not allow to access the PC, you should enter Safe Mode with Networking:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment.

Windows 7 / Vista / XP

Click Start > Shutdown > Restart > OK.
When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

Right-click on Start button and select Settings.
Scroll down to pick Update & Security.
On the left side of the window, pick Recovery.
Now scroll down to find Advanced Startup section.
Click Restart now.
Select Troubleshoot.
Go to Advanced options.
Select Startup Settings.
Press Restart.
Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
Click on More details.
Scroll down to Background processes section, and look for anything suspicious.
Right-click and select Open file location.
Go back to the process, right-click and pick End Task.
Delete the contents of the malicious folder.

Step 3. Check program Startup

Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
Go to Startup tab.
Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

Type in Disk Cleanup in Windows search and press Enter.
Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
Scroll through the Files to delete list and select the following:

Temporary Internet Files
Downloads
Recycle Bin
Temporary files
Pick Clean up system files.
You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

%AppData%
%LocalAppData%
%ProgramData%
%WinDir%

After you are finished, reboot the PC in normal mode.

Remove Nibiru using System Restore

System Restore can also help to delete malware from the system:

Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
1. Click Start → Shutdown → Restart → OK.
2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
3. Select Command Prompt from the list
Windows 10 / Windows 8
1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
1. Once the Command Prompt window shows up, enter cd restore and click Enter.
2. Now type rstrui.exe and press Enter again..
3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Nibiru. After doing that, click Next.
4. Now click Yes to start system restore.
Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Nibiru removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Nibiru from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Nibiru, you can use several methods to restore them:

Recover your data

Data Recovery Pro might sometimes help your retrieve at least some of your files

In some cases, third-party recovery software can recover some files that were locked by a ransomware virus.

Download Data Recovery Pro;
Follow the steps of Data Recovery Setup and install the program on your computer;
Launch it and scan your computer for files encrypted by Nibiru ransomware;
Restore them.

Windows Previous Versions Feature can help to recover files one-by-one

If the Nibiru files virus failed to remove Shadow Copies, you might be able to recover some files.

Find an encrypted file you need to restore and right-click on it;
Select “Properties” and go to “Previous versions” tab;
Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might help

ShadowExplorer could automate the recovery process if malware failed to operate correctly during the infection stage.

Download Shadow Explorer (http://shadowexplorer.com/);
Follow a Shadow Explorer Setup Wizard and install this application on your computer;
Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor is currently available.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Nibiru and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.

Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection.

About the author

Lucia Danes - Virus researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions

References

^ Vulnerability (computing). Wikipedia. The free encyclopedia.
^ Lesvirus. Lesvirus. Cybersecurity news and malware insights.
^ Ransomware incidents should be treated as data breaches and immediately disclosed. Emsisoft. Security blog.