Nols ransomware – a recently-discovered file-encrypting threat that appears to be the 173d Djvu ransomware variant

Nols ransomware, found and announced by Michael Gillespie on Twitter,[1] is a ransom-demanding malware that is included as the 173d version of the Djvu ransomware family. The acting principle of this malware is the exact same one as used by its previous siblings: infecting > encrypting > ransom-demanding. Once Nols ransomware infects a particular Windows-based computer, all files, and documents that have been placed on the machine are locked by using unique algorithms such as AES, RSA, or SHA.[2] Afterward, every component ends up with the .nols appendix near to its filename and the _readme.txt ransom message shows up and urges users to transfer a price of $490-$980. If the victim fails to pay the $490 ransom in 72 hours, the price doubles up and people have to empty their pockets even more.
The creators of Nols virus claim that purchasing the decryption tool from them is the only way to properly recover files and any other options are not available and these people even offer to send them 1 small file for free decryption as evidence that the decryption software truly exists. For this purpose, the victims can make contact via gorentos@bitmessage.ch, gorentos2@firemail.cc, or @datarestore Telegram account.
| Name | Nols ransomware |
|---|---|
| Type | Ransomware virus |
| Family | This notorious cyber threat is the 173d version of the Djvu ransomware family that has been releasing new versions in a very fast speed |
| Appendix | Once files and documents on the victim's computer system are locked by this malware strain, the filenames end up with the .nols appendix added |
| Encryption | Hackers use unique encryption algorithms such as AES, SHA, or RSA to lock up files that are found on the infected computer system |
| Ransom note | The dangerous malware places the _readme.txt ransom message on the Windows computer desktop and also adds the message to every folder that includes encrypted files and documents |
| Money demands | Criminals demand $490 as the starter price if the money is transferred in a 3-day time limit. However, if users fail to follow this condition, they will have to pay a doubled price to receive the decryption key |
| Altered locations | Malicious payload can be found in the Windows Task Manager and Registry sections. Besides, the ransomware virus can damage the Windows hosts file to prevent users from accessing security-based forums |
| Additional features | .nols file virus might be capable of eliminating Shadow Volume Copies of encrypted data. Also, the malware can carry AZORult trojan as an additional malicious payload |
| Deletion tip | Use FortectIntego to detect all infected places on your Windows computer. Afterward, continue with the automatical Nols ransomware removal process that is explained at the end of this article |
Nols ransomware can carry a complex module in order to succeed in its tasks at the highest level possible. The malware supposedly damages the Windows hosts file to prevent victims from accessing security-related networks where they might discover handy tips of the malware elimination process or even data recovery. Note that once you have completed the Nols ransomware removal, ensure that you delete the hosts file too or the access will remain blocked.
Continuously, Nols ransomware possibly alters the Windows Registry and Task Manager and fills these locations with bogus files, keys, and processes. Some of them allow the malware to boot itself automatically within each computer startup process, other entries execute the encryption module, and some might allow the ransomware virus to run suspicious processes in the background, e.g. inject other malicious threats.

It is known that STOP/Djvu ransomware viruses carry the AZORult trojan virus. The same thing is valid for Nols ransomware. Be extremely careful while dealing with this threat and do not postpone its removal process as you might end up with additional malware on your computer system. Trojan horses are capable of stealing credentials, private data, corrupting software, and damaging the entire machine and its components.
Remove Nols ransomware as soon as possible once this malware has been spotted operating on your Windows computer system. FortectIntego software should help you to detect all malware-laden strings on your machine. If you want to search for infection signs on your own, they are very accurate. All of your filenames will be slightly modified and the components will remain properly inaccessible. Additionally, you will definitely see this ransom note on your computer screen and also placed in every folder that holds encrypted data:
ATTENTION!
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-514KtsAKtH
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.To get this software you need write on our e-mail:
gorentos@bitmessage.chReserve e-mail address to contact us:
gorentos2@firemail.ccOur Telegram account:
@datarestoreYour personal ID:
Nols ransomware is a very dangerous malware to deal with and needs to be removed instantly. Afterward, you can start thinking about possible data recovery options. Even though no official decryption key has been yet released, you can try purchasing DrWeb's Rescue Pack that offers a decryptor and two years of computer protection. Try out the free decryption tool offered by DrWeb experts and if it works for you, you can buy the whole package for $150.
Do not pay the Nols ransomware developers as you take a big risk of getting scammed. These people urge for huge prices even up to $1000 for the decryption software that you might lose for absolutely nothing. Nevertheless, the malware might delete Shadow Volume Copies of encrypted files by executing Power Shell commands and hardening the data recovery process for victims themselves.
Besides, if you want to prevent possible future attacks from malware such as Nols ransomware, you should take a look at the below-provided paragraphs on malware distribution and prevention. Besides, thinking of ways to secure valuable files also is a necessity here. You can purchase a portable drive such as USB and store copies of important data there. You can also use services that are provided by iCloud or Dropbox.

Ransomware payload can be spread via multiple sources
Malicious payload mostly comes camouflaged, however, in different types of ways regarding the situation and technique promoted to infect potential victims. According to research, cybercriminals usually use these types of methods to infect random people with malware:
- Hacked RDPs. Ransomware developers are known for their ability to hack vulnerable RDP and forcibly enter the administrative password into the computer system. Also, TCP Port 3389 is known as one of the most vulnerable ports.
- Phishing emails. Hackers often pretend to be from reliable shipping companies such as FedEx or DHL and send users messages that include “order confirmation” in the form of a link or attachment but truly is the malicious payload.
- Infected files. Criminals usually use executables, word documents, or similar files to hide the malware in. These components can end up placed on p2p networks,[3] gambling websites, online dating, porn sources, etc. For example, The Pirate Bay that includes proxies worldwide often has the chance of being hacked and filled with malware.
- Other ransomware distribution sources include exploit kits, outdated software, or just fake program updates. The name of Adobe Flash Player is often used for creating fake software updates and tends to trick a big number of users.
Protection possibilities from ransomware viruses
Due to the increasing number of ransomware infections worldwide, it is very important to know how to protect yourself, your computer system and valuable documents from these dangerous malware attacks. So, let's get started.
First of all, ensure that you always have a reliable antimalware product installed on your computer system. Purchase only a reliable tool that includes multiple protective features and will ensure your safety 24/7. Additionally, do not forget to update this program when new upgrades are released or the AV tool might not operate properly without proper updating.
Second, manage all of your emails carefully. Delete everything that falls in the spam section and even erase messages from the inbox place if you were not respecting to receive anything similar recently. Besides, do not open any attached files/documents without scanning them with reputable antimalware software.
Furthermore, avoid visiting unprotected sources that might contain malicious data. If you are ever ready to proceed to some type of third-party page but it gives you a concerning feeling, better close the window and never try it again. The same goes for clicking on ads and links – if they look questionable to you, do not enter them.
Last but not least, you should always keep your software and services updated. Hackers aim to release fake product updates and trick users by pushing upgrades through various third-party sources. If you are ever provided with a program update that you were expecting to receive, look it up on the Web and find some user reviews.
Removal instructions for Nols ransomware + file decryption possibilities
Nols ransomware removal can be performed only by employing automatical software. In addition, you can use the help of FortectIntego, SpyHunterCombo Cleaner, or MalwarebytesMalwarebytes for completing a thorough system scan and identifying all malicious strains and activities. After you receive the malware checkup results, you will get a view on what type of locations need ultimate cleaning.
Do not try to remove Nols ransomware on your own as you might miss some crucial objects. According to experts from NoVirus.uk,[4] if you skip any malicious file or process, the ransomware virus might easily renew itself within the next computer boot process. Complete the elimination before you try to restore data, otherwise, files might get repeatedly encrypted.
Even though .nols files virus is currently undecryptable with official software, there are other alternatives that you can try. For example, the DrWeb Rescue Pack that includes file decryption software and two years of antimalware protection. Continuously, below you will also find a few methods that might appear handy to you.
Was this guide helpful?
Be the first to comment