Severity scale: 99/100

NoobCrypt ransomware virus. How to remove? (Uninstall guide)

Removal by Julie Splinters | Type: Ransomware

NoobCrypt revival brings out new virus versions

NoobCrypt virus is one of those ransomware [1] viruses which seem destructive at first but turn out to be not as malicious under further investigation. The initial virus version appeared in September, but it was quickly taken down by the virus researchers.

Unfortunately, that did not stop the criminals. After a brief period of silence, the virus came back with new force. The latest malware version has changed its ransom note design and demands a 100-dollar ransom to be sent to the attackers' account in Bitcoin crypto-currency. The virus encrypts files with RSA-2048 and AES-128 ciphers and threatens that if the ransom is not paid in time, the hackers will corrupt the user's personal files beyond recovery.

However, while the new ransomware variant is causing most of the upsurge at the moment, its previous version has not gone obsolete either. It is demanding 299 USD in return for the locked data.

Judging by its ransom message, one might suspect that this virus is the work of amateur hackers. However, the original version still managed to encrypt personal files with the AES algorithm.

If we believe the content of the message, the virus was generated in Romania [2]. Thus, residents of that country should be extremely cautious. On the other hand, living far from this European state does not mean that you can escape this threat. That is why it is important to arm yourself with knowledge about effective NoobCrypt removal.

On review, this ransomware does not present any extraordinary or unusual features. As usual, hackers attempt to persuade you into remitting the payment for the locked personal files. Certainly, without the private key, decoding your files is not an easy task.

Thus, the cyber criminals employ psychological pressure [3] to push you into paying. They threaten to delete some files every two hours. The standard amount of the ransom equals 299 dollars. The victims of NoobCrypt ransomware are expected to purchase Bitcoins and then enter the unique verification code in the field provided in the ransom message.

At first glance, the virus is ordinary file-encrypting malware. Users who are befallen by this menace might panic while searching for a way to retrieve the files.

However, IT experts have discovered that there are several significant flaws in the source code of the malware. It creates only one registry entry — HKEY_CURRENT_USER\k1j3jk153kj153. Thus, it is unlikely to re-launch itself after the reboot of the operating system.
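As an added example (not part of the original article), the following PowerShell check looks for the registry entry named above and lists the current user's Run and RunOnce values, so you can confirm that nothing is set to start at logon. Treating the entry as either a key or a value under HKEY_CURRENT_USER, and limiting the autostart review to Run and RunOnce, are assumptions, because the article does not go into that detail.

```powershell
# Added example: check for the registry entry the article names and review
# per-user autostart values. Run as the affected user (HKCU is per-user).
$indicator = 'k1j3jk153kj153'   # entry name taken from the article

function Test-NoobCryptIndicator {
    param([string]$Name = $indicator)
    # Assumption: the article does not say whether the entry is a key or a
    # value directly under HKEY_CURRENT_USER, so look for both.
    $asKey   = Test-Path -Path "HKCU:\$Name"
    $root    = Get-Item -Path 'HKCU:\'
    $asValue = $root.GetValueNames() -contains $Name
    [pscustomobject]@{
        Indicator    = "HKEY_CURRENT_USER\$Name"
        FoundAsKey   = $asKey
        FoundAsValue = $asValue
    }
}

function Get-UserAutostart {
    # Assumption: only the per-user Run and RunOnce keys are reviewed here;
    # other persistence mechanisms are not covered by this check.
    $paths = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($path in $paths) {
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($valueName in $key.GetValueNames()) {
            [pscustomobject]@{
                Key     = $path
                Name    = $valueName
                Command = $key.GetValue($valueName)
            }
        }
    }
}

$result = Test-NoobCryptIndicator
$result | Format-List
if ($result.FoundAsKey -or $result.FoundAsValue) {
    Write-Warning 'Registry entry named in the article is present for this user.'
}
# Review every listed command; an unfamiliar executable path deserves a closer look.
Get-UserAutostart | Format-Table -AutoSize -Wrap
```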

The ransomware behaves more like a lock-screen virus. Luckily, there is no need to pay the money, because malware specialist Jakub Kroustek discovered a key. Enter the code ZdZ8EcvP95ki6NWR2 into the field which requires the verification code. After that, you will be able to decrypt the files for free. Then remove NoobCrypt right away. Reimage is one of the security programs which quickly and effectively deals with the ransomware.

September 2016 update: NoobCrypt uses the same decryption password for all of its victims

Just recently, NoobCrypt virus researchers made a breakthrough with this ransomware by disclosing another huge flaw in the program's source code.

Jakub Kroustek, who initially came up with the NoobCrypt decryption key, continued to inspect the virus even further and found that this key is only suitable for some computers, while the others remain undecryptable. The main problem is that there are several versions of the NoobCrypt malware and each version features a different decryption code.

Luckily, the same code unlocks all computers infected with the same version of the virus. So, to decrypt your data, you only need to find out what particular version of the virus has infected your PC.

To do that, pay attention to the ransom note details such as the amount of ransom and the Bitcoin wallet address. For instance, the code “ZdZ8EcvP95ki6NWR2” only works for the virus versions demanding the highest ransom — 299 USD.

The virus version demanding 100 dollars for the data decryption can be unlocked with the code “RedStarPenis”, while the ones asking for 50 USD can be unlocked using lsakhBVLIKAHg. Good luck decrypting your data! Just do not forget to eliminate the virus from your computer when you do!

Experts detect improved virus versions

After the IT professionals mercilessly shattered the hackers' ambitions, it seemed that there was going to be one virus less in the virtual world. Nonetheless, the authors have proved not to be so “noob” and decided to counterattack the IT specialists.

Consequently, an improved version of the ransomware was detected. The renewed edition contains several improvements, such as C+ evaluation copy.

However, to the big disappointment of the crooks and the joy of the virtual community, the improvements made the virus worse. In other words, the hackers included obfuscating elements, but in the end they resulted in a version of the virus which does not require any decryption key!

However, such improvements reveal that crooks, whether they are members of an organized cybercrime gang or just hacker-wannabes, still create significant problems for the users. Though rarely the virus updates mess up the virus itself, such

Principles of system infiltration

Since the hackers behind NoobCrypt still seem to be amateurs, it is likely that the malware is distributed via P2P file sharing websites or other questionable advertising, gaming, or pornographic domains. Such domains often contain various hyperlinks.

After a user clicks on such a link, he unintentionally downloads the file with the ransomware. It is also only a matter of time before cyber criminals decide to shift to another, more profitable method of distributing the malware.

It is a common tendency to transmit file-encrypting viruses via spam emails. In the case of some previous ransomware, cyber criminals have shown real mastery by creating fake letters which can be easily mistaken for official emails from governmental institutions.

Thus, if you receive an invitation to fill in a form for a tax refund or customs declaration, do not open any attachments. They might contain NoobCrypt. To block malware that might conceal the virus and to decrease the number of spam emails, install an anti-spyware application.

NoobCrypt removal and recovery

Since this virus is not a mere PUP, we highly advise you to opt for automatic elimination. A security application, such as Reimage or Malwarebytes Anti Malware, will remove the NoobCrypt virus properly.

If you update the application regularly, it will safeguard your PC from all kinds of threats. However, you might encounter some problems related to NoobCrypt removal because the virus locks your screen and you cannot operate your device properly.

If after entering the above-provided code, the computer still remains unusable, use the recovery instructions below. After the threat is completely eliminated, you should focus on developing several plans in case ransomware targets your system again:

  • Update security applications daily
  • Store your private information in several locations
  • Employ portable data keeping devices, such as USB sticks or DVDs to secure your data copies

 

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove NoobCrypt ransomware virus you agree to our privacy policy and agreement of use.
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall NoobCrypt ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.

Manual NoobCrypt virus Removal Guide:

Remove NoobCrypt using Safe Mode with Networking

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove NoobCrypt

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete NoobCrypt removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove NoobCrypt using System Restore


  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of NoobCrypt. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that NoobCrypt removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove NoobCrypt from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by NoobCrypt, you can use several methods to restore them:

Data Recovery Pro – the aid for the encrypted files

In case you happened to get infected with a modified NoobCrypt version and some of your files are still locked, run the application to regain access to the affected data.

ShadowExplorer – another alternative

Upon encountering a more damaging ransomware virus, this utility may prove to be effective in restoring the files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about protection from crypto-ransomware. In order to protect your computer from NoobCrypt and other ransomware, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Julie Splinters - Malware removal specialist


  • Raymond

    Eventually, the hackers turn out to be noobs. Still, nice try!

  • Kirk5008

    That guy saved us. I thought about paying the money because those damn hackers encrypted a very important document.

  • Danny.Elf4

    Still we should not underestimate these hackers. They might strike again.

  • Corney

    I'm glad that I do not need to worry. I have anti-virus and anti-malware programs working and perform regular scans. No serious virus for years!