Severity scale:  

Nozelesn ransomware. How to remove? (Uninstall guide)

removal by Alice Woods - - | Type: Ransomware

Nozelesn ransomware – cryptovirus that stealthily infiltrates the system via fake DHL emails

Nozelesn virus
Nozelesn ransomware is a virus that spreads behind DHL emails

Nozelesn ransomware is a virus that developers create for money-extortion[1] purposes. Security researchers stated that the virus spreads via spam email attachments in fake DHL invoices and targets victims located in Poland. Soon after infiltration, the malware scans the machine for video, image, audio, database and other personal files and encrypts them using AES cipher. Victims can notice that data becomes unusable, as the extension .nozelesn is added to each of the affected files. Nozelesn also drops a ransom note HOW_FIX_NOZELESN_FILES.htm which explains that users have to pay 0.1BTC via Tor web browser to get access to the data back.

Name Nozelesn
Type Ransomware
Targeted country Poland
Extension .nozelesn file extension
Ransom amount 0.1 Bitcoin
Main dangers Data encrypting can lead to permanent data or money loss.
Distribution Malicious email attachments
Elimination You should use Reimage for ransomware removal

The message from Nozelesn virus authors has more specific information about what happened to the victim's PC, as well as how to recover files that are unusable. Cybercrooks are asking users to download TOR borwser and login to payment server lyasuvlsarvrlyxz.onion using a unique personal code to receive further instructions.

Once users log in to something that is called “Nozelesn decryption cabinet,” they are presented with further instructions, namely that they need to pay 0.1 BTC  (approx. $657 at the time of the writing) and copy the transaction ID into the provided field. Hackers then guarantee that the decryptor will be sent back within ten days.  However, you should not listen to cybercrooks and remove Nozelesn virus instead, and then proceed with alternative data recovery methods.

The initial ransomware that users are exposed to states the following:

All files including videos, photos and documents on your computer are encrypted by nozelesn ransomware.
File decryption costs money.
In order to decrypt the files, you need to perform the following steps:
1. you should download and install this browser hxxp://
2. After installation, run the browser and enter the address: lyasuvlsarvrlyxz.onion
3. Follow the instruction on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.
Guaranteed recovery is provided within 10 days.
You should enter the personal code on the tor site. 

As you can see in the ransom message quote, virus developers suggest you follow their instructions and pay the ransom as soon as possible so you can get your files recovered. However, many cybersecurity researchers[2] do not recommend doing that. You need to focus on the Nozelesn ransomware removal and then worry about file decryption. DO NOT pay the ransom and DO NOT contact these criminals.

It is typical for ransomware-type virus developers to use common names, company logos or other information to make users open the malicious attachments. This virus is no exception. Security experts from CERT_Polska confirmed[3] that the delivery of malware is executed via phishing emails allegedly coming from Polish DHL:

It seems that the delivery method was through a spam campaign with fake DHL invoice.

Thus, be vigilant if you still have not injected your PC with dangerous malware. If your files are locked with .nozelesn extension, do not panic. You should get rid of the ransomware by scanning your system using security software first (we recommend Reimage or Plumbytes Anti-MalwareNorton Internet Security), and then checking options for file recovery. 

At the moment, it is believed that ransomware is deleting Shadow Volume Copies of affected files by using the command “vssadmin.exe delete shadows /all /Quiet.” However, we cannot confirm that and, if files encrypted by Nozelesn, definitely try Shadow Explorer method which is provided in our Data recovery section.

Insecure emails with big names used for spreading this virus

Virus developers tend to use various widely-known company names to make their spam emails more convincing. Such emails often appear legitimate only because of the names, logos and similar content included to them. People after seeing the name of FedEx, Amazon, eBay or other company don't even think about risks and fall for downloading attachments that are filled with various infections unknowingly. 

If you want to stay safe and prevent ransomware on your computer, make sure you double-check every email message to avoid the ones that could bring the potential danger to your system. To find spam among safe emails check:

  • The sender. Typically, sender's addresses should represent the company he or she is trying to represent, so make sure you check it;
  • The content. Email can be filled with information from services or companies that you have never used or even heard. Ignore such message immediately;
  • Attachments. Word or Excel documents can be filled with macro viruses. If the document is asking to enable macros, put it into the Trash box;

If you notice something suspicious, do not open the email and do not download the attachment. You should delete the message immediately without even opening it.

Remove Nozelesn ransomware by using professional tools  

To remove Nozelesn ransomware, you should use reliable anti-malware tools. They can ensure proper elimination of the virus. To scan your system correctly and remove all malicious components, make sure you update the software before scanning to its latest version. When dealing with this ransomware, we highly recommend using Reimage, Plumbytes Anti-MalwareNorton Internet Security or d2]. They will also ensure full protection against similar viruses in the future.  

Manual Nozelesn ransomware removal is not recommended as you are dealing with cryptovirus. Follow the guide below the article if the virus is blocking the scanner to postpone its removal. Next, move to data recovery section. As we have mentioned, ransomware might try to delete Shadow Volume Copies of encrypted data. However, we still recommend trying ShadowExplorer as one of the options to recover encrypted data.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.

If you decided to select another anti-spyware, uninstall Reimage from your computer.
Press mentions on Reimage
Alternate Software
Alternate Software

To remove Nozelesn virus, follow these steps:

Remove Nozelesn using Safe Mode with Networking

Remove ransomware with Safe Mode with Networking by using these steps:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Nozelesn

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Nozelesn removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Nozelesn using System Restore

Use System Restore feature as the second option to disable Nozelesn ransomware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Nozelesn. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Nozelesn removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Nozelesn from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Nozelesn, you can use several methods to restore them:

Data Recovery Pro is a program specifically designed to restore lost files

If you deleted your files or if they got encrypted by ransomware try to recover them with Data Recovery Pro:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Nozelesn ransomware;
  • Restore them.

Windows Previous Versions feature can help you restore individual files

If System Restore feature was enabled before the initial attack, you could recover your files using Windows Previous Versions feature:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer can help restore encrypted files

If Nozelesn ransomware have not touched Shadow Volume Copies you can rely on ShadowExplorer:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Nozelesn decrypter is not available

About the author

Alice Woods
Alice Woods - Likes to teach users about virus prevention

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Alice Woods
About the company Esolutions


Removal guides in other languages