Severity scale:  

Remove NWA ransomware (Easy Removal Guide) - Decryption Steps Included

removal by Alice Woods - - | Type: Ransomware

NWA ransomware is a file locking malware that uses explorer.exe as its main executable

NWA ransomware

NWA ransomware is a data locking malware that stems from Dharma virus family. It also belongs to a long list of other variants released at a similar time, such as ETH, KARLS, 888, and others. While there are minor differences between the versions, all of the viruses are used for money extortion purposes. To achieve that, NWA ransomware authors write up a specific code that would perform a file encryption procedure once the host gets infected. The virus mainly uses AES[1] or DES ciphers to lock up databases, pictures, videos, documents, and other personal files, which names get modified in a particular way: [filename].[original extension].id-[user ID].[].NWA. Victims are also greeted with a typical ransom note FILES ENCRYPTED.txt – it explains to users what happened to their personal data and what they should do next. However, experts do not recommend following the instructions provided by hackers and taking care of NWA ransomware removal instead.

Name NWA
Type Ransomware
Family Dharma/CrySiS
File extension [filename].[original extension].id-[user ID].[].NWA
Main executable explorer.exe
Encryption algorithm AES or DES
Ransom note FILES ENCRYPTED.txt
Elimination Use reliable security applications like Reimage Reimage Cleaner Intego or SpyHunter 5Combo Cleaner

Threats like NWA ransomware do not simply appear on users' machines out of nowhere – malware authors often tackle multiple infiltration techniques in order to make the malicious scheme successful. In most cases, however, hackers rely on victims' inexperience and lack of security measures, as well as careless behavior online. Check out the second section to find out how to avoid such threats like NWA virus infection in the future.

Once the payload of NWA ransomware is executed (it is known the main dropped comes under the name explorer.exe), it performs various system changes to perform file encryption without any interruptions. A secure encryption algorithm is used to modify files, although it does not mean that they are corrupted. Imagine it as using a password to open a document – it is merely a more complicated version of such process.

NWA virus locks up a variety of files, mostly those that are personally used by users, such as .doc, .pdf, .jpg, .rar, .mpeg, .html, .avi, and others. Nevertheless, the malware also skips system and some other files (usually .exe), as hackers' main goal is not to corrupt the system, but rather receive a ransom payment from the victims.

Ransomware developers can ask for a various ransom size, as they claim, it depends on how fast users contact the crooks. NWA malware authors ask victims to use Bitcoin as a payment method, while other hackers are more keep on such digital currency as Monero[2] or DASH.

Additionally, users are also offered a test decryption service. Allegedly, victims can upload one file (it must not contain valuable information) and hackers will decrypt it for free, simply to show that the procedure is possible. Such practice is typical among ransomware authors, as it sometimes creates a false sense of security for the NWA virus victims.

However, never contact cybercrooks. Remember, their main goal is money, and they are not obligated to send you the decryptor. Instead, remove NWA ransomware from your computer and use alternative file recovery methods. Note that not all AV engines can recognize the threat,[3] so we suggest you employ such tools as Reimage Reimage Cleaner Intego or SpyHunter 5Combo Cleaner.

Take actions to protect your computer from malware

Ransomware and similar threat actors are not your average computer users, but rather sophisticated individuals who use their knowledge in coding for malicious deeds. Therefore, these people are using a variety of infection methods to spread malware around the world. It includes brute-force attacks (which recently became very popular among malware authors), spam emails, repacked or cracked software, fake updates, drive-by downloads, exploit kits, etc.

In order to protect yourself from personal files loss, compromised computer and a potential money loss, follow these simple tips from industry experts:[4]

  • Download and install modern security solutions that include real-time scanning feature;
  • Patch your system and all the software installed on the device as soon as security updates are released;
  • Do not get tricked by fake updates – only download them from official websites and do not believe a pop-up message embedded on the malicious site that claims the software needs updating;
  • Be very careful when handling emails, especially those located in the Spam box. Email providers use built-in scanners to recognize phishing, and most of such messages are sent to the Spam box. Nevertheless, some malicious emails might get through to your Inbox, so do not open email attachments or click on links unless you are absolutely sure they are genuine;
  • Do not download high-risk files, such as cracks or keygens, as well as pirated software;
  • Do not click on various suspicious links that claim that your PC is infected with a virus, or you won a prize;
  • Use two-factor authentication procedure, as well as a password manager for all your accounts.

NWA ransomware virusNWA is a file locking malware that stems from Dharma/CrySiS virus family

Terminate the malicious activity of NWA ransomware virus

To remove NWA ransomware without too much trouble, you should enter Safe Mode with Networking environment on your Windows computer. Because ransomware usually tampers with various OS processes, it is best to enter a safe environment that temporarily disables the threat and only launches with a few fundamental drivers and processes.

Once there, employ a reputable security application to scan your device thoroughly. We suggest you use Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner, or any other software that can detect and terminate .NWA file virus.

After you complete the NWA ransomware removal process, you can attempt file recovery. If you have no backups (which, unfortunately, most people forget to prepare), you can try alternative methods as listed below. While the chances of getting all files back using these means are slim, you might be able to get at least some data back.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove NWA virus, follow these steps:

Remove NWA using Safe Mode with Networking

To make sure NWA ransomware can be removed easily, enter Safe Mode with networking and perform a full system scan with security software:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove NWA

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete NWA removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove NWA using System Restore

System Restore can also be used to delete the malware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of NWA. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that NWA removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove NWA from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by NWA, you can use several methods to restore them:

Make use of Data Recovery Pro when trying to get files back locked by .NWA

This recovery software might be able to recover at least some of ransomware-locked files.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by NWA ransomware;
  • Restore them.

Windows Previous Versions Feature might be useful

If you had System Restore enabled before the ransomware attack, you might have a chance at getting some data back.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might get all your data back under some circumstances

In case the virus failed to delete Shadow Volume Copies, you might be able to recover all your files.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from NWA and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Alice Woods
Alice Woods - Likes to teach users about virus prevention

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Alice Woods
About the company Esolutions


Your opinion regarding NWA ransomware