Nusar Ransomware - How to remove

Nusar is a computer virus that affects Windows PCs and works as an extortion scam. It corrupts people’s files and promises to return them to normal if the victim just pays a few hundred dollars to the cybercriminals. However you decide to deal with Nusar, you should be aware of the options available to you and their pros and cons.

Nusar infection symptoms

Files are renamed by having the extension “.nusar” appended.

A ransom note called _readme.txt appears, urging you to contact the extortionists:

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-xHnpiAalxT
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

These people have created Nusar and are now trying to make money off the victims who’ve lost their files to their virus. The behavior is undoubtedly criminal, but Nusar is part of a family of ransomware (STOP/DJVU) that targets individuals, so, unlike the Baltimore case or the Florida attack, it hasn’t featured much in the news.

Despite being relatively low-profile, Nusar’s developers have been extorting people for months now using Djvu, Kroput, Drume, and many other variants of their virus. Downloading a software crack or a program from the wrong website that was infected with Nusar or another cryptovirus has cost a lot of people their files. Luckily, there are a few ways to try and restore some of the files broken by Nusar. There is no guarantee that they will work, but then neither is there a guarantee that you will get your files back after paying the criminals.

Paying Nusar developers has mixed results. A lot of people never receive the decryption key. A few only receive a demand for even more money. Some do receive their decryption key (this key is unique to each person) but only manage to restore some of their files (for example, the biggest files are still corrupted). And, of course, Nusar’s sibling viruses have been distributed together with spyware (a banking trojan a lot like Astaroth), meaning that any banking that you do on the infected computer is likely being watched (unless you’ve removed all the viruses).

How to remove Nusar

Use an antivirus program to get rid of the virus. Your antivirus program should have no problem recognizing this virus because it is already detected by many professional antivirus tools. However, it might seem impossible to remove Nusar from your infected computer because it disables some antivirus functions. Try the guide below this article to scan your system without Nusar interfering. If your usual program isn’t working, try Spyhunter, or another reputable antivirus tool.

How to restore Nusar files

Now that the computer is clean, time to restore the files. How much you’ll succeed depends on your preparation, as well as some luck.

If you were prepared for Nusar and other ransomware, you must have had a backup of your data. Backups are extremely powerful, protecting you not only from ransomware, but also mitigating the consequences of your PC being stolen or the disk breaking. It’s just important to keep the backup on a separate, disconnected device.

Even if you didn’t intentionally set up a backup, it may be that the files that Nusar corrupted are still recoverable. If you e-mailed them to someone or had them saved in the cloud, you can re-download them. If the files weren’t created by you, you can probably re-download them, so you don’t need to worry about those.

Try restoring files from shadow copies. In case you had system restore enabled on your PC, copies of your old files might have been saved by Windows. Nusar should have encrypted them, but it might not have worked correctly, so it’s worth trying.

You can also use data recovery software to browse your HDD for some of your deleted (actually deleted, no longer available in the bin) files and restore them, but remember that this will only work if you haven’t used your computer much at all. The deleted files can easily and quickly be overwritten, making them unrecoverable or corrupted. It’s safest to perform data recovery from another computer. Just know that the process isn’t easy and chances of getting back something useful are not very high.

The last possible option to restore the Nusar-encrypted files is to wait for a decryptor. The chances of one being developed for all the files are low, but @demonslay335 has been developing STOPDecrypter, a program that can decrypt some of the files of some versions of STOP/DJVU. Even if Nusar is supported, the decryption only works for the minority of the victims, but you can save the Nusar-encrypted files and hope for a full decryptor to be developed; that’s not unprecedented.
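Added example (not part of the original article): a read-only Python script that scopes the damage using the two symptoms described above, the appended “.nusar” extension and the _readme.txt note, and sorts encrypted files into those that have a clean copy in a backup and those worth keeping for a future decryptor. The folder arguments and the assumption that the backup mirrors the original folder layout are hypothetical.

```python
import os
import sys
from pathlib import Path

ENCRYPTED_EXT = ".nusar"     # extension the article says is appended
RANSOM_NOTE = "_readme.txt"  # ransom note name given in the article


def inventory(root, backup_root=None):
    """Read-only walk of `root`; nothing is modified or deleted.

    Assumes (hypothetically) that `backup_root` mirrors the folder
    layout of `root`. Returns a dict of sorted lists:
      notes       - ransom notes found
      recoverable - (encrypted file, clean backup copy) pairs
      unrecovered - encrypted files with no backup copy
    """
    root = Path(root)
    backup = Path(backup_root) if backup_root else None
    report = {"notes": [], "recoverable": [], "unrecovered": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == RANSOM_NOTE:
                report["notes"].append(path)
            elif lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                # "cv.docx.nusar" -> "cv.docx": the extension is appended
                original = name[: -len(ENCRYPTED_EXT)]
                rel = path.relative_to(root).with_name(original)
                copy = backup / rel if backup else None
                if copy is not None and copy.is_file():
                    report["recoverable"].append((path, copy))
                else:
                    report["unrecovered"].append(path)
    return {key: sorted(items) for key, items in report.items()}


def summarize(report):
    return (f"{len(report['notes'])} ransom note(s), "
            f"{len(report['recoverable'])} file(s) restorable from backup, "
            f"{len(report['unrecovered'])} file(s) with no backup copy")


if __name__ == "__main__":
    rep = inventory(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    print(summarize(rep))
    for path in rep["unrecovered"]:
        print("keep for a possible future decryptor:", path)
```

Run it with the affected folder as the first argument and, optionally, the backup folder as the second; it can be run from another computer with the affected drive attached.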


How to recover Nusar Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that are available from before Nusar Ransomware infiltrated your system and then click “Next”.
  • To start System restore click “Yes”.
 

Step 2. Complete removal of Nusar Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Nusar Ransomware.

Step 3. Restore Nusar Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Nusar Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Nusar Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as slave. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.