NWA ransomware - How to remove

NWA ransomware is malware derived from another cryptovirus, Dharma. Despite not being the original virus, NWA is definitely a threat to be careful of because of all the damage it causes to your files after the infection. Just like its predecessors and other ransomware, an NWA infection manifests as encrypted data marked with the .nwa extension, ransom notes, specific hackers’ contact emails, and a requested payment. Although there is no official decryptor for NWA ransomware, you might be able to clean your infected Windows system with the other methods mentioned in this article.

Malware expert @JakubKroustek reported the new Dharma NWA ransomware variant on his Twitter on March 11th, 2019. This virus did not seem to differ from other related malware except for the altered code, meaning that decryptors developed for other, otherwise identical versions are not going to work for this one. It is important to understand that paying a ransom is never a good decision: you can send threat actors thousands of dollars and they may end up ignoring you without giving any decryption key in exchange, because they are hackers and cannot be trusted. Hopefully, this article will help you improve your knowledge about NWA ransomware and learn the prevention techniques and the ways you can get rid of this nasty computer infection, so that later you have a chance to recover your precious virtual memories.

How does NWA ransomware work

NWA ransomware is a virus that uses a variety of scareware, obfuscation and cryptography techniques to abuse Windows system functions and make certain user data inaccessible unless you have a special key, which is exactly how the Btc, BGTX and Arena threats operate as well. Since ransomware can make a profit only from the payments made by its victims, the NWA virus targets files that can be precious to the user but do not influence the way the computer runs. That pushes affected people into agreeing to the presented conditions and sending the requested ransom, especially if they have no backups of their important pictures, videos, documents and so on.


After getting inside the computer, the NWA cryptovirus runs dozens of background processes that affect the registry, system files and so on, so that it is not discovered by an active antivirus and can reappear even if Windows is restarted. At around the same time, AES or RSA encryption algorithms are applied to the targeted files, which are then marked with a long ‘.unique-id.[[email protected]].NWA’ extension at the end of their names. That means that if your files have that string in their names, they are affected by the NWA ransomware. No matter how much data you have stored on your hard drive, the ciphers take only seconds to complete the infection, so there is not much you can do to stop it. When the encryption procedure is finished and every single document is locked, you’ll notice ransom note files on your desktop explaining the situation and giving further instructions on what to do next:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
Write this ID in the title of your message [unique-ID]
In case of no answer in 24 hours write us to theese e-mails:[email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The message above is presented in a GUI window, but the next one, called ‘FILES ENCRYPTED.txt’, is a text file that gives essentially the same, but shorter, instructions to just contact the crooks:

all your data has been locked us
You want to return?
write email [email protected] or [email protected]

It isn’t known what amount the NWA ransomware actors will demand, but obviously they need the payment to be made in Bitcoins, since cryptocurrency ensures anonymity and is therefore extremely common among cybercriminals. Statistics disclose that right now ransomware viruses expect around $1000, but the payment can range from a couple of hundred to several thousand dollars. As we said in the introduction, even if you have a spare thousand in your account, it is best not to pay and encourage the crooks.

As of now, a Virustotal.com report shows that NWA ransomware is detected as malicious by the majority of antivirus engines, which is another reason why you should go ahead and remove this threat from your PC immediately, and afterwards apply the alternative recovery strategies that can help fix the situation.
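To see how much data carries the marker described above, the following added example (not part of the original article) walks a folder or an attached drive and parses each renamed file into its original name, unique ID and contact address. It assumes the unique-ID segment contains no dots or brackets; the function names and the sample file name are constructed for illustration.

```python
import re
import sys
from collections import Counter
from pathlib import Path

# Name layout described above: <original name>.<unique-id>.[<contact e-mail>].NWA
# Assumption: the unique-id segment contains no dots or square brackets.
NWA_NAME = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[^.\[\]]+)\.\[(?P<contact>[^\[\]]+)\]\.nwa$",
    re.IGNORECASE,
)

def parse_nwa_name(filename):
    """Split a renamed file into original name, victim ID and contact, else None."""
    match = NWA_NAME.match(filename)
    return match.groupdict() if match else None

def inventory(root):
    """Walk a folder or mounted drive read-only and list every marked file."""
    hits = []
    for path in Path(root).rglob("*"):
        info = parse_nwa_name(path.name)
        if not info:
            continue
        try:
            if not path.is_file():
                continue
            size = path.stat().st_size
        except OSError:  # unreadable entry: skip it rather than abort the scan
            continue
        hits.append({"path": str(path), "size": size, **info})
    return hits

def summarize(hits):
    """Condense the inventory into figures for an incident report."""
    return {
        "files": len(hits),
        "bytes": sum(hit["size"] for hit in hits),
        "victim_ids": sorted({hit["victim_id"] for hit in hits}),
        "contacts": sorted({hit["contact"] for hit in hits}),
        "by_type": dict(Counter(Path(hit["original"]).suffix.lower() for hit in hits)),
    }

if __name__ == "__main__":
    # Constructed sample name; the ID and address are placeholders, not real indicators.
    print(parse_nwa_name("report.docx.ID0A1B2C3D.[contact@example.invalid].NWA"))
    if len(sys.argv) > 1:
        print(summarize(inventory(sys.argv[1])))
```

The script only reads file names and sizes, so it is safe to run against a drive attached to a clean machine before any recovery attempt.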

How does NWA virus spread

NWA ransomware is still relatively new, so malware experts have not yet figured out all of its possible proliferation methods, but judging by other Dharma variants the distribution options are extensive. The usual cryptovirus proliferation methods are malspam, Trojans, exploit kits, P2P networks, camouflaged links, fake updates and so on. Most likely the NWA virus is masked as an attachment in email phishing attacks, or it can be part of some program’s exploit, such as the KMSpico tool that Adobe ransomware took advantage of before. This, however, requires effort and technical skill on the crooks’ part, which is why malspam seems much more probable.

Creators of NWA ransomware can simply purchase tons of email addresses from the darknet and send out provocative messages encouraging the recipient either to click on a hyperlink that downloads the cryptovirus or to open an attached .pdf or .docx file with the infection inside its macros. These emails are extremely deceptive and normally short, yet worrying, and they urge you to use the additional means to get more information. Phishing messages are known to be socially engineered to look like imperative news from the government, customers, lawyers, banks, healthcare offices and so on. If you end up opening the attachment and enabling macros to review it, NWA ransomware begins its installation in the background and soon your files become encrypted, while you still wonder why that document was ‘empty’. To prevent this from happening you really need to brush up your phishing detection skills and learn about other cryptovirus preventative measures.
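Macro-carrying Office attachments like those described above can be flagged before anyone opens them. This added example (not part of the original article) checks an attachment's bytes for a VBA project part inside an Office Open XML container and flags legacy OLE documents for separate review; the function names, verdict labels and sample attachments are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container

def triage_attachment(data):
    """Return (verdict, reason) for one attachment without opening it in Office."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can embed macros; zipfile cannot look inside them.
        return ("review", "legacy OLE document, needs a dedicated macro scanner")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ("not-ooxml", "not an Office Open XML container")
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        parts = [name.lower() for name in archive.namelist()]
    if "[content_types].xml" not in parts:
        return ("not-ooxml", "ZIP archive, but not an Office document")
    # Office Open XML stores a VBA project as a part named vbaProject.bin.
    macro_parts = [p for p in parts if p.rsplit("/", 1)[-1] == "vbaproject.bin"]
    if macro_parts:
        return ("quarantine", "VBA macro project present: " + macro_parts[0])
    return ("no-macro", "no VBA macro project found")

def build_sample(with_macro):
    """Constructed stand-in for an attachment; the parts hold placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    # All four samples are constructed for this example.
    samples = {
        "invoice.docx": build_sample(with_macro=False),
        "notice.docm": build_sample(with_macro=True),
        "old_report.doc": OLE_MAGIC + b"\x00" * 16,
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed",
    }
    for name, blob in samples.items():
        print(name, triage_attachment(blob))
```

A "no-macro" verdict only means that no VBA project part was found; it says nothing about links or other content in the file.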

How to remove NWA ransomware and restore files

When it comes to fixing all the harm done by NWA ransomware, there is no quick solution. This is a serious computer infection and the consequences are much harder to fix than those of other viruses, because once the encryption algorithms lock your files, only a unique code that is known to the crooks can decipher them. Mind you, deleting this cryptovirus does not mean that your .nwa marked data will be back; however, NWA virus elimination is more crucial than you think and should be your first step. If you do not get rid of the ransomware, it continues encrypting new files and interrupting every recovery process you try, potentially double-locking data.

You are not obliged to use our recommended security applications and can pick any, yet make sure that they are not fake antivirus engines, which can exacerbate the situation. We advise Spyhunter, a reputable anti-spyware program that can detect and eliminate all kinds of viruses, including NWA ransomware. Simply run a scan and follow the given instructions in order to get rid of the cryptovirus. Only when the machine is totally free from ransomware and other dangers can you start using the PC normally and potentially begin restoring unavailable files. If you have backups ready of all the data you want to recover, follow the guidelines below on how to restore your system from snapshots made in the past; if not, you can try the file recovery programs mentioned at the end as well. If nothing seems to be working, we suggest storing the important .nwa marked files somewhere on your hard drive and checking Nomoreransom.org or 2-viruses.com for news about an official decryptor, which is not released yet.


How to recover NWA ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were created before NWA ransomware infiltrated your system and then click “Next”.
  • To start System Restore click “Yes”.

Step 2. Complete removal of NWA ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to NWA ransomware.

Step 3. Restore NWA ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually NWA ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover NWA ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
  • We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.