How to remove Nuis Ransomware and recover files

Complete tips to delete Nuis Ransomware and decrypt data

Nuis Ransomware is a DJVU family virus that encrypts stored files to make them inaccessible. Like any other variants, it is used to extort ransom from the victims. In addition to encrypting the files, the virus alters the filenames of each of the affected file by adding .nuis extension and drops _readme.txt file containing ransom note.

An example of how the ransomware modifies the files is: it renames a file 1.jpg to “1.jpg.nuis”, “2.png” to “2.png.nuis”, “3.exe” to “3.exe.nuis”, and so forth.  It is important to note that the DJVU virus can be delivered alongside info stealers. In the vary case, the malicious actors steal sensitive details before files encryption.

Nuis Ransomware’s ransom note overview

The ransom note includes contact and payment information. It states that the victims have to pay $980 (or $490 as a discounted fee in only condition when the contact is established within 72 hours of the encryption) for the decryption tool.

Further instructions will be provided once after emailing the shady individuals behind the ransomware. The ransom text message also mentions that the victims can send one encrypt file and receive it decrypted before paying the ransom. Here is the full text presented on the ransom note:

ATTENTION!

Don’t worry, you can return all your files!

All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.

The only method of recovering files is to purchase decrypt tool and unique key for you.

This software will decrypt all your encrypted files.

What guarantees you have?

You can send one of your encrypted file from your PC and we decrypt it for free.

But we can decrypt only 1 file for free. File must not contain valuable information.

You can get and look video overview decrypt tool:

hxxps://we.tl/t-IfeNgr671e

Price of private key and decrypt software is $980.

Discount 50% available if you contact us first 72 hours, that’s price for you is $490.

Please note that you’ll never restore your data without payment.

Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

[email protected]

Reserve e-mail address to contact us:

[email protected]

Your personal ID:

–

More about ransomware

In a typical ransomware infection case, the files decryption is not possible without the involvement of the crooks behind the infection. These people have the right decryption tool which is necessary to decrypt the files.

Despite that the Nuis Ransomware’s authors claim in the ransom note to exchange the decryption tool after the transaction of certain amount of ransom fee, we strongly advise you against doing that action as the crooks are not reliable and they are not going to provide you the decryption tool even after the payment is received.

There are many other data recovery alternatives available. You should rely on them instead. But before attempting to recover your files, make sure you successfully remove Nuis Ransomware from the system to avoid its interference during the files recovery process.

After successfully removing the ransomware, you can use existing backups to restore your files. Shadow Copies are automatically designed backups from Windows OS. You can rely on this option or otherwise any third party data recovery for automatically recover all affected files.

How did Nuis Ransomware enter my system?

Ransomware viruses are often spread through phishing emails that contain malicious file attachments or links or drive by downloading. DJVU variants are found to have been distributed through fake installers for pirated software and deceptive pages offering to download videos from YouTube.

In other cases, computers get infected with ransomware through files downloaded from unreliable sources, Trojans and fake updates. In all cases, the users execute malware by themselves. Most threat actors distribute ransomware through malicious documents.

How to protect system from ransomware?

Avoid clicking on any emails which seem suspicious, irrelevant and unknown. Do not click on the attachments and website links on them especially as these are the one that brings cyber-infection. To download any files and program, you should use only official websites and direct links.

Do not use any free hosting pages, third-party downloaders, p2p networks, shady websites and etc as these are the sources for downloading software. Keep your system and program updated. Scan your system for threats on regular basis. Use reputable antivirus tool for real time protection.

Want to get rid of Nuis Ransomware infection? Follow these steps

Identifying the ransomware infection

There are tons of ransomware strains developed over the years and spread all over the world. Crooks are creating new ransomware versions to establish themselves in the illegal business. These viruses use different extensions, ransom notes and other attributes through which you can identify them. However, sometimes, these things overlap and that makes difficult for the users to identify them.

To deal with a ransomware-type infection, your first task would be to identify it. In the process, you should firstly check the file extension. All ransomware viruses are using certain extensions that are appended at the end of the original filenames. But, sometimes, the crooks may replace it with random characters, add marker before the filename or do not visually change the name of the file at all.

So, if your files are appended with .exe, .locked, .encrypted or other broadly-used extensions that are difficult to identity, you would have to identify it by the ransom note. Simply, a .txt file is created and placed on the desktop or other places that can easily be reachable. Other times, a pop-up window is used which is launched soon the encryption process is complete. In the ransom note, the threat actors mention the name of the ransomware.

However, in some cases, the ransom note is very generic and in that case you can use ID Ransomware – a free service to identify the precise malware that you are dealing with. All that you have to do is to upload the ransom note found on the desktop or within the folders where the encrypted files are located and the sample of an encrypted file. You will get the relevant information such as the family of the ransomware belongs to and where or not it is possible to decrypt files.

Isolating the infected system

There are certain ransomware infections that not only infect systems but spread on entire network. Not known whether Nuis Ransomware has this functionality. Why to take risk? So, soon your system is infected, it is important you should isolate it to prevent re-infection after the removal process is complete. The easiest way of disconnecting the system is simply plug-out the Ethernet cable.

However, this process is not easy in corporate environment. The method below will help you in disconnecting from all the networks, including local and the internet, isolating each of the systems involved:

• In the Windows Search, type in Control Panel and click Ok,
• Go to the Network and Internet,
• Click on Network and Sharing Center,
• Pick Change adapter settings,

• Right-click on your connection and select Disable,
• Finally, confirm with Yes.

Also, disconnect all the cloud storage you are connected to as well as all the external devices such as USB flash sticks, external HDDs and etc. Once the removal process is complete, you can connect your computer to the network and internet, by clicking the Enabled button.

Scan your system using antivirus solution

If you are a victim of Nuis Ransomware, you should require employing a reputable antivirus tool for its removal. Some ransomware viruses are self-destruct after the encryption process is finished. Even in such cases, however, the malware leaves various data stealing modules or could operate in conjugation with other malicious programs on your system.

SpyHunter can detect and remove all ransomware related files, additional modules, along with other viruses hidden on the system. The tool is really very easy to use and does not require any prior knowledge to succeed in the malware removal process. To help you with, we have included the steps how to use this tool to perform the ransomware removal from the system. Check below:

• Click on the below link to download SpyHunter,
• When the download process is complete, you will see a set up file named SpyHunter-Installer.exe at below your browser window or within the downloads section,

• Double-click on it to open it and to initiate the installation process,
• A User Account Control dialogue box appears at first on the screen, click Yes within to confirm it,

• Choose your language the then and click OK,

• Click Continue to proceed,

• Read and Accept the EULA and Privacy Policy and then click on Install,

• Let the installation process to complete. Once done, click on Finish button to complete the download/ installation process.

Once after the installation, launch the security software and run a full system scan using it. To launch SpyHunter, locate the program’s icon on the desktop or just click on the Start> Program and click on SpyHunter. Go to its Application page, click on Home and click on Start Scan option on the next pop-up window appears.

The software will initiate the scanning process after that and shows errors, vulnerabilities and malware found as a scan result in total five different categories – like Malware, PUPs, Privacy, Vulnerabilities and Whitelisted objects.

To delete those detected threats, you have to register for the program. Here are the guide on registering for the program and removing the detected threat:

• Click on the Register button on the top-right of the program’s window and click on Buy,

• On the purchasing page, enter the customer details and valid email address, choose your plan and proceed to pay,
• After the payment, you will receive email confirmation message with username and password,
• Now, go to the program’s settings, click on the Advanced on the left pane,
• Click on Activate your Account and enter your username and password to activate your plan,

• Now, go to the scanning report page, select the objects you want to remove and click on the Next button to quarantine them,
• Go to the Malware/ PC Scan tab and click on the Quarantine option there to see all quarantine objects,
• To delete any objects, click on them and then click on the Next button. You can restore any objects there just by selecting them and then clicking on Restore.

Recover the Nuis Ransomware affected data

Not all users have proper data backups prior to being affected by ransomware. Paying ransom to the crooks is very risky – these people often do not provide the decryption tool even after all their demands are met. Data recovery software might be capable in some situations depend on the encryption algorithm used, whether ransomware managed to complete the programmed tasks and etc.

There are thousands of different ransomware strains and it is just difficult to tell you whether third party software will work for you. Therefore, we suggest you trying regardless of which ransomware type attacked your system. However, before you begin, certain things that you should keep in mind while dealing with this situation:

• The encrypted data on system might be permanently damaged by security or data recovery software and thus, you should first make backups of it – use USB flash drive or another storage devices,
• Attempt to recover the files after making sure that you perform a system scan using antivirus software.

Instant files recovery software

Stella Phoenix Windows Data Recovery tool is very popular data recovery tool tested by security researchers and recommended by many individuals all over the world. Here are the steps how to download/ install this tool and recover the Nuis Ransomware infected files:

• Download the tool from the link below,
• This will download Stellar_WinDataRe….exe file on your system,

• Double-click on this file to open it, accept its licensed agreement and follow the on-screen instructions to complete the installation process,

• Once after the installation, the program automatically executes itself and so just select the files you want to restore and click on the Next button,

• Select Drive to run and execute for the files recovery and click on Scan button,

• Wait for the restoration process to complete. Once done, you can preview those files,
• Select them all to restore and set the location where you want to save.

Shadow Copies; another data recovery alternative

Volume Shadow Copy was introduced by Microsoft with the release of Windows XP service Pack 2 and Windows Server 2013. This allows you to backup or snapshot the current state of the files on a particular volume. These backups are stored on some special type of container called Shadow Copy.

Sometimes, in ransomware infection, this automatically created backup is left untouched and thus it ultimately becomes a file recovery option for the users. Before we move onto the guide how to recover files using the Shadow Copies, one thing that is important to mention here that the Nuis Ransomware virus might be capable of deleting this Shadow Copy by using certain commands such as:

C:\Windows\Sysnative\vssadmin.exe” Delete Shadows /All /Quiet

Thus, you can’t 100% sure that these will definitely help you in the files recovery. Moving to the instruction part – you can recover the files using shadow copies using two possible ways; using previous versions and through Shadow Explorer Tool. The steps to use previous version to restore the files are provided below:

• Open the folder containing the file you want to recover,
• Right-click on it and go to its properties,
• Go to the previous tab, select the restore point and click on

The second method involves downloading/ installing a specially crafted tool called Shadow Explorer. Download/ install the tool, and launch it on your system. It will show you a list of all drivers and the dates on which the shadow copy was created. Select the drive for the files and folders and the date, navigate to the folders and files you want to restore, right-click on the folder or file and select Export, select the location the then to save all those recovered files and the software saves them on that location.

Create backups to avoid data loss in future

We have mentioned two data recovery options, namely third party data recovery software and Volume Shadow Copy. However, both of them not surely help you in the files recovery and there is always a suspicion. Therefore, you can’t completely rely on these alternatives for the files recovery in anytime in future and must have to take steps to ensure that there would be no much loss during such a case of system infection.

The best if you create backups of all essential files. The most reliable backup option is to use existing backup and keep it unplugged it from the system. These device could be hard drive, flash (thumb) drive, SSD, HDD and others alike. However, there is a limitation in using it that you will have to update it on time to time.

To overcome this problem, you can refer cloud service or remote server, for example Microsoft OneDrive, Google Drive and so on. These will all your personal files and data in the cloud. You can access and edit these files from different Windows devices. You can sync them to all computers and mobile devices. Surely, using it require an internet connection.

Manual removal using Safe Mode

We have already mentioned, manual methods are time consuming and less-effective solution. Also, there is a risk of doing mistakes that cause direct damages to the system performance and to the users’ personal as well. However, if you are confident with your IT skill and ready to take the entire risks involved in performing the manual process of ransomware removal, we welcome you with our manual instructions provided below.

Step 1: Access Safe Mode with Networking

Manual malware removal should be performed in Safe Mode environment:

Windows 7/Vista/XP users:

• Restart Windows and when it is active, keep pressing F8 (or F2, F12, Del and etc) till you see Advanced Boot Options window on screen,
• Select Safe Mode with Networking from the list appears.

Windows 10/ 8 users:

• Right-click on Start button and select Settings,

• Scroll down to find Update & Privacy and click on it,

• Choose Recovery in the opened window,
• Scroll down to find Advanced startup,
• Click Restart now,

• Select Troubleshoot,

• Go to the Advanced options,

• Now, select startup settings,

• Click on Restart and select Enable Safe Mode with Networking.

Step 2: Shut down all suspicious processes

Use the Tool Windows Task Manager for the purpose. It can show all the processes running in the background. If malware is running a process, you need to shut it down:

• Open Windows Task Manager using shortcut Ctrl+ Shift+ Esc,
• Click on More details,

• Scroll down to find Background processes and search for anything suspicious over there,
• Right-click and select Open File Location,

• Go back to the process, right-click and pick End Task,

• Then, delete the contents of the malicious folder.

Step 3: Check Program Startup

Now, search for the malicious processes automatically run with startup and disable them:

• Open Task Manager and go to the Startup tab,
• Right-click on the suspicious program and click disable.

Step 4: Removing virus files

Last step in the process is to locate the virus files on different places within the system and remove them. Here are the required steps:

• Open Windows Search, type in Disk Clean up and hit Enter,

• Select the drive, typically the C drive that is likely to contain the malicious files,
• Scroll through the files to Delete list check Temporary Internet Files, Downloads, Recycle Bin, and Temporary Files options,
• Pick Clean up System files,

• The then, open Windows Search again and type in for “%AppData%”, “%LocalAppData%”, “%ProgramData%” and “%WinDir%” and hit Enter – do that one-by-one separately and remove all suspicious files hidden on these folders,
• Reboot the device after that in the normal mode.