To clarify, the sole purpose of this malware is to encrypt all files on the victim’s computer and then extort a large ransom payment for the NNQP ransomware operators. The attackers put data encryption algorithms to bad use. In daily communications, encryption is typically used to secure information transmission so that only the person who holds the decryption key can access it. In this situation, the cybercriminals are the ones who have the key, so they try to sell it to you after illegally blocking your access to your personal files. To provide the victim with information about the attack, the ransomware is designed to drop ransom notes called _readme.txt throughout the computer system. These notes state that the only way to decrypt .nnqp files is to pay a ransom. The attackers suggest sending them one encrypted file that doesn’t contain any valuable information so that they can prove they are able to decrypt all data. The ransom note instructs the victim to include their personal ID in the email. They also provide two email addresses to use – the primary one, manager@mailtemp.ch, and an alternative one, helprestoremanager@airmai.cc. According to the note, the cost of the decryption tools depends on how quickly the victim writes to the attackers. If this is done within the first 72 hours after the infection timestamp, the crooks promise a 50% discount, which sets the price to $490. Otherwise, the decryption price remains $980. If you’re thinking about paying the ransom, we’d like to warn you that this is not a recommended option according to cybersecurity experts and the FBI. Not only does it not guarantee data recovery, it also helps to fuel further ransomware distribution operations. Cybercriminals behind such malware earn millions of US dollars annually, so paying only encourages them to continue their filthy business.
Moreover, there is no way to track the attackers down if you decide to listen to their demands – the attackers won’t accept regular bank transactions, to avoid being traced. The only way they accept payments is via cryptocurrency. They tend to ask victims to purchase, for example, Bitcoins worth the settled ransom amount, and then instruct them to transfer the amount to their virtual wallet. Another worrisome detail about this ransomware is that it tends to drop information-stealing malware, for example the AZORULT or VIDAR Trojans, on infected computers. These threats allow attackers to run specific commands on the victim’s computer remotely and extract various sensitive data that can be used in further attacks or blackmailing – for instance, your passwords, banking details, browsing history, cookies, cryptocurrency wallets and more. Therefore, do not think that paying the ransom will solve all the issues with your computer and privacy. You can understand how sneaky these attackers are because there is not a single mention of the additional malware dropped on your computer in the _readme.txt note. To clear up the havoc caused on your computer, we recommend removing NNQP ransomware virus without any delay. For this, you should boot your computer in Safe Mode with Networking first. You can find free guidelines on how to do it below this article. To identify files associated with the malware and the various registry modifications, we suggest using a robust antivirus solution, for instance INTEGO Antivirus. Additionally, you may want to download RESTORO and use it to repair virus-inflicted damage to Windows OS files.
How ransomware-type viruses are distributed
In order to prevent further malware and ransomware infections, it is important to learn how these computer viruses are distributed and how they can get into your computer. When it comes to this particular ransomware strain – STOP/DJVU (the one you got infected with) – the primary distribution method relies on pirated software versions containing cracks, key generators and other tools. Most of the time, these are downloaded via torrents. Computer users who have the bad habit of searching for software downloads on unconfirmed and shady online resources are at risk of getting their computers compromised, because cybercriminals prey on such users. Moreover, these computer users are easy targets because they also often ignore their cybersecurity software’s warnings regarding such torrent downloads. There is a popular misbelief about antivirus warnings and torrents – users tend to wrongly assume that antivirus marks every software crack as malicious. While in some cases these alerts can be false positives, most of the time they’re not. Therefore, to avoid getting infected, we recommend choosing official and confirmed online resources to get your programs from. Victims of STOP/DJVU have reported getting infected after opening pirated versions of these popular programs: Adobe Photoshop, Internet Download Manager, Corel Draw, Adobe Illustrator, VMWare Workstation, Tenorshare 4ukey, League of Legends and many others. Another way to spread ransomware is by inserting a malicious script into a DOCX, PDF, XLS or other file format that supports scripting languages, and attaching such a file to deceptive email messages. The attackers use the malicious spam technique, often pretending to be a legitimate entity (for example, a well-known online retail company, law enforcement agency, parcel delivery company and others). The attachment may be named invoice, parcel tracking details, order summary, waybill, pending payment, etc.
The attackers want you to believe that the attachment was sent by a trustworthy entity and to convince you to open the attached file as soon as possible. Unfortunately, opening one and, even worse, disabling Secured Mode can run the inserted scripts, which are designed to download the actual payload and run it on your computer. Nowadays, it can be hard to identify dangerous emails. However, there are some patterns used by cybercriminals, so we will try to describe them. First of all, avoid opening email attachments and links if you can sense urgency in the sender’s message. Second, look out for an unfamiliar greeting line. Third, scammers tend to write the email subject line in capital letters and send unprofessionally aligned emails containing low-resolution company logos. Finally, we’d like to advise you to avoid emails that your email provider marks as suspected spam. Nowadays, you also cannot trust the sender’s email address, because criminals make use of email spoofing techniques that disguise the original sender’s address. Victims of STOP/DJVU ransomware variants should beware of fake decryption tools available online. Reports show that cybercriminals tend to upload these tools to suspicious online resources. Unfortunately, instead of decrypting .nnqp files, they can infect your computer with a second ransomware and encrypt your files again. For this reason, we recommend that you follow updates on our site or on reputable cybersecurity news sites. In the meantime, we recommend that you read about the current situation on decrypting and repairing STOP/DJVU-encrypted files.
How NNQP ransomware operates: breakdown of its functionality
This section overviews the modus operandi of the NNQP virus and what it does after infecting your computer system. First of all, it arrives as a set of executables, most frequently named build.exe, build2.exe and another one named as a 4-character string, for instance 6GV7.exe. Some variations of STOP/DJVU also display a fake Windows update window during the attack to justify the sudden system slowdown. This window is produced by an executable named winupdate.exe. First of all, the ransomware checks whether the computer is allowed to be infected with data-encrypting malware. For this reason, it connects to https[:]//api.2ip.ua/geo.json and saves the response into a geo.json file. This file may contain your country name, city, zip code and other details. You can see a screenshot of this file down below. The ransomware then checks its exception country list to ensure that the system can be attacked. The virus tends to cease its operations if it finds that your country matches one of the following: Tajikistan, Ukraine, Kyrgyzstan, Russia, Syria, Kazakhstan, Armenia, Belarus or Uzbekistan. If a match is not found, the ransomware proceeds to collect some information about the compromised system into an information.txt file (as depicted below). The virus gathers details such as your computer’s name, user name, operating system version, infection timestamp, hardware details, installed software list and active processes list. The virus also takes a screenshot of the desktop and sends it along with the information.txt file to its Command&Control server. Next, the ransomware tries to get an online encryption key from its C&C server. If it succeeds, it saves the key to the bowsakkdestx.txt file along with the victim’s unique ID. Otherwise, the ransomware uses an offline key for encryption, which is hardcoded into the ransomware’s code. Either way, the key and the ID will be saved to the aforementioned file, and the ID will be saved to a PersonalID.txt file located in C:\SystemID.
It is also important to mention that the use of an offline encryption key is what leaves a chance of decrypting files in the future, as explained here. You can identify whether online or offline encryption was used by looking at the last two characters in the PersonalID.txt file. If these are t1, it indicates offline key encryption. The ransomware then begins using a combination of Salsa20 and RSA-2048 encryption to lock all files on the computer system. You can see a screenshot of an affected data folder in the image below. Simultaneously, the virus saves a copy of the _readme.txt note in every affected data folder. A screenshot of the ransom note is shown down below. Finally, the virus drops the additional malware brought alongside it (such as AZORULT or VIDAR) and deletes Volume Shadow Copies from the system. Getting rid of those ensures that the victim won’t have access to existing System Restore Points. Additionally, the virus may edit your Windows HOSTS file to prevent access to a list of websites. After inspecting the blocked websites’ list, we can say that the attackers try to prevent you from visiting websites that provide relevant cybersecurity news and information regarding ransomware prevention and incident response. Attempts to visit one of the blocked websites may trigger a DNS_PROBE_FINISHED_NXDOMAIN error in your web browser.
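The following triage helper is an added example written for this article, not code from the original page or from any tool it mentions. It applies three of the artefacts described above to a constructed sample: the t1 suffix rule for PersonalID.txt, the _readme.txt notes and .nnqp files left in every affected folder, and HOSTS-file entries that sink host names to 0.0.0.0 or 127.0.0.1. The personal ID value and the .invalid host names in the sample are placeholders, not real indicators.

```python
import os
import tempfile
from pathlib import Path

OFFLINE_SUFFIX = "t1"           # offline-key personal IDs end in t1
RANSOM_NOTE = "_readme.txt"
ENCRYPTED_EXT = ".nnqp"
LOCAL_SINKS = ("0.0.0.0", "127.0.0.1")

def key_mode(personal_id: str) -> str:
    """Classify the PersonalID.txt value: offline if it ends in t1, else online."""
    return "offline" if personal_id.strip().endswith(OFFLINE_SUFFIX) else "online"

def scan_tree(root: str) -> dict:
    """Walk a directory tree, collecting .nnqp files and _readme.txt notes."""
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}

def blocked_hosts(hosts_text: str) -> list:
    """Return host names a HOSTS file sinks to 0.0.0.0/127.0.0.1, ignoring
    comments and the stock localhost lines (the HOSTS tampering described above)."""
    found = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] in LOCAL_SINKS:
            for host in parts[1:]:
                if host not in ("localhost", "localhost.localdomain") and host not in found:
                    found.append(host)
    return found

def build_sample_tree() -> str:
    """Constructed sample tree: two encrypted files, one untouched, a note per folder."""
    root = Path(tempfile.mkdtemp(prefix="nnqp_sample_"))
    docs = root / "Documents"
    docs.mkdir()
    for folder in (root, docs):
        (folder / RANSOM_NOTE).write_text("ATTENTION! (constructed ransom note)")
    (docs / "report.docx.nnqp").write_bytes(b"\x00" * 16)
    (root / "photo.jpg.nnqp").write_bytes(b"\x00" * 16)
    (root / "untouched.txt").write_text("not encrypted")
    return str(root)

SAMPLE_HOSTS = """# constructed HOSTS sample, .invalid names are placeholders
127.0.0.1 localhost
0.0.0.0 security-news-site.invalid   # sinkholed entry
0.0.0.0 av-vendor-site.invalid
"""

def triage(root: str, personal_id: str, hosts_text: str) -> dict:
    """Combine the three checks into one incident summary."""
    tree = scan_tree(root)
    return {"key_mode": key_mode(personal_id), "encrypted": len(tree["encrypted"]),
            "notes": len(tree["notes"]), "blocked_hosts": blocked_hosts(hosts_text)}
```

On a real machine, pass the drive root, the contents of C:\SystemID\PersonalID.txt and the text of the Windows HOSTS file instead of the constructed sample.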
Remove NNQP Ransomware Virus and Decrypt or Repair Your Files
In the unfortunate event of becoming a victim of a file-encrypting malware attack, we recommend that you take action and remove NNQP ransomware virus along with other malware from your computer running the Windows operating system. The best way to do this is to run your computer in Safe Mode with Networking, so make sure to read the guidelines on how to do it below. Once you’re in the said mode, choose the right antivirus for the task. Our team recommends using INTEGO Antivirus, which is an excellent tool for protecting your PC and stopping malware before it enters it. Additionally, we suggest downloading RESTORO to repair virus damage to Windows OS files. You can find the full NNQP virus removal tutorial below. Do not forget to inform your local law enforcement agency about the ransomware incident and change all of your passwords associated with the infected machine as soon as possible. You can use data backups to recover your files, or learn about the chances to decrypt/repair files locked by STOP/DJVU variants (see the corresponding section below or read the in-depth article about it here).
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair the virus damage caused to the system. GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-the-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats; Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read the full review here.
RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with a professional antivirus. The full version of the software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses the AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read the full review here.
Method 1. Enter Safe Mode with Networking
Before you try to remove NNQP Ransomware Virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot the PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
Now, you can search for and remove NNQP Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus; besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such a type of computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking the ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. It includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you’re looking for an all-in-one system maintenance suite, this one has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, a password manager, online privacy protection and secure driver wiping technology. Due to its wide range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt NNQP files
Fix and open large NNQP files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the first 150 KB of each file, so that the virus manages to affect all files on the system quickly. In some cases, the malicious program might skip some files altogether. That said, we recommend testing this method on several big (>1 GB) files first.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. NNQP Ransomware Virus is considered a new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find the full list here). This means full data decryption is now possible only if you have been affected by an offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher, Michael Gillespie. Note! Please do not spam the security researcher with questions about whether he can recover your files encrypted with an online key – it is not possible. In order to test the tool and see if it can decrypt NNQP files, follow the given tutorial.
Meanings of decryptor’s messages
The NNQP decryption tool might display several different messages after a failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor’s database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs you that your files were encrypted with an online key, meaning no one else has the same encryption/decryption key pair; therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your NNQP extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend that you follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of NNQP Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
In the United States, go to the On Guard Online website.
In Australia, go to the SCAMwatch website.
In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
In Ireland, go to the An Garda Síochána website.
In New Zealand, go to the Consumer Affairs Scams website.
In the United Kingdom, go to the Action Fraud website.
In Canada, go to the Canadian Anti-Fraud Centre.
In India, go to the Indian National Cybercrime Reporting Portal.
In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.