Home / Spyware Help / NanoLocker Ransomware Removal Guide

NanoLocker Ransomware Removal Guide

by 0 Comments

Do you know what NanoLocker Ransomware is?

NanoLocker Ransomware is a type of Trojan that was created by greedy cyber criminals to extort money from you. Therefore, it is vital that you remove it from your PC as soon as possible. This ransomware is set to encrypt various files of different formats that may be of huge personal importance to you and demand that you pay a ransom fee in Bitcoins in exchange for the decryption key that will render them accessible again. However, or malware researches insist on not paying the ransom because there is no guarantee that you will receive the decryption key. This description will provide you with essential information that will help you get a better understanding about how this infection works and ways you can delete it from your PC. So without further ado, let us begin our analysis by starting with its origins.

Obviously, this infection was not developed by a company that can be called any even remotely legitimate. Its developers are the real deal and they can only be referred to as none other than cyber criminals because NanoLocker Ransomware is an illicit program and its developers would have to answer for creating and using it according to the laws of most countries around the globe.NanoLocker Ransomware Removal GuideNanoLocker Ransomware screenshot
Scroll down for full removal instructions

Therefore, the criminals that have created it and use it use various highly deceptive methods to distribute it. Your computer might accidentally become infected with this ransomware if you click fake updates for various third-party software products that most need to have, such as Java and Adobe Flash Player updates. You may encounter these fake updates by browsing on a malicious website. In most cases you should be presented with a pop-up message that will say that you need to update your Java or Adobe Flash to see and play certain content. And, if you click download, then you are in big trouble. Furthermore, our researchers believe that cyber criminals might also distribute it using email spam. Such emails are automatically sent from a server and they usually contain a self-extracting WinRar archive, so if you do not have an antimalware tool, then there is no stopping NanoLocker Ransomware.

Once you computer has become infected with this ransomware, it will create a hidden directory that will contain all of its files at C:\Users\user\AppData\Local. Its primary executable is named lansrv.exe, but it may also include other files with the dynamic link library (DLL) extension. Also, it creates one registry entry that serves as the Point of Execution (POE) at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. And, its registry value should be named LanmanServer.

After it is executed, it will spring into action and encrypt various files, including: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .java, .jpeg, .pptm, .pptx, .xlsb, .xlsm, .db, .docm, .sql, and .pdf. However, it does not add any extensions to these files. After the encryption is completed, NanoLocker Ransomware will dump two files in every location where an aforementioned file type was encrypted. The files are named Decryptor.lnk and ATTENTION.RTF. Decryptor.lnk redirects you to C:\Users\user\AppData\Local, while ATTENTION.RTF contains the same information that is displayed on the main NanoLocker screen message. And, on that note, we should analyze what that message says.

Your important files are encrypted: photos, documents, etc.

To get Key to decrypt files you have to pay 0.1 bitcoin (BTC) ~ $43.

If payment is not made before Sunday, January 17, 2016 the cost of Key will increase 5 times and will be 0.5 BTC.

As you can see, this ransomware can ask for a lot of money, but this is subject to change because it is possible to change the sum and conditions of it. This message provides detailed step-by-step instructions on how to pay the ransom fee in Bitcoins. Firstly, it will ask you to create a new Bitcoin wallet on one of their recommended websites. Then, it will recommend that you put in 0.11 BTC into the wallet. And send it to their provided address. After you have done that, you will have to wait up to 24 hours to receive the decryption key, but as we said, you might not get it at all. In case you do get it, you will have to copy it from the clipboard to the Decryptor “Key Field” and click Decrypt files.

We do not recommend paying the ransom fee because it is quite likely that you will not receive the decryption key at all. And, if you pay the ransom, then you will also fuel their greed and fund their next ransomware project. So you should backup your files from an external drive if possible after you remove NanoLocker Ransomware using our manual removal guide or our recommended antimalware tool SpyHunter. If you have any questions or problems, do not hesitate to leave a comment in the comment section below, and we will get back to you as soon as we can.

Enable Hidden files and Folders

Windows 10/8.1/8

  1. Simultaneously press the Windows Key+E keys.
  2. Click the View tab and select Show hidden files and folders.

Windows 7 and Vista

  1. Simultaneously press the Windows Key+E keys.
  2. Click Organize and select Folder and Search Options.
  3. Click the View tab and select Show hidden files and folders.

Windows XP

  1. Open the Start menu and go to My Computer.
  2. Click Tools and go to Folder Options.
  3. Then, click on the View tab at the top of the window.
  4. Select Show hidden files and folders.
  5. Click OK.

How to manually remove NanoLocker Ransomware

  1. Simultaneously press the Windows Key+E keys.
  2. Go to C:\Users\{user}\AppData\Local.
  3. Locate lansrv.exe.
  4. Right-click on it and click Delete.

Delete the malicious registry value

  1. Simultaneously press the Windows Key+R keys.
  2. Type regedit in the dialog box and click OK.
  3. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  4. Locate LanmanServer.
  5. Right-click on it and click Delete.
  6. Exit the Registry Editor and Restart your computer.

In non-techie terms:

NanoLocker Ransomware is an infection that can secretly infect your computer via fake software updates or email spam. Once on your computer, it will encrypt your files and render them unusable. Then it will demand that you pay a ransom fee in Bitcoins. The sum is subject to change but cyber criminals are quite greedy and they set a payment deadline, and failure to meet it will result in the ransom fee increasing 5 times. However, there is no guarantee that you will receive the promise decryption key, so we suggest removing this infection.