NoobCrypt Ransomware Removal Guide

Do you know what NoobCrypt Ransomware is?

NoobCrypt Ransomware is a dangerous threat that can infiltrate your system without your knowledge and encrypt your most important files in a minute or two. This ransomware demands a relatively high price ($299) as a ransom fee in return for the decryption key that is only available through the criminals behind this attack who keep this key hidden on a remote server. You are given 2 days to transfer the money; or else, you could lose all your files. This infection blocks your screen as well as your system processes to push you into a corner leaving you seemingly no chance to recover your files but to pay up. But our researchers recommend that you do not do so even if you feel like there is no other solution. One reason we say so is that criminals rarely provide the key even after you transfer the money, not to mention the fact that technical issues may also arise. The other reason is that the sample our researchers tested in our internal lab actually has a hard-coded decryption key that we will reveal later on so that you can try to restore your files. Another option you have is using your recent backup from a removable drive if you have any. However, it is important that you remove NoobCrypt Ransomware immediately if you cannot use the decryption key or after you manage to unlock your files.NoobCrypt Ransomware Removal GuideNoobCrypt Ransomware screenshot
Scroll down for full removal instructions

Our research shows that this new ransomware is distributed mostly via spam mails. The sample we worked with was actually disguised as an Adobe Acrobat PDF document attachment. Criminals can use all kinds of tricks to evade spam filters and even the human factor, i.e., your own filtering by using well-known companies and institutions as senders as well as subjects that catch the eyes right away. These can be anything to do with invoices, credit card issues, reservations (flight or hotel), and the like. Even if you do not feel related to the subject, you would most likely open such a mail and the attached file right away. And this would be wrong, of course, because the moment you run the downloaded attachment, you actually infect your system with NoobCrypt Ransomware.

In order to avoid similar infections you should make sure that you only open mails and attachments that are surely sent to you personally. It is also very important that you keep your browsers and drivers (Java and Flash Player) always updated because cyber criminals can use so-called exploit kits to set up malicious webpages with infectious content that could drop such ransomware and other infections onto your system upon loading the page. In any case, if you realize that you have been hit by this malware, it is worth scanning your system with a reliable malware scanner right after you delete NoobCrypt Ransomware.

This dangerous infection is activated the moment you double-click on the malicious executable file you download from the spam mail. Unlike most of its peers, this ransomware does not copy itself and does not download or create other files on your system; it works straight through the downloaded file. It targets all your documents, photos, videos, archives, and program files, and in just a minute or two it encrypts them. Strangely enough this infection does not append any specific extensions to the encrypted files. However, if you try to run them, you will fail to do so. Once done, your desktop gets blocked by the full-screen ransom note that is programmed to always stay on top. Your system processes, such as regedit.exe and taskmgr.exe, get blocked from running so you have no chance to stop this beast or remove it easily.

This ransomware also creates a run registry value in "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" key, with the value name of "CryptoLocker" to make sure that it starts up automatically every time you try to reboot your system. The ransom note informs you about the scary fact that your files have been encrypted and you can only have the decryption key by transferring 299 USD in Bitcoins to the given Bitcoin address within 48 hours. There are two buttons at the bottom of this window. One is “Informations,” with a bit of broken English, and “Check.” By clicking the first button a red panel appears with some useful bits of information about the transfer and Bitcoins. The other button will open the unlock window, which requires the decryption key for you to be able to unlock your files. The good news is that this sample actually has a hard-coded decryption key ("ZdZ8EcvP95ki6NWR2j") that was reverse engineered by a researcher. You could try to use this in the unlock window and see what happens. Obviously, if the criminals realize their mistake, they may come out with a revised variant and this key will not work anymore. But no matter which version you actually have, we suggest that you remove NoobCrypt Ransomware ASAP unless you decide to pay or run the key first, of course.

When it comes to ransomware infections there is always a good teaching or lesson: To make regular backup copies on removable media. Having a backup can save you from the unnecessary and awful loss of your files in case of a severe attack such as this. Although you may be in the luck this time because you may be able to use the provided decryption key to unlock your files, it is still very important to make backups. But do not rush because first you should remove NoobCrypt Ransomware and only then start copying your files. If you decide to use the key, of course, you need to keep this infection active until you finish decoding your files. In order to clean your system you need to restart it in Safe Mode and then, remove the necessary files and registry keys. Please follow our instructions below to make sure you get it right. If you want to protect your computer from similar attacks, we suggest that you download and install a reputable malware removal application, such as SpyHunter.

Restart your PC in Safe Mode

Windows 8, Windows 8.1, and Windows 10

  1. On the Metro UI screen, press the Power button.
  2. Press and hold the Shift key and click Restart.
  3. Select Advanced options from the Troubleshooting menu.
  4. Click Startup Settings and pick Restart.
  5. Restart in Safe Mode by pressing the F4 key.

Windows XP, Windows Vista, and Windows 7

  1. Restart your computer and press F8 when BIOS loads.
  2. Choose Safe Mode and press the Enter key.

Remove NoobCrypt Ransomware from Windows

  1. Press Win+R and type regedit. Press OK.
  2. Locate and delete the value name of "CryptoLocker" from "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" registry key.
  3. Exit Registry editor and restart your computer in Normal Mode.

In non-techie terms:

NoobCrypt Ransomware is a nasty infection that can slither onto your system and encrypt your files. Once the damage is done, you are informed by a ransom note that fills your screen and blocks it at the same time. You cannot close this window and you cannot kill the process either. Normally, such an attack could mean the loss of all your files unless you have a backup copy stored on a removable drive. But in this case you may be able to use a decryption key ("ZdZ8EcvP95ki6NWR2j") that could work for anyone that has been infected with the same sample of this ransomware that we used for testing. We do not advise you to pay the ransom fee even if you cannot use this key to decrypt your files because there is no guarantee that you will get your decryption key from these criminals. Of course, the decision is only yours to make. Keep in mind that even if you remove NoobCrypt Ransomware, it does not mean that your files will be recovered. If you want an automatic and efficient solution to clean up this mess and protect your computer from further infections, we recommend that you use a powerful up-to-date anti-malware application.