Nuksus Ransomware Removal Guide

Do you know what Nuksus Ransomware is?

Nuksus Ransomware is a threat that might have been unfinished at the time of research. We know that it comes from the STOP Ransomware family, but it did not act like other infections from this family during analysis. Although it encrypted files just like Dutan Ransomware, Zatrov Ransomware, Vesrato Ransomware, and all other well-known threats, it did not create a ransom note, and there were no additional components created. The only thing that ran was the executable. Most likely, the threat will evolve in the future, and so the manual removal guide below explains where to look for malicious components. If we learn anything new, this report will be updated. At the end of the day, if you need to delete Nuksus Ransomware, you need to do it fast, and it does not matter how many components exist.

Since Nuksus Ransomware was not fully functional at the time of research, it is hard to say how exactly this threat could spread. Most likely, of course, it will use spam email attachments with macros to trick victims into executing the infection themselves. Malicious downloaders and remote access vulnerabilities could be used successfully too. The bottom line is that the attackers intend for you not to notice when Nuksus Ransomware slithers in, so that it can encrypt your personal files without disturbance. When personal files are encrypted, the “.nuksus” extension is added to their names, and when you see this extension, you do not need to try to open the file. This file is encrypted, and, therefore, is no longer readable. Although, at the time of research, a ransom note was not available, it should be represented as a .TXT file created in all affected folders and directories.

When we analyzed STOP Ransomware infections, the same demands were linked to them all. The attackers behind them claimed that victims could get the files decrypted only if they paid a ransom of $490. It was also always stated that the price would grow to $980 if it was not paid within three days. Even if victims decided that they wanted to pay the ransom, they could not do it right away because the ransom note lacked some basic information regarding the payment. Most likely, this was done intentionally so that the victim would end up exposing themselves to the attackers via email or Telegram. If Nuksus Ransomware ends up creating a message of the same nature, we do not advise communicating with the attackers because once they can reach you via email or Telegram, they could expose you to new misleading messages. Furthermore, paying the ransom is extremely risky too. After all, you do not know for sure if you would get the decryptor after paying for it.

Even though only one malicious file was linked to Nuksus Ransomware, if it acts like a normal STOP Ransomware infection, it should create additional components, and they must be deleted too. The instructions below show what other elements you should look for. Of course, if you can find them, you should eliminate them without hesitation. Since most victims are unlikely to be able to remove Nuksus Ransomware manually, it is our recommendation to install trusted anti-malware software. Since it can secure the system as well as automatically erase active infections, you should really consider installing it. If you decide otherwise, make sure you do not forget to secure your operating system against new malicious threats that could try to attack at any point.

Remove Nuksus Ransomware

  1. Locate the [unknown name].exe file that launched the ransomware.
  2. If you can find this malicious file, right-click it and select Delete.
  3. If a ransom note file exists (should be named _readme.txt), you are likely to find its copies everywhere, and you want to Delete them all.
  4. Launch Windows Explorer by tapping Win+E keys.
  5. Enter %LOCALAPPDATA% into the field at the top to access the directory.
  6. If you can find an unfamiliar [unknown name] folder with a malicious [unknown name].exe file inside, you should right-click and Delete it.
  7. Enter %WINDIR%\System32\Tasks\ into the field at the top.
  8. If a task called Time Trigger Task exists, right-click it and select Delete.
  9. Launch Run by tapping Win+R keys.
  10. Enter regedit into the dialog box and click OK to launch Registry Editor.
  11. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  12. If you can locate a value named SysHelper, you should right-click and Delete it.
  13. Empty Recycle Bin and then examine the system for malicious leftovers using a reliable malware scanner.
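The following PowerShell script is an added triage helper, not part of the original guide or of any vendor tool. It checks, in one pass, for the artifacts the manual steps above tell you to look for (files carrying the “.nuksus” extension, _readme.txt copies, an unsigned .exe sitting in a folder directly under %LOCALAPPDATA%, the “Time Trigger Task” scheduled task, and the SysHelper value in the HKCU Run key) and only reports what it finds; it deletes nothing, so you can review each finding before applying the corresponding removal step. The folder-plus-unsigned-executable heuristic and the default scan root ($env:USERPROFILE) are assumptions made for this example.

```powershell
# Added triage script (not from the original guide). Reports STOP/Nuksus-style
# artifacts described in the removal steps; makes no changes to the system.
param(
    [string[]]$ScanRoots = @($env:USERPROFILE),   # assumption: user profile holds the personal files
    [string]$Extension   = ".nuksus"              # extension appended to encrypted files
)

function New-Finding([string]$Check, [int]$Count, [string[]]$Detail) {
    # One row per check; only the first five paths are shown to keep the table readable.
    [pscustomobject]@{
        Check  = $Check
        Count  = $Count
        Detail = ($Detail | Select-Object -First 5) -join '; '
    }
}

$findings = @()

# 1. Encrypted files: every file carrying the extension the ransomware appends.
$encrypted = @(Get-ChildItem -Path $ScanRoots -Recurse -File -Filter "*$Extension" -ErrorAction SilentlyContinue)
$findings += New-Finding "Encrypted files ($Extension)" $encrypted.Count ($encrypted.FullName)

# 2. Ransom notes: the guide expects _readme.txt copies in every affected folder.
$notes = @(Get-ChildItem -Path $ScanRoots -Recurse -File -Filter '_readme.txt' -ErrorAction SilentlyContinue)
$findings += New-Finding 'Ransom notes (_readme.txt)' $notes.Count ($notes.FullName)

# 3. Dropped payload (heuristic, an assumption of this example): a folder directly under
#    %LOCALAPPDATA% holding an .exe with no valid Authenticode signature.
$suspectExes = @()
Get-ChildItem -Path $env:LOCALAPPDATA -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    Get-ChildItem -Path $_.FullName -File -Filter '*.exe' -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') { $suspectExes += $_.FullName }
    }
}
$findings += New-Finding 'Unsigned .exe directly under %LOCALAPPDATA%\<folder>' $suspectExes.Count $suspectExes

# 4. Persistence via scheduled task: the task named in the guide, checked both through the
#    Task Scheduler service and as its XML file under %WINDIR%\System32\Tasks.
$task     = Get-ScheduledTask -TaskName 'Time Trigger Task' -ErrorAction SilentlyContinue
$taskFile = Join-Path $env:WINDIR 'System32\Tasks\Time Trigger Task'
$taskHits = @()
if ($task)               { $taskHits += "registered task: $($task.TaskPath)$($task.TaskName) -> $($task.Actions.Execute)" }
if (Test-Path $taskFile) { $taskHits += "task file: $taskFile" }
$findings += New-Finding 'Scheduled task "Time Trigger Task"' $taskHits.Count $taskHits

# 5. Persistence via Run key: the SysHelper value in HKCU.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal  = Get-ItemProperty -Path $runKey -Name 'SysHelper' -ErrorAction SilentlyContinue
$runHits = @()
if ($runVal) { $runHits += "$runKey\SysHelper = $($runVal.SysHelper)" }
$findings += New-Finding 'Run key value SysHelper' $runHits.Count $runHits

# Summary table: any row with Count greater than 0 maps to a step in the guide above.
$findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell window on the affected machine (the scheduled task query needs administrator rights). A non-zero count in a row means the matching manual step applies; the scan of %LOCALAPPDATA% will also list legitimate unsigned programs, so treat that row as a list of candidates to inspect, not as proof of infection.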

In non-techie terms:

If your personal files were encrypted by Nuksus Ransomware, you might be unable to decrypt them. We certainly do not recommend relying on the decryptor offered by the attackers because even if it exists, you are unlikely to obtain it by paying the huge ransom. Hopefully, you can find a free decryptor, or you can replace the corrupted files with backup copies. Speaking of backups, you want to have copies of all of your personal files stored outside the computer because you never know when a new file-corrupting or file-removing infection will slither into your system next. Of course, you can decrease the chances of facing malware by implementing trustworthy anti-malware software, but you have to be cautious at all times anyway. If you install this software, you will have Nuksus Ransomware removed automatically, but if that is not your preferred option, you will have to delete the threat manually.