Most ransomware infections demand money in exchange for the key to decrypt encrypted files. But this time, a malware named nRansom swaps the usual ransom money for nude pictures in exchange for unlocking the computer.
So what exactly is nRansom ransomware? And how does it execute its attack?
nRansom ransomware was discovered by the MalwareHunterTeam. This malware actually works as a screen locker: it locks your computer and then demands that you send 10 nude pictures of yourself to a listed email address to regain access to your computer.
Clearly, this malware acts more like a screen-locking malware than a typical ransomware, as it does not really encrypt files. A typical ransomware demands ransom money, but this one demands 10 nude pictures which, according to its ransom note, will be sold on the dark web. And if its picture of Thomas & Friends does not indicate what a joke this ransomware is, then I don’t know what is.
After it has infiltrated your computer, nRansom ransomware extracts a Visual Basic program named nRansom.exe, some supporting DLL files, and an MP3 named your-mom-gay.mp3, all of which are placed in the %Temp% folder. After the files are extracted, the launcher executes the malicious executable, nRansom.exe, which locks the screen with a tiled Thomas & Friends background containing the following message:
nRansom
Your computer has been locked. You can only unlock it with the special unlock code. go to protonmail.com and create an account. Send as email to [email protected] We will not respond immediately. After we reply, you must send at least 10 nude pictures of you. After that we will have to verify that the nudes belong to you. Once you are verified, we will give you unlock code and sell your nudes on the deep web.
After it locks the computer screen, it plays the your-mom-gay.mp3 file as background music. The song is Frolic, known as the theme music of the Curb Your Enthusiasm show. The message on the lock screen tells you to send the nude pictures to the email address [email protected] – this email address has already been disabled by Protonmail.
How does nRansom ransomware spread its infection?
The nRansom ransomware’s distribution is quite buggy, and as of now it isn’t clear how it’s really distributed. It could spread in various ways, such as fake software updates, Trojans, peer-to-peer (P2P) networks, unofficial software download sources and even malicious spam email campaigns. So you have to be careful when downloading and opening any suspicious files, and you must scan them with an antivirus program like SpyRemover Pro before opening any of them.
Eliminate nRansom ransomware with the help of the removal guide below.
Step 1: Type in the code 12345 in the field to unlock your computer
Step 2: Open Windows Task Manager by pressing Ctrl + Shift + Esc at the same time.
Step 3: Go to the Processes tab and look for nRansom.exe and end its process.
Step 4: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 5: Look for any suspicious-looking program that could be related to nRansom ransomware and then uninstall it.
Step 6: Tap Win + E keys to open File Explorer.
Step 7: Navigate to the following locations.
- %TEMP%
- %APPDATA%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 8: Look for the nRansom’s malicious files listed below and delete all of them.
- exe
- your-mom-gay.mp3
The next step is not recommended if you don’t know how to navigate the Registry Editor. Registry changes can seriously affect your computer, so it is highly advised to use PC Cleaner Pro instead to get rid of the entries that nRansom ransomware created. If you are not familiar with the Windows Registry, skip to Step 12 onwards.
However, if you are well-versed in making registry adjustments, then you can proceed to Step 9.
Step 9: Open the Registry Editor. To do so, tap Win + R, type in regedit, press Enter, and then go to the following path:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Step 10: Look for suspicious registry entries created by nRansom and delete them.
Step 11: Close the Registry Editor and empty the Recycle Bin.
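The manual checks in Steps 2 to 10 can be run as one read-only pass. The PowerShell script below is an added example, not part of the original guide or of any vendor tool; it assumes the file names, folders and Run key listed above, and its check for Run values that launch from %TEMP% is an added heuristic.

```powershell
# Added example: read-only triage for the nRansom artifacts named in this guide.
# Nothing is killed or deleted; review the output, then clean up manually.
$fileNames   = 'nRansom.exe', 'your-mom-gay.mp3'        # names taken from the guide
$searchRoots = $env:TEMP, $env:APPDATA,
               (Join-Path $env:USERPROFILE 'Downloads'),
               (Join-Path $env:USERPROFILE 'Desktop')
$runKeyPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$namePattern = ($fileNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

$findings = @(
    # Steps 2-3: is the screen locker still running?
    Get-Process -Name 'nRansom' -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Type = 'Process'; Item = "PID $($_.Id)"; Detail = $_.Path }
    }

    # Steps 7-8: look for the dropped files under each listed folder.
    foreach ($root in ($searchRoots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $fileNames -contains $_.Name } |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                            -ErrorAction SilentlyContinue).Hash
                [pscustomobject]@{ Type = 'File'; Item = $_.FullName; Detail = "SHA256 $hash" }
            }
    }

    # Steps 9-10: list Run values that reference those files. Flagging anything
    # that starts from %TEMP% is an added heuristic, not a claim from the guide.
    $runKey = Get-Item -Path $runKeyPath -ErrorAction SilentlyContinue
    if ($runKey) {
        foreach ($name in $runKey.GetValueNames()) {
            $value  = [string]$runKey.GetValue($name)
            $inTemp = $value.IndexOf($env:TEMP, [StringComparison]::OrdinalIgnoreCase) -ge 0
            if ($value -match $namePattern -or $inTemp) {
                [pscustomobject]@{ Type = 'RunValue'; Item = $name; Detail = $value }
            }
        }
    }
)

if ($findings.Count -eq 0) {
    Write-Output 'No nRansom artifacts found in the checked locations.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it as the affected user, since %TEMP%, %APPDATA% and HKEY_CURRENT_USER are all per-user locations.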
Follow the continued advanced steps below to ensure the removal of the nRansom ransomware and its malicious files.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.