What is Nuclear ransomware?
Nuclear ransomware is a file-encrypting Trojan that was discovered on August 28, 2017 by Michael Gillespie. This ransomware infection is a new variant of the BTCWare ransomware group. It appears that majority of its attacks are aimed at English-speaking users based in Western Europe and North America but that does not exempt other users all over the world from getting infected as well since it spreads using spam bots. It is perceived to be a dangerous threat to small and medium size businesses as well as individual users.
Aside from Nuclear ransomware, the BTCWare ransomware group includes the Blocking ransomware, AnubiNotBTCWare ransomware. And this new ransomware, seems to use a slightly modified encryption algorithm and new obfuscation layers. In addition, there aren’t many changes compared to the latest variants which allowed antivirus programs to respond quickly to the attacks and limit access to domains linked to Nuclear ransomware. Just so you know malware like this mostly rely on a connection to a Command and Control server where the decryption key is supposedly stored.
How does Nuclear ransomware launch its attack on your computer?
Once it infiltrates your system, Nuclear encrypts certain file types using an AES 256 cipher. The compromised files are marked with the string “.[[email protected]].nuclear” placed after the default file extension. Ransomware mostly prioritizes the encryption of text files, spreadsheets, presentations, images, audios, videos, databases, etc. The encryption process is followed by the creation of the ransom note which is the HELP.hta file placed on the desktop, containing the following message:
“All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.”
Security experts do not recommend you to follow the instructions given in the ransom note. Aside from encrypting your files, this ransomware also deletes the Shadow Volume copies of your files to make it harder for you to recover your files. It would be safer if you restore your files by using data backups and archived copies of your files.
How does Nuclear ransomware spread its malicious infection?
This malware spreads its infections using spam emails. These spam emails may suggest that you have a pending bill or you need to review a project proposal and other antics just to trick you into opening the email and download its attachment. Their tricks have improved basing on the fact that many users still fall victim to their infection. In such cases, it is best if you delete any suspicious emails as soon as it pops up in your inbox. It is also recommended that you keep your antivirus and system updated to increase its resistance against these kinds of infection.
To terminate Nuclear ransomware, refer to the removal guide below.
Step 1: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time. Proceed to the Processes tab and look for suspicious processes that can be related to the Nuclear Ransomware.
Right-click on the processes, then click Open File Location and scan them using a powerful and trusted antivirus like SpyRemover Pro. After opening their folders, end their processes and delete their folders. If the virus scanner fails to detect something that you know is suspicious, don’t hesitate to delete it.
Step 2: Open Control Panel by pressing Start key + R to launch Run and type appwiz.cpl in the search box and click OK.
Look for Nuclear ransomware or any malicious program and then Uninstall it.
Step 3: Hold down Windows + E keys simultaneously to open File Explorer.
Step 4: Go to the directories listed below and then look for the corrupted files such as its ransom note, HELP.hta created by the malware.
- C:\Users\(your pcname)\AppData\Roaming
The next step below is not recommended for you if you don’t know how to navigate the Registry Editor. Making registry changes can highly impact your computer. So it is highly advised to use PC Cleaner Pro instead to get rid of the entries that Nuclear ransomware created. So if you are not familiar with the Windows Registry skip to Step 9 onwards.
However, if you are well-versed in making registry adjustments, then you can proceed to step 5.
Step 5: Open the Registry Editor, to do so, tap Win + R and type in regedit and then press enter.
Step 6: Navigate to the following path:
Step 7: Delete the registry value named DECRYPTINFO.
Step 8: Close the Registry Editor.
Step 9: Empty the Recycle Bin.
Follow the continued advanced steps below to ensure the removal of the Nuclear ransomware:
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once download is done.
- After all the infections are identified, click REMOVE ALL.
- Register SpyRemover Pro to protect your computer from future threats.