What is Nulltica ransomware?
Nulltica ransomware is a crypto-malware threat designed to encrypt files and hold them hostage until a ransom is paid. It was discovered by a malware security researcher named Karsten Hahn. Nulltica is based on the open source ransomware project called HiddenTear.
How does Nulltica execute its attack on the compromised computer?
After a successful infiltration, Nulltica encrypts important stored data using the AES 256 encryption algorithm. During encryption, the malware appends the .lock extension to the file names. Once file encryption is completed, it opens a pop-up window and a new browser tab that redirects you to WikiHow’s “How To Send Bitcoins” web page. The pop-up window contains its ransom note, which states:
“Your files have been blocked
Your files is encrypted (AES 256). You need a individual key to unlock your files.
Instructions how to unlock:
- Create bitcoin wallet (coin base, bitty or any else)
- Pay 50 USD to this wallet (bank card, transfer)
- Send 50 USD (if you don’t know how many USD = BTC – calculate with this website coindesk.com/calculator/ – for now 50 USD = 0.02 BTC
- Okay, now get your wallet address and put in on the left side. below “If you already paid”
- Click “unlock and remove the program”
- That’s it.
Warning: If you already paid and you have information “We don’t have your payment yet”, you must waiting (Usually max 12h).
Unlock
Pay 50 use to this BTC address
1MEnyVaoE5Wjzqedv74q1LB83ekULgM
If you already paid
Enter the bitcoin address which you sent
Unlock and remove the program”
As mentioned above, Nulltica uses the AES 256 cipher to encrypt files, meaning that decrypting a file requires a unique key, which is stored on a remote server controlled by the cyber criminals behind this malware. To get the key, you are pressured to pay the ransom, which is equivalent to $50 in Bitcoins. Although the amount is low, you shouldn’t even think about paying it, since researchers show that most ransomware victims are ignored by the crooks once payment is processed. So no, paying the ransom won’t solve your dilemma. The best thing you can do is to try other recovery options right after the ransomware removal, which will be discussed later in this article.
How does Nulltica infect a computer?
Cyber crooks proliferate their ransomware infections in several ways. Since Nulltica ransomware functions as Trojan.Ransom.Nulltica, Gen:Variant.Strictor.145532 (B), Trojan-Ransom.Win32.Blocker.kgwu and so on, it is likely to utilize abandoned and faulty applications. Aside from that, Nulltica also spreads through spam email containing a corrupted attachment supposedly sent by some official institution or group. You should also be cautious when surfing the web, because cyber criminals also place exploit kits that facilitate the ransomware infection.
Follow the guidelines below to remove Nulltica ransomware and to recover the encrypted files.
Step 1: Open Windows Task Manager by pressing Ctrl + Shift + Esc at the same time.
Step 2: Go to both the Application and Processes tabs and look for important.exe and any suspicious applications and processes and then kill them.
Step 3: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for Nulltica ransomware or any suspicious program and then uninstall it/them.
Step 5: Hold down Windows + E keys simultaneously to open File Explorer.
Step 6: Go to the directories listed below and look for the malicious file associated with Nulltica ransomware and delete it.
- %APPDATA%
- %TEMP%
- %USERPROFILE%\desktop
- %USERPROFILE%\downloads
Step 7: Close the browser that the ransomware opened as well as its program window.
The next steps are not recommended if you don’t know how to navigate the Registry Editor, because registry changes can seriously affect your computer. In that case it is highly advised to use PC Cleaner Pro instead to get rid of the entries that Nulltica ransomware created. So if you are not familiar with the Windows Registry, skip to Step 12 onwards.
However, if you are well-versed in making registry adjustments, then you can proceed to Step 8.
Step 8: Open the Registry Editor. To do so, tap Win + R, type in regedit and then press Enter.
Step 9: Navigate to the path below:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Step 10: Delete all the randomly named string values that launch the infection.
Step 11: Close the Registry Editor.
Step 12: Empty the Recycle Bin.
Step 14: Try to recover your encrypted files.
Note: Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Nulltica Ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties. A new window will pop up; proceed to the Previous Versions tab. It will load the file’s previous versions from before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below, and then click the Restore button.
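The manual checks in Steps 2, 6 and 9-10, plus the shadow-copy condition from the note above, can be gathered in one read-only pass. This PowerShell sketch is an added example, not part of the original guide; the helper name Test-InDropDir is hypothetical, and the script only lists candidates for review.

```powershell
# Added example: read-only triage. It lists candidates and deletes or changes nothing.
# Directories named in Step 6.
$dropDirs = @($env:APPDATA, $env:TEMP,
              (Join-Path $env:USERPROFILE 'Desktop'),
              (Join-Path $env:USERPROFILE 'Downloads'))

function Test-InDropDir([string]$Text) {
    # Hypothetical helper: true when the text contains a Step 6 directory path.
    foreach ($d in $dropDirs) {
        if ($d -and $Text.IndexOf($d, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

# Step 2: running processes named important.exe, with their on-disk path.
Get-Process -Name 'important' -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path | Format-List

# Steps 9-10: HKCU Run values whose command points into a Step 6 directory.
$runKey = Get-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $cmd = [string]$runKey.GetValue($name)   # REG_EXPAND_SZ is returned expanded
        if (Test-InDropDir $cmd) {
            [pscustomobject]@{ RunValue = $name; Command = $cmd } | Format-List
        }
    }
}

# Step 6: executables sitting directly in those directories, newest first.
Get-ChildItem -Path $dropDirs -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Sort-Object CreationTime -Descending |
    Select-Object FullName, CreationTime,
        @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } } |
    Format-List

# Previous Versions depends on shadow copies; listing them needs an elevated prompt.
try {
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop)
    "Shadow copies present: $($shadows.Count)"
} catch {
    "Could not query shadow copies (run elevated): $($_.Exception.Message)"
}
```

A Run value or executable that shows up here is only a candidate: legitimate software also starts from %APPDATA%, so check the file's signature and creation time before deleting anything.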
Follow the continued advanced steps below to ensure the removal of the ransomware infection:
Perform a full system scan using SpyRemover Pro.
- Turn on your computer. If it’s already on, you have to reboot.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once the download is done.
- Click OK to launch the program.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.