What is MegaLocker Ransomware
MegaLocker Ransomware (NamPoHyu Virus) is new ransomware virus, that encrypts data from sites, servers, using AES-128 (CBC mode), and then requires $250 ransom for individuals ($1000 for companies) in BTC to return files. Any Windows computers, Linux devices and Android devices connected to computers and network devices used to access the Internet are subject to attack. After encryption MegaLocker adds .crypted or .NamPoHyu extensions to affected files. Ransomware creates ransom note called !DECRYPT_INSTRUCTION.TXT, and places it in each folder with encrypted files in the directories of compromised sites. Here is the content of this file:
What happened to your files ?
All of your files were protected by a strong encryption with AES cbc-128 using MegaLocker Virus.
What does this mean ?
This means that the structure and data within your files have been irrevocably changed,
you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.
The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.
What do I do ?
You can buy decryption for $800 for company and 250$ for private person.
But before you pay, you can make sure that we can really decrypt any of your files.
To do this, send us 1 random encrypted file to alexshkipper@firemail.cc, a maximum of 5 megabytes, we will decrypt them
and we will send you back. Do not forget to send in the letter your unique id: [redacted] You can check the decryption of more than one file, but no more than 3.
To do this, send us two more letters with files, there should be only one file in each letter!
If you are a private person, then send your private photo (birthday, holidays, hobbies and so on),
this will prove to us that you are a private person and you will pay 250$ for decrypting files.
If you are not a private person - Do not try to deceive us!!!
Do not complain about these email addresses, because other people will not be able to decrypt their files!
After confirming the decryption, you must pay it in bitcoins. We will send you a bitcoin wallet along with the decrypted file.
You can pay bitcoins online in many ways:
hxxps://buy.blockexplorer.com/ - payment by bank card
hxxps://www.buybitcoinworldwide.com/
hxxps://localbitcoins.net
About Bitcoins:
hxxps://en.wikipedia.org/wiki/Bitcoin
If you have any questions, write to us at alexshkipper@firemail.cc
What happened to your files ?
All of your files were protected by a strong encryption with AES cbc-128 using NamPoHyu Virus.
What does this mean ?
This means that the structure and data within your files have been irrevocably changed,
you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.
The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.
Your unique id: [redacted] What do I do ?
You can buy decryption for 250$.
But before you pay, you can make sure that we can really decrypt any of your files.
To do this:
1) Download and install Tor Browser ( hxxps://www.torproject.org/download/ )
2) Open the hxxp://qlcd3bgmyv4kvztb.onion/index.php?id=02DCED685XXXXXXXXX3C0DFD0E2***** web page in the Tor Browser and follow the instructions.
FAQ:
How much time do I have to pay for decryption?
You have 10 days to pay for the ransom after decrypting the test files.
The number of bitcoins for payment is fixed at the rate at the time of decryption of test files.
Keep in mind that some exchangers delay payment for 1-3 days! Also keep in mind that Bitcoin is a very volatile currency,
its rate can be both stable and change very quickly. Therefore, we recommend that you make payment within a few hours.
How to contact you?
We do not support any contact.
What are the guarantees that I can decrypt my files after paying the ransom?
Your main guarantee is the ability to decrypt test files.
This means that we can decrypt all your files after paying the ransom.
We have no reason to deceive you after receiving the ransom, since we are not barbarians and moreover it will harm our business.
How do I pay the ransom?
After decrypting the test files, you will see the amount of payment in bitcoins and a bitcoin wallet for payment.
Depending on your location, you can pay the ransom in different ways.
Use Google to find information on how to buy bitcoins in your country or use the help of more experienced friends.
Here are some links: https://buy.blockexplorer.com - payment by bank card
hxxps://www.buybitcoinworldwide.com
hxxps://localbitcoins.net
How can I decrypt my files?
After confirmation of payment (it usually takes 8 hours, maximum 24 hours)
you will see on this page ( hxxp://qlcd3bgmyv4kvztb.onion/index.php?id=02DCED685XXXXXXXXX3C0DFD0E2***** ) a link to download the decryptor and your aes-key
(for this, simply re-enter (refresh) this page a day after payment)
Download the program and run it.
Attention! Disable all anti-virus programs, they can block the work of the decoder!
Copy aes-key to the appropriate field and select the folder to decrypt.
The program will scan and decrypt all encrypted files in the selected folder and its subfolders.
We recommend that you first create a test folder and copy several encrypted files into it to verify the decryption.
MegaLocker Ransomware was first spotted in March, 2019, when multiple sources stated they were infected with MegaLocker Virus, that encrypted files on NAS devices with .crypted extension. In April, 2019 name was changed to NamPoHyu Virus and now .NamPoHyu extension is appended. Developers are from Russia (or Russian-speaking country). It is not recommended to pay the ransom to malefactors as there is no guarantee, they will send decryptor in return. Paying the ransom also stimulates the hackers to run malvertising campaign and infect new victims. We recommend you to try methods below to restore your files. File-recovery software may also help you return removed files. Follow detailed instructions below to remove MegaLocker Ransomware and decrypt .crypted or .NamPoHyu files in Windows 10, Windows 8 and Windows 7.
How MegaLocker Ransomware infected your PC
MegaLocker Ransomware focuses on network-attached storage (NAS) devices, some of which come with the Samba server to ensure compatibility when sharing files between different operating systems. It exploits the SambaCry vulnerability. SambaCry is a Linux Samba vulnerability that allows an attacker to open a command shell that can be used to download files and execute commands on a vulnerable device. MegaLocker Ransomware virus can be also propagated via spam attack with malicious e-mail attachments and by manual PC hacking. Can be distributed by hacking through an unprotected RDP configuration, fraudulent downloads, exploits, web injections, fake updates, repackaged and infected installers. Virus assigns certain ID with the victims, that is used to name those files and supposedly to send decryption key. In order to prevent infection with this type of threats in future we recommend you to use SpyHunter 5 or Norton Antivirus.
Download MegaLocker Ransomware Removal Tool
To remove MegaLocker Ransomware completely, we recommend you to use Norton Antivirus from Symantec. It detects and removes all files, folders and registry keys of MegaLocker Ransomware.
How to remove MegaLocker Ransomware manually
It is not recommended to remove MegaLocker Ransomware manually, for safer solution use Removal Tools instead.
MegaLocker Ransomware files:
!DECRYPT_INSTRUCTION.TXT
{randomname}.exe
MegaLocker Ransomware registry keys:
no information
How to decrypt and restore .crypted or .NamPoHyu files
There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.
If you are infected with MegaLocker Ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:
Use Stellar Phoenix Data Recovery Pro to restore .crypted or .NamPoHyu files
- Download Stellar Phoenix Data Recovery Pro.
- Select location to scan for lost files and click Scan button.
- Wait until Quick and Deep scans finish.
- Preview found files and restore them.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there is no items in the list choose alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose alternative method.
If you are using Dropbox:
- Login to the DropBox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect computer from viruses like MegaLocker Ransomware in future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.
2. Back up your files
Regardless of success of protection against ransomware threats, you can save your files using simple online backup. Cloud services are quite fast and cheap nowadays. There is more sense using online backup, than creating physical drives, that can get infected and encrypted when connected to PC or get damaged from dropping or hitting. Windows 10 and 8/8.1 users can find pre-installed OneDrive backup solution from Microsoft. It is actually one of the best backup services on the market, and has reasonable pricing plans. Users of earlier versions can get acquainted with it here. Make sure to backup and sync most important files and folders in OneDrive.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails is most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications, and provides very high level of anti-spam protection.