What is NOKOYAWA Ransomware
NOKOYAWA is a ransomware-classified infection that runs encryption of data and blackmails victims into paying money for its recovery. A report published by Trend Micro featured similar attack traits of NOKOYAWA Ransomware to Hive – a widespread and disruptive group of developers that breached more than 300 organizations in just a few months. Cybercriminals behind NOKOYAWA Ransomware use the .NOKOYAWA extension to rename targeted data. For instance, a file like 1.xlsx
will change its name to 1.xlsx.NOKOYAWA
and reset the original icon as well. Successful encryption is therefore followed by ransom note creation – the NOKOYAWA_readme.txt file arrives on the desktop.
Dear usernamme, your files were encrypted, some are compromised.
Be sure, you can't restore it without our help.
You need a private key that only we have.
Contact us to reach an agreement or we will leak your black shit to media:
Brookslambert@protonmail.com
Sheppardarmstrong@tutanota.com
亲爱的用户名,您的文件已加密,有些已被泄露。
请确保,如果没有我们的帮助,您将无法恢复它。
您需要一个只有我们拥有的私钥。
联系我们以达成协议,否则我们会将您的黑屎泄露给媒体:
Brookslambert@protonmail.com
Sheppardarmstrong@tutanota.com
Inside this note, cybercriminals attempt to convince victims into opting for paid decryption. They duplicate information in English and Chinese guiding to contact extortionists through one of their e-mail addresses (brookslambert@protonmail.com or
sheppardarmstrong@tutanota.com). Should victims repel their suggestions, the swindlers threaten to publish, as they say, “black shit” to open-access resources. The price for decryption is kept secret until victims establish the contact and it is also likely to be evaluated individually for each victim. In other words, the amount of ransom may range vastly depending on how valuable the captured data is. As a rule, it is not recommended to trust cybercriminals and follow their demands since it can cost you simply a waste of money. Many ransomware cases show that extortionists tend to walk away without providing the promised decryption tools. Therefore, it is up to your own choice whether to pay it or not. The same applies to potential leakage of data as cybercriminals may still publish it without your consent despite paying the ransom. We should therefore say that no complete decryption is actually possible without the help of cybercriminals. They are the only figures wielding the right key to return the deprived access. You can try decryption and recovery instruments suggested in our article, however, no high hopes should be held for their ability to decrypt .NOKOYAWA files. Unless you are scared of having your data publicly leaked, the best way to recover files without paying the ransom is via backup copies. If such are available on external storage devices, you can easily use them to recover your data. Note that prior to trying any recovery methods including third-party instruments, it is important to delete the ransomware virus from your computer. Otherwise, it may continue its malicious activity.
How NOKOYAWA Ransomware infected your computer
Ransomware infections can be delivered in several ways including malicious email attachments (macros), torrent websites, and infectous ads. These channels are only a few yet most popular ones at the moment. For instance, malicious attachments (e.g. DOCX, PDF, EXE, RAR, ZIP, JS, etc.) are usually spread within e-mail spam letters. Such letters are often presented as something important or urgent, especially under the names of legitimate companies to trick users into opening malicious files or links. After such content gets open, the infection installs itself onto a system of unlucky users. In addition to this, people may get infected with any kind of malware by accidentally downloading fake software or updates (usually from suspicious torrent websites or one-page phishing websites). The installation process may look identical to the official windows updating, but run injection of malware instead. We thus recommend you to stay away from feeding your system with unofficial and trustless content. As an additional measure, you can also equip yourself with strong anti-malware software to combat such threats in the feature, even if they come to the doorstep of your system.
- Download NOKOYAWA Ransomware Removal Tool
- Get decryption tool for .NOKOYAWA files
- Recover encrypted files with Stellar Data Recovery Professional
- Restore encrypted files with Windows Previous Versions
- Restore files with Shadow Explorer
- How to protect from threats like NOKOYAWA Ransomware
Download Removal Tool
To remove NOKOYAWA Ransomware completely, we recommend you to use Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of NOKOYAWA Ransomware and prevents future infections by similar viruses.
Alternative Removal Tool
To remove NOKOYAWA Ransomware completely, we recommend you to use SpyHunter 5. It detects and removes all files, folders, and registry keys of NOKOYAWA Ransomware. The trial version of Spyhunter 5 offers virus scan and 1-time removal for FREE.
NOKOYAWA Ransomware files:
NOKOYAWA_readme.txt
{randomname}.exe
NOKOYAWA Ransomware registry keys:
no information
How to decrypt and restore .NOKOYAWA files
Use automated decryptors
Download Kaspersky RakhniDecryptor
Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .NOKOYAWA files. Download it here:
There is no purpose to pay the ransom because there is no guarantee you will receive the key, but you will put your bank credentials at risk.
Dr.Web Rescue Pack
Famous antivirus vendor Dr. Web provides free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help in the decryption of .NOKOYAWA files by uploading samples to Dr. Web Ransomware Decryption Service. Analyzing files will be performed free of charge and if files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.
If you are infected with NOKOYAWA Ransomware and removed from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:
Use Stellar Data Recovery Professional to restore .NOKOYAWA files
- Download Stellar Data Recovery Professional.
- Click Recover Data button.
- Select type of files you want to restore and click Next button.
- Choose location where you would like to restore files from and click Scan button.
- Preview found files, choose ones you will restore and click Recover.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there is no items in the list choose alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose alternative method.
If you are using Dropbox:
- Login to the DropBox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect computer from viruses, like NOKOYAWA Ransomware, in future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.
2. Back up your files
As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage can be instantly infected by the virus once plugged in or connected to. NOKOYAWA Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and a simple interface. You can read more about iDrive cloud backup and storage here.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.