The Neon virus belongs to the STOP/DJVU family and infects computer systems with ransomware. It encrypts various files, including videos, photos, and documents, and appends the “.neon” extension to them. This virus utilizes a robust encryption method, making it nearly impossible to calculate the decryption key through any means.
I have compiled a comprehensive collection of potential solutions, tips, and techniques to actively combat the Neon virus and recover your files. While some situations offer straightforward options for retrieving files, others present significant challenges.
📌 Important Reminder!
It is crucial to note that paying the ransom does not guarantee the successful recovery of your files. The individuals behind the Neon virus are known for their untrustworthiness. There have been instances where victims have paid the ransom, only to be denied the decryption key by the cybercriminals.
When the Neon virus infects a computer’s operating system and initiates the file encryption process, it alters the file extensions of the encrypted files by appending “.neon” to them. To regain access to these encrypted files, the virus demands a ransom payment in exchange for the decryption key. Typically, a ransom note named “_readme.txt” is displayed, outlining the payment instructions.
Neon employs a unique identification code for each victim, except in one specific scenario:
- If the Neon virus fails to establish a connection with its command and control servers (C&C Server) prior to initiating the encryption process, it resorts to using an offline key. This offline key remains the same for all victims, potentially offering a means of decrypting files affected by the ransomware attack.
Is Neon a virus?
☝️ Neon can be correctly identified as a STOP/DJVU ransomware infection.
🤔 Neon virus is ransomware that originates from the DJVU/STOP family. Its primary purpose is to encrypt files that are important to you. After that, the ransomware asks its victims for a ransom fee ($490 – $980) in Bitcoin.
The Neon ransomware is a kind of malware that encrypts your documents and then forces you to pay to restore them. Note that the Djvu/STOP ransomware family was first revealed and analyzed by virus analyst Michael Gillespie.
Neon virus is similar to other members of the same DJVU family: Weqp, Weon, Werz. This virus encrypts all popular file types and adds its particular “.neon” extension to every affected file. For example, the file “1.jpg” will be changed into “1.jpg.neon”. As soon as the encryption is accomplished, the virus creates a specific text file, “_readme.txt”, and adds it to all folders that contain the modified files.
The image below gives a clear view of how files with the “.neon” extension look:
| Name | Neon Virus |
| --- | --- |
| Ransomware family | DJVU/STOP ransomware |
| Extension | .neon |
| Ransomware note | _readme.txt |
| Ransom | From $490 to $980 (in Bitcoins) |
| Contact | [email protected], [email protected] |
| Detection | Trojan:Win32/Redline!ic, Trojan:Win32/Vindor!pz |
| Symptoms | Files renamed with the “.neon” extension; a “_readme.txt” ransom note dropped in every affected folder |
| Fix Tool | GridinSoft Anti-Malware (6-day free trial available) |
This _readme.txt file demands payment in exchange for the decryption key that restores the files:
_readme.txt (NEON Ransomware) – the scary alert demanding that users pay the ransom to decrypt the encoded data contains these frustrating warnings
The Neon ransomware is designed to execute multiple processes on a victim’s computer. One of the initial processes launched is winupdate.exe, which displays a deceptive Windows update prompt during the attack. This is intended to mislead the victim into believing that a legitimate Windows update causes a sudden system slowdown. Meanwhile, another process, usually named with four random characters, scans the system for target files and encrypts them. To eliminate any possibility of file restoration, the ransomware then proceeds to delete Volume Shadow Copies from the system using the following CMD command:
vssadmin.exe Delete Shadows /All /Quiet
Once these copies are deleted, it becomes impossible to restore the previous state of the computer using System Restore Points. The ransomware operators intentionally remove Windows OS-based methods that could potentially aid victims in file recovery without payment. Additionally, the criminals modify the Windows HOSTS file by adding a list of domains and mapping them to the localhost IP. Consequently, when attempting to access any of the blocked websites, the victim encounters a DNS_PROBE_FINISHED_NXDOMAIN error.
It has been observed that ransomware aims to block websites that provide various how-to guides for computer users. By restricting access to specific domains, the criminals attempt to hinder victims from obtaining relevant and helpful information related to ransomware attacks. The virus also generates two text files on the victim’s computer containing attack-related details: the victim’s public encryption key and personal ID. These files are named bowsakkdestx.txt and PersonalID.txt.
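The behaviours just described (the vssadmin shadow-copy deletion, the HOSTS-file entries pointing at localhost, the “.neon” extension and the dropped _readme.txt / bowsakkdestx.txt / PersonalID.txt files) can be turned into simple triage checks a responder runs over collected evidence. The Python below is an added example, not code from the original post; the process-log lines, hosts entries and file paths it scans are constructed samples, and the .example domains and victim paths are placeholders.

```python
import re

# Constructed sample inputs (not real telemetry), shaped like the behaviour described above.
SAMPLE_PROCESS_LOG = [
    "10:00:01 C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "10:00:05 C:\\Users\\victim\\AppData\\Local\\winupdate.exe",
    "10:00:09 C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet",
]
SAMPLE_HOSTS = ("127.0.0.1 localhost\n::1 localhost\n"
                "127.0.0.1 howto-guides.example  # added by the malware\n127.0.0.1 ransomware-help.example\n")
SAMPLE_PATHS = [
    "C:\\Users\\victim\\Pictures\\1.jpg.neon",
    "C:\\Users\\victim\\Pictures\\_readme.txt",
    "C:\\Users\\victim\\PersonalID.txt",
    "C:\\Users\\victim\\Documents\\report.docx",
]
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "::1"}
ARTIFACT_NAMES = {"_readme.txt", "bowsakkdestx.txt", "personalid.txt"}

def shadow_copy_deletions(log_lines):
    """Return process-log lines whose command line deletes Volume Shadow Copies."""
    return [line for line in log_lines if SHADOW_DELETE.search(line)]

def hosts_sinkholes(hosts_text):
    """Return (ip, host) pairs that map a name other than localhost to a loopback address."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenize
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            hits.extend((fields[0], n) for n in fields[1:] if n.lower() != "localhost")
    return hits

def neon_artifacts(paths):
    """Return paths that carry the .neon extension or one of the dropped artifact file names."""
    hits = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.endswith(".neon") or name in ARTIFACT_NAMES:
            hits.append(path)
    return hits

def triage(log_lines, hosts_text, paths):
    """Run all three checks; an empty report means no STOP/DJVU indicator fired."""
    report = {}
    for key, hits in (("shadow_copy_deletion", shadow_copy_deletions(log_lines)),
                      ("hosts_sinkhole", hosts_sinkholes(hosts_text)),
                      ("neon_artifact", neon_artifacts(paths))):
        if hits:
            report[key] = hits
    return report
```

On a real machine you would feed these functions the process-creation log export, the contents of C:\Windows\System32\drivers\etc\hosts and a directory listing; none of the checks need the sample to be present.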

Even after implementing these modifications, the malware does not cease its activities. Variants of the STOP/DJVU malware often deploy Vidar password-stealing Trojans on compromised systems. This particular threat boasts an extensive range of capabilities, including:
- Stealing login/password credentials for platforms like Steam, Telegram, and Skype;
- Pilfering cryptocurrency wallets;
- Downloading and executing additional malware on the infected computer;
- Extracting browser cookies, saved passwords, browsing history, and other sensitive information;
- Viewing and manipulating files residing on the victim’s computer;
- Granting hackers the ability to remotely carry out various tasks on the victim’s computer.
The DJVU/STOP virus employs the AES-256 cryptography algorithm. Therefore, if your documents have been encrypted with a unique online decryption key, it becomes practically impossible to decrypt the files without possessing that specific key.
In the event that Neon operates in online mode, obtaining access to the AES-256 key becomes unattainable. The key is securely stored on a remote server owned by the criminals responsible for distributing the Neon ransomware.
To obtain the decryption key, a payment of $980 is required. Victims are instructed to contact the fraudsters via email ([email protected]) to receive the payment details.
The message by the ransomware states the following information:
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-WJa63R98Ku Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Do not pay for Neon!
Please, try to use the available backups, or Decrypter tool
The ransom note, “_readme.txt,” additionally instructs computer owners to contact Neon representatives within 72 hours of their files being encrypted. By adhering to this timeframe, users are eligible for a 50% discount, reducing the ransom amount to $490. However, I strongly discourage paying the ransom.
Instead, I highly recommend exploring alternative options to recover your lost data, such as utilizing available backups or employing a Decrypter tool.
It is important to understand that most ransomware viruses follow a similar pattern in generating a unique decryption key for data recovery. Unless the ransomware is still in the developmental stage or contains significant vulnerabilities, manually decrypting the encrypted data is not feasible. Regularly creating backups of your critical files is the most effective way to prevent data loss.
Remember that even if you maintain regular backups, they should be stored in a separate location disconnected from your primary workstation. For example, you can store backups on a USB flash drive, an external hard drive, or utilize online (cloud) storage solutions.
It is worth noting that keeping your backup data on your main device may also be susceptible to encryption, just like other data. Therefore, it is not advisable to store backups on your primary device.
How was I infected?
Ransomware has various methods of getting into your system, but it doesn’t really matter which particular method was used in your case.
Neon attack following a successful phishing attempt.
However, these are the common vulnerabilities through which the Neon ransomware may infiltrate your PC:
- Hidden installation bundled with other apps, particularly utilities that are offered as freeware or shareware;
- Dubious spam emails with malicious links that lead to the installation of the virus;
- Utilizing online free hosting resources;
- Engaging in the use of illegal peer-to-peer (P2P) platforms for downloading pirated software.
There have been instances where the Neon virus was disguised as a legitimate tool, such as messages urging users to initiate unwanted software or browser updates. This is a common tactic employed by online fraudsters to manipulate users into manually installing the Neon ransomware, essentially tricking them into actively participating in the process.
Naturally, the bogus update alert will not disclose that you are actually installing the virus. Instead, the installation process will be camouflaged under an alert claiming that you need to update Adobe Flash Player or some other suspicious program.
Certainly, the usage of cracked apps also poses a significant risk. Downloading pirated software over peer-to-peer (P2P) networks is not only illegal but can also lead to the infiltration of severe malware, including the Neon ransomware.
To summarize, what can you do to prevent the intrusion of the Neon ransomware into your device? While there is no foolproof method to guarantee complete protection for your PC, there are certain tips I would like to share to help mitigate the risk of Neon infection. It is crucial to exercise caution when installing free software nowadays.
Always take the time to read what additional components the installers may offer alongside the main free program. Avoid opening suspicious email attachments and refrain from opening files sent by unknown senders. Furthermore, ensure that your security program is consistently updated.
Malware does not openly disclose its presence. It will not be listed among your installed programs. Instead, it remains disguised as a malicious process running discreetly in the background, starting from the moment you boot up your computer.
How To Remove Neon Virus?
In addition to encrypting a victim’s files, the Neon infection has also started to install the Vidar Stealer on the system to steal account credentials, cryptocurrency wallets, desktop files, and more.
Reasons why I would recommend GridinSoft
- Run the setup file.
- Press the “Install” button.
- Once installed, Anti-Malware will automatically run.
- Wait for the scan to complete.
- Click on “Clean Now”.