🔥 NOBU VIRUS (.nobu FILE) Ransomware — Recovery & Decrypt Data

Written by Wilbur Woodham
Every virus (not only NOBU Ransomware) is dangerous in its specific state. One steals your data, another includes your personal computer to the botnet, another makes your system full of promotions. But every one of these sorts is fading, when Nobu ransomware walks out.

It is very hard to imagine a more complicated and damaging malware: it encrypts your files and then forces you to pay ransom money, obstructing most of your tries to look for the solution in the web browser. In this guide, you will certainly see the tutorial for Nobu ransomware elimination, and also documents recovery after the invasion.

GridinSoft Anti-Malware Review

It is better to prevent, than repair and repent!

When we talk about the intrusion of unfamiliar programs into your computer’s work, the proverb “Forewarned is forearmed” describes the situation as accurately as possible. Gridinsoft Anti-Malware is exactly the tool that is always useful to have in your armory: fast, efficient, up-to-date. It is appropriate to use it as an emergency help at the slightest suspicion of infection.
GridinSoft Anti-Malware 6-day trial available.
EULA | Privacy Policy | GridinSoft

@topcybersecuritySubscribe to our Telegram channel to be the first to know about news and our exclusive materials on information security.

What is Nobu?

Nobu virus is a very complicated and dangerous malware, that can harm your system as well as your data. It may be properly named as ransomware infection.

The procedure that is utilized by the greater part of actual ransomware is quite easy, and Nobu (like all of the STOP/Djvu class) utilizes this scheme, too. It makes a copy of every file, encrypts that duplicate byte-by-byte, and after that wipes out the initial file, swapping it with the encrypted copy. The encryption algorithm is AES-256, that implies that there are about 2^256 separate passkeys1 – it is too much to decrypt with some common techniques, like brute force. You are required to work with decryption tools.

You will likely never miss the instance when Nobu ransomware will begin its task, especially if you have a huge amount of files on your hard disk. Weak computer owners will notice the ransomware activity even earlier. It may need a notable amount of RAM/CPU for the encryption process, so in case if you own a cheap laptop or a deeply outdated computer with HDD as a storage device, your PC will definitely experience notable efficiency loss.

Besides possible functionality plummeted, you can see an increasing number of files with .nobu extension. These documents are already encrypted, and you can’t open them with any type of software. At the same time along with the encrypted files exhibition, readme.txt files might show up. In this file, you will see the guidance about getting in touch with the ransomware creators, purchasing the decryption key and also working with their specific decryption app. The ransom money sum generally varies from $490 up to $980, relying on the amount of time gone after the encryption operation. The offered transaction option is the payment in Bitcoin, and thanks to the massive amounts of fraud amongst the online exchanging websites, you might become the victim of another group of cybercriminals.

EXT virus message

The scary alert demanding from users to pay the ransom to decrypt the compromised data contains these frustrating warnings

There are 2 sorts of keys that can be utilized by ransomware. Offline keys are used in the case when the encryption procedure is performed when your system is not connected to the web. Such a key is much easier to decrypt, considering that there is a limited number of offline keys. The online key, as you can guess, generated when your computer is online throughout the encryption process. Online keys are saved on the remote web server, which is maintained by ransomware distributors. You can find out if your files are encrypted by online or offline key executing the following uncomplicated steps. Search in the next path with file explorer “%System Root%\SystemID\PersonalID.txt”, then seek the items in that file that end on “t1”. If there are some, you are blessed, due to the fact that your data can be decrypted a lot faster as well as with significantly less risk of failure.

Here is a short info for the Nobu virus:
Ransomware family2DJVU/STOP3 ransomware
Ransomware note_readme.txt
RansomFrom $490 to $980 (in Bitcoins)
Contacthelpmanager@mail.ch, restoremanager@airmail.cc
DetectionWin32/GenCBL.NT, Trojan.Agent.EZUU, Trojan.Cutwail
SymptomsMost of your files (photos, videos, documents) have a .nobu extension and you can’t open it
Fix ToolSee If Your System Has Been Affected by .nobu file virus

Due to some certain aspects of file encryption, you can still utilize several of your documents. Nobu ransomware encrypts only the first 150KB of every file, for this reason, it is possible to launch documents that are considerably larger than 150KB – songs, video clips, voice notes, and so on. Such players as Winamp have the ability to introduce the encrypted files (however, you need to take away .nobu extension primarily), with the only significant effect – the initial few seconds of the recording will definitely not be accessible, because this part of the file is secured.

How was I infected?

Ransomware can be injected in many ways, but there are two methods that are the most popular nowadays.
Ransomware injection scheme

Ransomware injection scheme

As it was stated, ransomware creators are not pretty creative in distributing ways. The biggest share of .nobu virus infiltrations is against e-mail spamming. The victim receives an e-mail which seems like a notification from the shipping company, a bill from the automobile lending company, et cetera. Nevertheless, the sender’s address doesn’t look familiar: generally, it is a bundle of randomly-picked numbers and letters, like “jawlnciacm3124@aol.com”. Corporations normally utilize addresses that are corresponding to their own names, so the utilization of such an unusual e-mail address should raise suspicion. However, as the practical situations reveal, people typically do not take a look at the email sender’s address, clicking on the links or opening the attached data without any uncertainties. Nobu ransomware is stashed in this attachment, or in the document which will be downloaded after following the link.

The second (by success) manner of ransomware distribution is trojan viruses. In the last several years, trojans transformed into all-in-one malware: one malware can include spyware, backdoor, keylogger, and downloader; the last one is used to recover the viruses if they are erased by the user, and to download new and new malware. Ransomware can be included to initial trojan packaging or downloaded later by malware downloader. It is extremely hard to forecast when the ransomware will show itself.

Do not pay for Nobu!

Please, try to use the available backups, or the tools offered below

There is absolutely no guarantee that .nobu malware creators will send you the decryption key, particularly if you had a lengthy dialog with them via the email. Their decryption tool can also be the source of extra malware. And, finally, even when they send you the key, only ransomware developers know if it is capable of the decryption of your files. And they are not ones that deserve your trust.

The major reason why paying the ransom is a bad suggestion is that the money you gave as a ransom may be utilized for financing serious illegal activities. Drug dealing/making, human trafficking, terrorism – all these criminal activities are frequently funded by cybercrimes, and ransomware attacks are amongst them. Obviously, there is still a huge share of attacks that are released just for earning the profit, however, you never find out who you are going to pay the ransom money.

A number of additional words regarding the conversation with Nobu ransomware representatives. There are a number of cases when lasts were accumulating the email addresses of their targets, and then reselling this data to the third party. The third-party can be anyone, perhaps even other malware creators. And it is an incredibly undesirable effect to have your email spammed, especially after the stress created by ransomware. Here is totally no guarantee that you will not open one of these attachments, again, so the bad story can repeat.

As you can see, there are plenty of factors that make paying the ransom quite an uncertain solution. It is way more reliable and also reasonable to utilize an anti-malware program to remove the .nobu virus out of your computer, and decryption or file recovery programs to get your documents back. You will certainly see the guidance for its elimination right below.

A survey of organisations affected by ransomware attacks found that the average total cost of a ransomware attack for organizations that paid the ransom is almost $1.4m, while for those who didn’t give into ransom demands, the average cost is half of that, coming in at $732,000.4

How to remove Nobu virus?

Besides ransomware, your PC is likely infected with other viruses. GridinSoft Anti-Malware is easy-to-use and efficient tool5 that can surely wipe all malware out of your PC, and create a perfect shield that will protect your computer from further malware injections.

To remove Nobu malware from your PC, it is highly recommended to make use of antivirus tools. The hand-operated clearing is probably unachievable, due to the fact that it generates a lot of additional registry keys and also has a branchy file location tactic. Cleaning this up by hand may lead to system failure, or, possibly, partial malware clearing, so the Nobu virus will have the ability to restore itself. But maybe problematic even with anti-malware tools.

Microsoft Defender, which appears to be an evident choice, is certainly efficient in ransomware elimination. But in the majority of situations Nobu ransomware itself, or with the aid of trojan virus that is utilized to insert the ransomware, disables the Defender through the Group Policies and registry editing. Therefore, it is much better to utilize a separate safety program that does not have such vulnerabilities. I advise you to utilize GridinSoft Anti-Malware – an easy-to-use and powerful anti-malware program, that will definitely aid you with ransomware clearing.

  1. Install GridinSoft Anti-Malware
  2. Installation file of GridinSoft Anti-Malware
  3. After GridinSoft Anti-Malware is installed, you will be asked to perform a standard scan. Approve this action.
  4. GridinSoft Anti-Malware during the scan process
  5. During the scan process, you can see the detected malware, but to perform any actions against these viruses, you need to wait until the scan is over.
  6. Gridinsoft Anti-Malware standard scan result
  7. Scan is finished, malware is detected. Click “Clean Now” to wipe the malware out, including Nobu ransomware. In less than 30 seconds your PC will be cleaned up.

Try Trojan Killer for special instances

In some special instances, Nobu ransomware can block the launching of installation files of different anti-malware programs. In this instance, you need to make use of the removable drive with a pre-installed anti-malware app.

There is a quite little range of security tools that have the ability to be set up on the USB drives, and antiviruses that are able to do so in most cases require to pay for quite an expensive license. For this scenario, I can offer you to utilize another tool of GridinSoft – Trojan Killer Portable. It has a 14-days cost-free trial mode that delivers the entire functions of the paid edition. This term will be 100% enough to wipe the Nobu ransomware out.

Nonetheless, to eliminate the setup blocking, you need to execute this procedure on the other computer. Ask your colleague, or borrow your child’s laptop – whatever, the primary requirement is USB-port presence.

  1. After downloading the installation .exe file of Trojan Killer, double-click it. In the shown up window, pick “Setup to removable drive”, and define the removable drive you are going to use.
  2. Trojan Killer installation screen
  3. When the program is installed, you will see the window shown below. Do not disable the launch after installation, it is needed to set up your free license for two weeks.
  4. Trojan Killer successful installation
  5. Enter your name and email address. In less than 10 seconds, you will be able to use the 14-days free trial. The license key will be sent on the email you specified.
  6. Free trial activation in Trojan Killer
  7. After the successful installation of Trojan Killer, go back to your computer and launch your Windows in the safe mode. To do this, press Win+I to open the settings, then go to Update & Security > Recovery. In the Advanced Startup tab choose the Restart now.
  8. Recovery tab in Windows Settings
  9. After the PC is restarted, choose “Troubleshoot > Advanced Options > Startup Settings > Restart. PC will be restarted once again, and you will see the list of options. Choose the 4th option. Windows will be booted in the safe mode, so any of the applications from startup (including Nobu virus) will not be launched. After this manipulation, plug in the USB drive with the installed Trojan Killer.
  10. Trojan Killer files on the removable drive
  11. Run the program (tk.exe file), and start the full scan. It will last approximately 10-15 minutes.
  12. Trojan Killer main screen
  13. After the scan is completed, delete all detected malware by pressing “Cure It!” button. Your PC will be cleaned up in a minute.
  14. Trojan Killer finished the scan

How to decrypt the .nobu files?

Emsisoft Decryptor for STOP Djvu is created specially for decrypting the files, which were ciphered by Nobu ransomware

After the ransomware is taken out, you can launch the data revival. It is recommended to make a separated system back-up. In case if something unpleasant turns out in the process of file recovery, you will be free to begin with the point before the recovery operation. To execute the decryption and recovery, we need to make use of Emsisoft Decryptor for STOP Djvu, and also PhotoRec; both of them are totally free.

Utilizing Emsisoft Decryptor for STOP Djvu

  1. Download and install Emsisoft Decryptor
  2. Emsisoft Decryptor installation
  3. After the successful setup, you will see the window where you can choose the directories where the encrypted files are stored.
  4. Emsisoft Decryptor interface
  5. When the decryption operation is done, the program will notify you.

Use PhotoRec utility to recover the original files from the disk

Ransomware encryption method allows the use of file recovery tools for getting your files back. Below, you can see the detailed instructions of this operation.

Nobu ransomware encryption mechanism function is next: it encrypts every file byte-by-byte, after that saves a file replica on the disk, removing (and not overwriting!) the primary file. That’s why, the info of the location of the documents on the physical drive is slipped away, but the initial data is not deleted from the physical disk. The cell, or the cluster where this data was stashed, can still contain this file, however, it is not recorded by the file system and can be overwritten by data that has been loaded to this disk after the removal. Thus, it is possible to revive your data using a special tool.

There are some technical restrictions for file recovery with PhotoRec (as well as any other file recovery tool) from solid-state drives (SSD). Because of one feature that removes the files completely from the SSD, it is impossible to recover any data from such a drive. See more detailed information in this video.

PhotoRec is an open-source program, which is initially created for files recovery from destroyed drives, or for files recovery in case if they are erased by accident. Nonetheless, as time has actually gone by, this program got the option to revive the data of 400 various extensions. For this reason, it can be used for data recovery after the ransomware attack.

First, you need to download this app. It is 100% free, but the developer mentions that there is no guarantee that your data will be regained. PhotoRec is distributed in a pack with other program of the same creator – TestDisk. The downloaded archive will definitely have TestDisk name, however, don’t panic. PhotoRec files are right inside.

To open PhotoRec, you need to find and open “qphotorec_win.exe” file. No installation is required – this program has all the files it need inside of the archive, hence, you can fit it on your USB drive, and try to help your friend/parents/anyone who was been attacked by DJVU/STOP ransomware.

PhotoRec file in the folder

After the launch, you will see the screen showing you the full list of your disk spaces. However, this information is likely useless, because the required menu is placed a bit higher. Click this bar, then choose the disk which was attacked by ransomware.

Choose the disc in PhotoRec

After choosing the disk, you need to choose the destination folder for the recovered files. This menu is located at the lower part of the PhotoRec window. The best desicion is to export them on USB drive or any other type of removable disk.

Choosing the destination folder of recovery

Then, you need to specify the file formats. This option is located at the bottom, too. As it was mentioned, PhotoRec can recover the files of about 400 different formats.

Choose the file format

Finally, you can start files recovery by pressing the “Search” button. You will see the screen where the results of the scan and recovery are shown.

Recovery process

NOBU files recovery video guide

Frequently Asked Questions

If some questions appeared in the process of PC cleaning and file decryption, check the frequently asked questions. This part is constantly updating, so you will definitely find the answer for your question, sooner or later.

Emsisoft Decryptor for STOP Djvu has not decrypted .nobu files, what do I need to do?

A significant amount of time is needed for Emsisoft analytics to collect all possible keys for each ransomware version. Move the encrypted files to the separate folder, keep patience and wait for a week or two. You can also check if the Decryptor got a database update you need: repeat the decryption procedure once again.

How can I open “.nobu” files?

No way. These files are encrypted by Nobu ransomware. The contents of .nobu files are not available until they are decrypted.

PhotoRec hasn’t recovered any files, or recovered them only partially, is something wrong?

PhotoRec has a recovery mechanism that is based on physical disk data storing features, and on the mechanism of ransomware encryption. More detailed information about data restoration here.

It creates a copy of every file, encrypts that copy byte-by-byte,
and then removes the original file, substituting it with the encrypted clone.

If the sector where the file(s) was stored is used to store other files, your data is lost completely. The only way to figure out if your files are still on the disk is to run PhotoRec or other data recovery programs.

You have advised using GridinSoft Anti-Malware to remove Nobu. Does this mean that the program will delete my encrypted files?

Of course not. Your encrypted files do not pose a threat to the computer. What happened has already happened.

You need GridinSoft Anti-Malware to remove active system infections. The virus that encrypted your files is most likely still active and periodically runs a test for the ability to encrypt even more files. Also, these viruses install keyloggers and backdoors for further malicious actions (for example, theft of passwords, credit cards) often.

What can I do right now?

The Nobu ransomware encrypts only the first 150KB of files. So MP3 files are rather large, some media players (Winamp for example) may be able to play the files, but – the first 3-5 seconds (the encrypted portion) will be missing.

You can try to find a copy of an original file that was encrypted:

  • Files you downloaded from the Internet that were encrypted and you can download again to get the original.
  • Pictures that you shared with family and friends that they can just send back to you.
  • Photos that you uploaded on social media or cloud services like Carbonite, OneDrive, iDrive, Google Drive, etc)
  • Attachments in emails you sent or received and saved.
  • Files on an older computer, flash drive, external drive, camera memory card, or iPhone where you transferred data to the infected computer.

Also, you can contact the following government fraud and scam sites to report this attack:

To report the attack, you can contact local executive boards. For instance, if you live in USA, you can have a talk with FBI Local field office, IC3 or Secret Service.

Is it possible to recover the files without any third party software?

Yes, but you need to have a backup to make use of it in case of a ransomware attack. Unfortunately, the majority of users do not pay attention to the backups, ignoring the possible cases when it can be needed, and cancelling the creation process if the automatic backup is trying to perform.

But be very careful with OneDrive backups! The solution offered by Microsoft has quite a strange behavior: it creates the backups in in-the-move mode (exactly when you are doing your typical work), so it is very hard to catch the moment when the backup creation may be stopped. It may be needed to stop the OneDrive backup because it overwrites the old backup with the files of the new one, so the new backup may be infected with different trojans, Nobu ransomware, or any other viruses.

How to Remove NOBU Ransomware & Recover PC

Name: NOBU Virus

Description: NOBU Virus is a DJVU family of ransomware-type infections. This infection encrypts important personal files (video, photos, documents). The encrypted files can be tracked by a specific .nobu extension. So, you can't use them at all.

Operating System: Windows

Application Category: Virus

User Review
4.25 (16 votes)
Comments Rating 0 (0 reviews)


  1. About AES-256 encryption mechanism on Wikipedia
  2. My files are encrypted by ransomware, what should I do now?
  3. About DJVU (STOP) Ransomware.
  4. ZDNet article about ransom payments
  5. Reasons why I recommend GridinSoft Anti-Malware

About the author

Wilbur Woodham

I was a technical writer from early in my career, and consider IT Security one of my foundational skills. I’m sharing my experience here, and I hope you find it useful.

One Response

  1. Sagar December 9, 2020

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.