NOOD Virus (.Nood File) Decryption & Removal

NOOD Virus Ransomware
NOOD Virus Ransomware
Written by Brendan Smith

The Nood virus, part of the STOP malware family, actively targets computer systems for file encryption and ransom demands. Once it infects a computer, it searches and encrypts various file types such as documents, videos, and photos, appending the “.nood” extension to each, which makes them inaccessible without a decryption key.

Nood Virus

Nood

🤔 The Nood virus, a member of the DJVU/STOP ransomware family, aims to encrypt accessible files before demanding a ransom of $499 to $999 in Bitcoin from its victims.

The Nood virus encrypts your files, forcing you to pay for their recovery. It encrypts a broad array of file types, marking each with a unique “.nood” extension, rendering affected files inaccessible.

Following encryption, the virus demands a Bitcoin ransom from its victims, ranging from $499 to $999, depending on how much time has passed since the attack. It leaves a text file, “_readme.txt“, containing payment instructions.

Nood Ransomware employs the Salsa20 encryption algorithm, making it extremely difficult to decrypt files without the attackers’ help.

After encrypting the files, Nood displays a ransom note, demanding payment for the decryption key. This note includes payment instructions and often threats of permanent data loss or an increased ransom if not paid promptly.

I have compiled a comprehensive list of solutions, advice, and practices for stopping the Nood ransomware and regaining access to your files. Sometimes, decryption is possible; other times, it may not be.

Brendan Smith
Brendan Smith
IT Security Expert
First, perform a PC scan using an antivirus tool!
I will help you remove the Nood virus and guide you through the process of decrypting or restoring encrypted files. Below, you will find several universally applicable methods for recovering encrypted .nood files. It's crucial to read and understand the full instructions. Do not skip any steps. Completing each step is vital.
Anti-Malware
Gridinsoft Anti-Malware 6-day trial available.
EULA | Privacy Policy | 10% Off Coupon
Subscribe to our Telegram channel to be the first to know about news and our exclusive materials on information security.

📌 Important Note!

Paying the ransom does not guarantee the successful recovery of your files. The individuals behind the Nood virus are not trustworthy. There have been instances where victims paid the ransom and were still denied the decryption key by the cybercriminals.

Nood uses a unique key for each victim, except:

  • When Nood cannot connect to its command and control server (C&C) before starting the encryption, it resorts to using offline keys. These offline keys, the same for all affected users, allow some files encrypted by the ransomware to be decrypted.

Similar to other DJVU ransomware variants like Wiaw and Lkfr, Nood encrypts a wide range of common file types and appends the “.nood” extension. For example, a file named “1.jpg” becomes “1.jpg.nood” and “2.png” to “2.png.nood“.

Following encryption, the virus generates a special text file named “_readme.txt” and places it in every folder with encrypted files, as well as on the desktop, ensuring victims notice it immediately.

The image below offers a visual representation of files with the “nood” extension:

Nood Virus - encrypted nood files

Encrypted Files by STOP/DJVU Ransomware

NameNood Virus
Ransomware family1DJVU/STOP2 ransomware
Extension.nood
Ransomware note_readme.txt
RansomFrom $499 to $999 (in Bitcoins)
Contactsupport@freshingmail.top, datarestorehelpyou@airmail.cc
DetectionMalware.Heuristic.2046, Trojan:Win32/Vundo.A, Trojan:Win32/Conhook.D
Symptoms
  • Installs password-stealing Trojan on the system, like Vidar Stealer or RedLine Stealer;
  • Adds a list of domains to the HOSTS file to block access to certain security-related sites;
  • Encrypts most of your files (photos, videos, documents) and adds a particular “.nood” extension;
  • Manages to install a SmokeLoader backdoor;
  • Can delete Volume Shadow copies to make victim’s attempts to restore data impossible;
Fix Tool To remove possible malware infections, scan your PC:


6-day free trial available.

This message demands payment for restoring files via a decryption key:

_readme.txt (STOP/DJVU Ransomware)


_readme.txt (STOP/DJVU Ransomware) – The intimidating warning that demands users pay the ransom to decrypt their encrypted data, filled with these irksome cautions.

The Nood ransomware executes a series of operations on the victim’s computer, starting with launching winupdate.exe. This deceptive process mimics a Windows update notification to mislead the victim into thinking the system slowdown is due to an update.

Simultaneously, the ransomware activates another process, named with 4 random characters, which scans the PC for target files to encrypt. It then proceeds to eliminate Volume Shadow Copies from the system with the following CMD command:

vssadmin.exe Delete Shadows /All /Quiet

With Volume Shadow Copies gone, restoring the computer to its previous state through System Restore Points becomes nearly impossible. The ransomware creators deliberately remove any built-in Windows recovery methods that could allow victims to retrieve their files for free. Moreover, they alter the Windows HOSTS file by adding and redirecting a list of domains to the localhost IP, causing the victim to encounter a DNS_PROBE_FINISHED_NXDOMAIN error when attempting to visit any of the blocked sites.

This tactic aims to prevent victims from accessing online guides that could help counter the ransomware attack. By blocking certain websites, the attackers obstruct victims’ access to valuable information. Additionally, the malware leaves two .txt files on the victim’s system, revealing attack-specific details — the public encryption key and a personal ID, named bowsakkdestx.txt and PersonalID.txt.

Nood ransomware virus saves public encryption key and victim's id in bowsakkdestx.txt file

Furthermore, STOP/DJVU variants often install the Vidar password-stealing Trojan on infected systems, which boasts a broad set of harmful capabilities:

  • Running malicious software to gather sensitive data.
  • Stealing login credentials for Steam, Telegram, and Skype accounts.
  • Accessing and manipulating files without the victim’s consent.
  • Extracting cryptocurrency wallets.
  • Allowing hackers to remotely control the victim’s computer for nefarious purposes.
  • Collecting browser cookies, saved passwords, and browsing history.

The STOP/Djvu ransomware uses the Salsa20 encryption algorithm. If your files were encrypted with an online decryption key, the chances of recovery are slim. Each victim’s online key is unique, making a suitable match difficult to find.

Securing the online decryption key otherwise is nearly impossible, as it resides on a server controlled by the Nood virus distributors. To get the unlocking key, victims must pay $999 and contact the fraudsters via email (support@freshingmail.top).

The message by the ransomware states the following information:

ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
Do not ask assistants from youtube and recovery data sites for help in recovering your data.
They can use your free decryption quota and scam you.
Our contact is emails in this text document only.
You can get and look video overview decrypt tool:
https://we.tl/t-hPAqznkJKD
Price of private key and decrypt software is $999.
Discount 50% available if you contact us first 72 hours, that's price for you is $499.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
support@freshingmail.top

Reserve e-mail address to contact us:
datarestorehelpyou@airmail.cc

Your personal ID:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

How to Remove Nood Ransomware

  1. Download the Removal Tool

    Click below to download GridinSoft Anti-Malware:

  2. Install Anti-malware

    After downloading, open the setup-antimalware-fix.exe file to start the installation of GridinSoft Anti-Malware.

    Run Setup.exe

    Click “Yes” when the User Account Control prompts you to allow GridinSoft Anti-Malware to make changes to your device.

    GridinSoft Anti-Malware Setup

  3. Start the Installation

    GridinSoft Anti-Malware Install

  4. Run the Anti-Malware Tool

    GridinSoft Anti-Malware will launch automatically after installation.

    GridinSoft Anti-Malware Splash-Screen

  5. Scan Your Computer

    Allow GridinSoft Anti-Malware to scan your computer for infections. This comprehensive scan may take 20-30 minutes. Check the scan progress periodically.

    GridinSoft Anti-Malware Scanning

  6. Eliminate Detected Threats

    Click “Clean Now” to remove the threats detected by GridinSoft Anti-Malware.

    GridinSoft Anti-Malware Scan Result
  7. Use Trojan Killer for Special Cases

    If Nood ransomware blocks anti-malware setup files, consider using a removable drive with pre-installed antivirus software.

    Very few security tools can install on USB drives. Those that can often require an expensive license. In such cases, I recommend Trojan Killer Portable by GridinSoft. It comes with a 14-day free trial that includes all features of the paid version, which should be sufficient to eliminate the malware. For more details, visit Trojan Killer Portable.

Video Guide


How To Decrypt .nood Files?

Restoring Large Files

If you’re dealing with large files (2GB or more), try removing the .nood extension and then attempt to open them. Due to encryption flaws, the malware might not encrypt or correctly mark large files, making recovery possible for these particular cases. Please share your experience in the comments to help others.

Recent STOP/Djvu variants emerged around the end of August 2019 after the criminals behind them upgraded their tactics. Consequently, STOPDecrypter became obsolete and was succeeded by the Emsisoft Decryptor for STOP Djvu Ransomware, developed by the cybersecurity experts at Emsisoft.

Access the free decryption tool here: Decryptor for STOP Djvu.

  1. Initiate the Decryption Process

    Begin by downloading the Emsisoft decryption tool. Remember to run it with administrator rights and agree to the license terms by clicking “Yes“:

    Emsisoft Decryptor - license terms

    Once you agree to the terms, the decryptor’s main interface will appear:

    Emsisoft Decryptor - user interface

  2. Select Targets for Decryption

    The decryptor, by default, targets all accessible directories on connected drives, including network drives. Use the “Add” button to include any additional locations you wish to decrypt.

    Depending on the ransomware family, decryptors may offer various specific options within the Options tab. Review and adjust these settings to suit your needs. Below, you can find a detailed list of these options currently available.

  3. Begin Decryption

    After setting your desired locations, press the “Decrypt” button to start decrypting your files. The interface will switch to a status view, showing real-time progress and statistics of the decryption process:

    Emsisoft Decryptor - the decryption statistics

    Upon completion, the decryptor will alert you. For documentation or further assistance, save the report by clicking “Save log”. This log can also be copied to your clipboard for easy sharing via email or messages.

How to Restore .nood Files?

Ransomware doesn’t always spell doom for your files…

The Nood ransomware employs a meticulous encryption strategy: it encrypts files byte by byte, duplicates them, and then deletes the original without overwriting it. This means the original file’s data isn’t erased from your drive. The sectors that previously contained the file may still have the data, even though it’s no longer part of the file system and is at risk of being overwritten. Fortunately, with the right tools, you have a chance to recover these files.

I recently encountered a virus attack on my PC, which overcame two antivirus programs and two malware fighters.

Despite the setback with my encrypted files due to an online algorithm, my backup drive, which I initially thought was fully compromised, held a surprise. Although every folder seemed infected at first, I was able to recover nearly 80% of my 2TB storage.

Digging deeper, I noticed the ransom note in each folder. Files directly within these folders were encrypted, but, interestingly, files in subfolders within these folders remained untouched. This pattern held true for my C and D drives, but my backup drive was different: having subfolders saved most of my data.

It seems creating subfolders on a backup drive can create a loophole. I was fortunate to recover an additional 10% of my data from another drive. My experience shows that structured data storage can inadvertently protect against such encryption.

This discovery might offer hope to others in similar predicaments.
Jamie Newland

Tips for the recovery and repair of Nood files, applicable to all STOP/DJVU variants:

  • Check deeply nested folders. STOP/Djvu variants often miss encrypting files in deeper subfolders.
  • The ransomware’s process involves saving encrypted data as new files and deleting originals. There’s a slim chance that parts of these deleted files can be salvaged with file recovery software. Though recovering the original folder structure might be challenging, tools like PhotoRec could prove invaluable.
  • The first 150 KB of files is usually what gets encrypted. For larger files or certain data types, it might be possible to recover the unencrypted portions.
  • Joep

    Recovering Your Files with PhotoRec

    PhotoRec stands out as a robust, free tool initially designed to retrieve files from damaged disks or to recover accidentally deleted files. Over time, it has evolved to support the recovery of over 400 different file types, making it a powerful ally in the fight against the Nood ransomware.

    Begin by downloading PhotoRec. While the tool is completely free, its developer notes that file recovery is not guaranteed. PhotoRec comes bundled with TestDisk, another utility by the same developer. Despite the archive bearing the TestDisk name, rest assured, PhotoRec is included within.

    To launch PhotoRec, locate and open the “qphotorec_win.exe” file. An installation is unnecessary as the program contains all required files in the archive, enabling its use directly from a USB drive—offering a handy solution for assisting friends or family afflicted by the Nood ransomware.

    PhotoRec file in the folder for restore Nood files

    At startup, you’ll be presented with a list of drives. This overview might seem daunting at first, but the essential menu is just above. Click the bar to select the disk impacted by the ransomware.

    Choose the disc in PhotoRec

    Next, specify the destination folder for the recovered files. You’ll find this option at the bottom of the PhotoRec window. Opting to save them to a USB drive or another form of removable media is recommended.

    Choosing the destination folder of recovery Nood files

    Then, select the file formats you wish to recover. This setting is also at the bottom. As previously mentioned, PhotoRec supports recovery of about 400 file formats.

    Choose the file format

    Finally, initiate the file recovery process by clicking the “Search” button. You will be directed to a screen displaying the scan and recovery outcomes.

    Recovery process

    Nood files recovery Video Guide.


    Frequently Asked Questions

    🤔 How can I open “.nood” files?

    Unfortunately, there’s no direct way to open files with a “.nood” extension as they are encrypted by ransomware. You cannot access the encrypted contents without decrypting them first.

    🤔 The virus has blocked my infected PC: I can’t get the activation code.

    In such cases, you should use a memory stick that already has Trojan Killer installed. For more information, visit our Trojan Killer page.

    🤔 The decryptor didn’t decrypt all my files, or not all of them were decrypted. What should I do?

    It’s important to remain patient in this situation. If you’re dealing with a new version of the STOP/DJVU ransomware, the decryption keys might not be available yet. Keep an eye on our website for updates on new keys or decryption tools.

    🤔 What can I do right now?

    The Nood ransomware typically encrypts only the first 150KB of files. For example, some larger MP3 files might still be playable in media players like Winamp, minus the first 3-5 seconds due to encryption. To recover, you can:

    • Redownload encrypted files from the internet.
    • Request copies of shared pictures from family and friends.
    • Retrieve photos from social media or cloud services such as Carbonite, OneDrive, iDrive, Google Drive, etc.
    • Find attachments in saved emails.
    • Look for files on older computers, flash drives, external drives, camera memory cards, or iPhones that were synced with the infected computer.

    If you’re still struggling to remove the infection, I recommend downloading GridinSoft Anti-Malware. Your experiences and solutions are valuable to others facing similar problems. Please, share your story in the comments below. Your insights can offer hope and demonstrate that no one has to face this challenge alone. Together, we can find a solution.

    Sending
    User Review
    0 (0 votes)
    Comments Rating 0 (0 reviews)

    References

    1. My files are encrypted by ransomware, what should I do now?
    2. About DJVU (STOP) Ransomware.

    German Japanese Spanish Portuguese (Brazil) French Turkish Chinese (Traditional) Korean Indonesian Hindi Italian

    About the author

    Brendan Smith

    I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers in navigating the digital landscape.

    With a focus on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices allows me to provide practical tips and advice that readers can implement to enhance their online security.

    Leave a Reply

    Sending