NOOD Virus (.Nood File) Decryption & Removal

The Nood virus, part of the STOP malware family, actively targets computer systems for file encryption and ransom demands. Once it infects a computer, it searches and encrypts various file types such as documents, videos, and photos, appending the “.nood” extension to each, which makes them inaccessible without a decryption key.


🤔 The Nood virus, a member of the DJVU/STOP ransomware family, aims to encrypt accessible files before demanding a ransom of $499 to $999 in Bitcoin from its victims.

The Nood virus encrypts your files and demands payment for their recovery. It encrypts a broad array of file types, marking each with the “.nood” extension, which renders the affected files inaccessible.

Following encryption, the virus demands a Bitcoin ransom from its victims, ranging from $499 to $999, depending on how much time has passed since the attack. It leaves a text file, “_readme.txt”, containing payment instructions.

Nood Ransomware employs the Salsa20 encryption algorithm, making it extremely difficult to decrypt files without the attackers’ help.

After encrypting the files, Nood displays a ransom note, demanding payment for the decryption key. This note includes payment instructions and often threats of permanent data loss or an increased ransom if not paid promptly.

I have compiled a comprehensive list of solutions, advice, and practices for stopping the Nood ransomware and regaining access to your files. Sometimes, decryption is possible; other times, it may not be.


📌 Important Note!

Paying the ransom does not guarantee the successful recovery of your files. The individuals behind the Nood virus are not trustworthy. There have been instances where victims paid the ransom and were still denied the decryption key by the cybercriminals.

Nood uses a unique key for each victim, with one exception: when Nood cannot connect to its command and control (C&C) server before starting the encryption, it falls back to an offline key. The offline key is the same for all affected users, which is why some files encrypted by the ransomware can be decrypted.

Similar to other DJVU ransomware variants like Wiaw and Lkfr, Nood encrypts a wide range of common file types and appends the “.nood” extension. For example, a file named “1.jpg” becomes “1.jpg.nood” and “2.png” becomes “2.png.nood”.

Following encryption, the virus generates a special text file named “_readme.txt” and places it in every folder with encrypted files, as well as on the desktop, ensuring victims notice it immediately.

The image below offers a visual representation of files with the “.nood” extension:

Image: files encrypted by STOP/DJVU ransomware, carrying the .nood extension

Name: Nood Virus
Ransomware family: DJVU/STOP ransomware
Extension: .nood
Ransom note: _readme.txt
Ransom: from $499 to $999 (in Bitcoin)
Contact: [email protected], [email protected]
Detection: Malware.Heuristic.2046, Trojan:Win32/Vundo.A, Trojan:Win32/Conhook.D
Symptoms:
  • Installs a password-stealing Trojan on the system, such as Vidar Stealer or RedLine Stealer;
  • Adds a list of domains to the HOSTS file to block access to certain security-related sites;
  • Encrypts most of your files (photos, videos, documents) and adds the “.nood” extension;
  • Installs the SmokeLoader backdoor;
  • Can delete Volume Shadow Copies to make the victim’s attempts to restore data impossible.

This message demands payment for restoring files via a decryption key:

Image: _readme.txt (STOP/DJVU Ransomware), the ransom note that demands payment to decrypt the encrypted data.

The Nood ransomware executes a series of operations on the victim’s computer, starting with launching winupdate.exe. This deceptive process mimics a Windows update notification to mislead the victim into thinking the system slowdown is due to an update.

Simultaneously, the ransomware activates another process, named with 4 random characters, which scans the PC for target files to encrypt. It then proceeds to eliminate Volume Shadow Copies from the system with the following CMD command:

vssadmin.exe Delete Shadows /All /Quiet

With Volume Shadow Copies gone, restoring the computer to its previous state through System Restore Points becomes nearly impossible. The ransomware creators deliberately remove any built-in Windows recovery methods that could allow victims to retrieve their files for free. Moreover, they alter the Windows HOSTS file by adding and redirecting a list of domains to the localhost IP, causing the victim to encounter a DNS_PROBE_FINISHED_NXDOMAIN error when attempting to visit any of the blocked sites.

This tactic aims to prevent victims from accessing online guides that could help counter the ransomware attack. By blocking certain websites, the attackers obstruct victims’ access to valuable information. Additionally, the malware leaves two .txt files on the victim’s system, revealing attack-specific details — the public encryption key and a personal ID, named bowsakkdestx.txt and PersonalID.txt.

Image: the Nood ransomware saves the public encryption key and the victim's ID in the bowsakkdestx.txt file
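As an added defender-side example (not code from the original article), the following Python triage script checks constructed sample data for the three host artifacts described above: the vssadmin shadow-copy deletion in a process-creation log, HOSTS entries redirected to the loopback address, and the .nood files, _readme.txt, bowsakkdestx.txt and PersonalID.txt left on disk. The log lines, HOSTS content, file listing and domain names are constructed placeholders.

```python
import re
# Constructed process-creation log (one command line per entry), not real telemetry.
SAMPLE_PROCESS_LOG = """\
C:\\Windows\\System32\\svchost.exe -k netsvcs
C:\\Users\\victim\\AppData\\Local\\a1b2\\winupdate.exe
C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet
"""

# Constructed HOSTS file: two normal loopback entries followed by
# placeholder domains redirected to localhost, as the article describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
127.0.0.1 security-vendor.example
127.0.0.1 help-forum.example  # placeholder, not a real blocked site
"""

# Constructed file listing from a victim profile.
SAMPLE_LISTING = [
    "C:/Users/victim/Documents/1.jpg.nood",
    "C:/Users/victim/Documents/2.png.nood",
    "C:/Users/victim/Documents/_readme.txt",
    "C:/Users/victim/Desktop/_readme.txt",
    "C:/SystemID/PersonalID.txt",
    "C:/Users/victim/AppData/Local/bowsakkdestx.txt",
    "C:/Users/victim/Documents/report.docx",
]

SHADOW_WIPE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.I)
LOOPBACK = {"127.0.0.1", "::1"}
NOTE_FILES = {"_readme.txt", "bowsakkdestx.txt", "personalid.txt"}

def find_shadow_deletion(log_text):
    """Return command lines that wipe all Volume Shadow Copies."""
    return [ln for ln in log_text.splitlines() if SHADOW_WIPE.search(ln)]

def find_hosts_redirects(hosts_text):
    """Return hostnames other than localhost that are mapped to a loopback address."""
    hits = []
    for ln in hosts_text.splitlines():
        fields = ln.split("#", 1)[0].split()   # drop comments, then tokenise
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            hits.extend(h for h in fields[1:] if h.lower() != "localhost")
    return hits

def find_encryption_artifacts(paths):
    """Return (encrypted .nood files, ransom-note / ID files) from a path list."""
    encrypted = [p for p in paths if p.lower().endswith(".nood")]
    notes = [p for p in paths if p.rsplit("/", 1)[-1].lower() in NOTE_FILES]
    return encrypted, notes
```

On a live system the same three checks would be fed from the Sysmon or Security event log, C:\Windows\System32\drivers\etc\hosts, and a directory walk of user profiles.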

Furthermore, STOP/DJVU variants often install the Vidar password-stealing Trojan on infected systems, which boasts a broad set of harmful capabilities:

  • Running malicious software to gather sensitive data.
  • Stealing login credentials for Steam, Telegram, and Skype accounts.
  • Accessing and manipulating files without the victim’s consent.
  • Extracting cryptocurrency wallets.
  • Allowing hackers to remotely control the victim’s computer for nefarious purposes.
  • Collecting browser cookies, saved passwords, and browsing history.

The STOP/Djvu ransomware uses the Salsa20 encryption algorithm. If your files were encrypted with an online decryption key, the chances of recovery are slim. Each victim’s online key is unique, making a suitable match difficult to find.

Obtaining the online decryption key any other way is nearly impossible, because it resides on a server controlled by the Nood virus distributors. To get the unlocking key, victims must pay $999 and contact the fraudsters via email ([email protected]).

The ransom note left by the ransomware reads as follows:

ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
Do not ask assistants from youtube and recovery data sites for help in recovering your data.
They can use your free decryption quota and scam you.
Our contact is emails in this text document only.
You can get and look video overview decrypt tool:
https://we.tl/t-hPAqznkJKD
Price of private key and decrypt software is $999.
Discount 50% available if you contact us first 72 hours, that's price for you is $499.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
[email protected]

Reserve e-mail address to contact us:
[email protected]

Your personal ID:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

How to Remove Nood Ransomware

  1. Install the anti-malware tool (the guide uses GridinSoft Anti-Malware): run Setup.exe.
  2. Start the installation.
  3. Run the anti-malware tool.
  4. Scan your computer.
  5. Eliminate the detected threats.

About the author

Brendan Smith

Cybersecurity analyst covering malware families, suspicious files, and detection alerts. Brendan focuses on clear explanations of what a warning means, when it may be a false positive, and which cleanup steps are appropriate.
