NMCRYPT Ransomware

Posted: April 16, 2018

The NMCRYPT Ransomware is part of the R Ransomware family, which can lock your files by encrypting them with AES-256. NMCRYPT Ransomware attacks also create HTML ransom messages that sell its decryptor and change the names of your media. Have your anti-malware products block or delete the NMCRYPT Ransomware to keep your data safe from further tampering, and revert to your backups for data recovery when possible.

The R Ransomware Returns Again

The R Ransomware is one of the smallest 'families' of file-locker Trojans. Instead of the almost infinite variants boasted by competition like Hidden Tear or the RaaS-marketed Globe Ransomware, the R Ransomware consists of itself and, up until now, one child variant: the NM4 Ransomware. A year later, malware experts are verifying another variation: the NMCRYPT Ransomware. Interestingly, all of the website infrastructure associated with the original R Ransomware remains intact for the NMCRYPT Ransomware campaign.

As a minor version of the NM4 Ransomware, the NMCRYPT Ransomware's chief difference is the extension it appends onto the names of any files that it locks ('.NMCRYPT' instead of '.NM4'). It uses an AES encryption method to block the victim's media and avoids critical folders (such as the Windows operating system's directory), but encrypts everything in all of the non-blacklisted locations. Malware experts have yet to determine whether decrypting the NMCRYPT Ransomware's files without paying is possible.

The NMCRYPT Ransomware also creates a ransom note that's similar to those of the rest of its family: an HTML page that provides instructions for accessing the threat actor's TOR website. Although the NMCRYPT Ransomware's Bitcoin demands are very traditional, users not familiar with its family may find some of the site's other content surprising: a 'live chat' window for technical support. However, malware experts previously verified that this feature is fake and non-functional.
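For scoping an incident, the appended extensions described above give a simple way to measure how far the encryption reached. The following is an added example, not code from the original article: the `triage` function, its `window` parameter, and the rule for flagging HTML files as possible ransom notes are assumptions, since the article does not give the note's file name or location.

```python
import os
import sys
from collections import Counter

# Extensions this page names for the NM4 and NMCRYPT variants (matched case-insensitively).
LOCKED_EXTS = (".nmcrypt", ".nm4")

def triage(root, window=3600):
    """Summarise files under root that carry the family's appended extension."""
    locked, html = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file vanished or is unreadable
            lower = name.lower()
            if lower.endswith(LOCKED_EXTS):
                locked.append((path, mtime))
            elif lower.endswith((".html", ".htm")):
                html.append((path, mtime))
    if not locked:
        return {"locked": 0, "by_dir": {}, "first_seen": None,
                "restore": [], "note_candidates": []}
    first = min(m for _, m in locked)
    last = max(m for _, m in locked)
    by_dir = Counter(os.path.dirname(p) for p, _ in locked)
    # The extension is appended, so removing it gives the name to look for in backups.
    restore = sorted(os.path.relpath(os.path.splitext(p)[0], root) for p, _ in locked)
    # Assumption: an HTML file in an affected directory, modified within `window`
    # seconds of the encryption run, is worth reviewing as a possible ransom note.
    notes = sorted(os.path.relpath(p, root) for p, m in html
                   if os.path.dirname(p) in by_dir
                   and first - window <= m <= last + window)
    return {"locked": len(locked), "by_dir": dict(by_dir), "first_seen": first,
            "restore": restore, "note_candidates": notes}

if __name__ == "__main__":
    report = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("locked files:", report["locked"])
    for directory, count in sorted(report["by_dir"].items()):
        print(f"  {count:6d}  {directory}")
    print("HTML files to review:", report["note_candidates"])
```

The earliest modification time in `first_seen` approximates when encryption began, which helps pick a backup snapshot that predates it.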

Sending Past Trojans Back Where They Belong

The NMCRYPT Ransomware shows almost no updates that would warrant its re-release, but its threat actor may be distributing it to modify the ransoming mechanisms, such as which Bitcoin wallet receives the payments. Users should, as always, avoid paying without trying other recovery options, of which malware experts always encourage using a non-local backup as the easiest one. Local data redundancy isn't universally protective, and Trojans with attacks similar to the NMCRYPT Ransomware's payload will often delete it securely.

The means of infecting your PC with the NMCRYPT Ransomware can follow several prominent strategies:

  • E-mail-attached files may pretend that they're invoices, delivery notifications, or workplace documentation, including automated messages from your office equipment. These attachments can include exploits for installing the NMCRYPT Ransomware automatically or with minimal user interaction (such as asking you to enable macros).
  • Threat actors can compromise networks directly by brute-forcing their way through insufficiently-strong password protection.
  • Recently, the Nebula Exploit Kit has also been providing delivery services for file-locking threats and may compromise a PC after its user loads a corrupted website.

Any anti-malware product with a history of accurately identifying the R Ransomware may also uninstall the NMCRYPT Ransomware, or block it before it attacks your files. Most users shouldn't try removing the NMCRYPT Ransomware manually, which requires modifying critical Windows components.

Trojans don't need complexity to cause complicated damage to PCs, as the NMCRYPT Ransomware's family shows so well. A backup and anti-malware security, just like a seatbelt and air cushions, can protect you from the accidents that are waiting to happen for the simplest of reasons.