
Nosu Ransomware

Posted: January 21, 2020

The Nosu Ransomware is a file-locker Trojan that can keep documents and other media from opening. It conducts these attacks as part of an extortion campaign that sells an unlocking service, without which any data recovery may prove impossible. Users can protect their data by backing it up to secure storage and should let their anti-malware utilities remove the Nosu Ransomware when necessary.

A Ransomware-as-a-Service Belying Its Name, as Usual

Few RaaS families are as ironically named as the STOP Ransomware, a Trojan-for-rental service whose operations are nearly ceaseless, spanning earlier builds like the Djvu Ransomware and the '.drume File Extension' Ransomware and later ones like the Lokf Ransomware, the Msop Ransomware and the Nosu Ransomware. The latter is one of a handful of samples active as of 2020, opening January with renewed data attacks against vulnerable businesses and individuals. Some changes indicate a possible Iranian connection with the current administrators, although PC users around the world are in theoretical danger.

The Nosu Ransomware demonstrates most of the features and behaviors available to other modern versions of its family, which criminals rent for a limited period to extort money from arbitrary targets. The infection methods in use are flexible, but multiple STOP Ransomware campaigns rely on lures such as falsified e-mail attachments and torrents that entice victims into running the Trojan's installer. In some instances, malware researchers also find networks with weak passwords or insecure settings (such as Internet-accessible RDP) under attack.

After getting onto the PC, the Nosu Ransomware encrypts Word documents, JPG or BMP pictures, and other media formats with an AES algorithm whose key is secured with RSA. Users can distinguish unharmed files from 'captive' ones by the '.nosu' extension that the Trojan appends to their names. The Nosu Ransomware also creates a ransom note, although the text is mostly identical to past versions, except for new e-mail addresses, including an Iranian one.
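The appended extension and the dropped note are the first things an incident responder keys on when scoping an infection. The following triage script is an added example written for this page, not code from the original writeup or from the malware; it walks a directory tree, inventories '.nosu' files, recovers each file's original extension, locates ransom notes and estimates the encryption window from modification times. It assumes the STOP/Djvu note name `_readme.txt`, which the writeup does not state, and runs against a constructed sample tree in a temporary directory.

```python
"""Triage of a suspected STOP/Djvu-style encryption incident.

Walks a directory tree, inventories files carrying the ransomware's extension,
recovers each file's original extension, locates ransom notes and estimates the
encryption window from modification times. Added example; it is not the page's
or the ransomware's code.
"""
from __future__ import annotations

import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Extension appended to encrypted files, as described in the writeup.
RANSOM_EXT = ".nosu"
# Ransom note file name. STOP/Djvu variants are known to drop "_readme.txt";
# the writeup does not name the note, so this is an assumption. Extend the set
# if the incident shows other names.
NOTE_NAMES = {"_readme.txt"}


@dataclass
class TriageReport:
    encrypted: list[Path] = field(default_factory=list)
    original_exts: Counter = field(default_factory=Counter)
    notes: list[Path] = field(default_factory=list)
    first_mtime: float | None = None
    last_mtime: float | None = None

    @property
    def window_seconds(self) -> float:
        """Span between the earliest and latest encrypted-file mtime."""
        if self.first_mtime is None or self.last_mtime is None:
            return 0.0
        return self.last_mtime - self.first_mtime


def triage(root: str | os.PathLike) -> TriageReport:
    """Inventory encrypted files and ransom notes under root."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in NOTE_NAMES:
                report.notes.append(path)
                continue
            if path.suffix.lower() != RANSOM_EXT:
                continue
            report.encrypted.append(path)
            # "report.docx.nosu" -> stem "report.docx" -> original ".docx"
            original = Path(path.stem).suffix.lower() or "<none>"
            report.original_exts[original] += 1
            mtime = path.stat().st_mtime
            if report.first_mtime is None or mtime < report.first_mtime:
                report.first_mtime = mtime
            if report.last_mtime is None or mtime > report.last_mtime:
                report.last_mtime = mtime
    return report


def build_sample_tree(root: str | os.PathLike) -> None:
    """Create a constructed victim tree: three 'captive' files, one untouched
    file and one ransom note. Contents are placeholders, not real ciphertext."""
    layout = {
        "docs/report.docx.nosu": b"\x00" * 64,
        "pics/holiday.jpg.nosu": b"\x00" * 64,
        "pics/scan.bmp.nosu": b"\x00" * 64,
        "music/song.mp3": b"ID3 untouched",
        "docs/_readme.txt": b"ATTENTION! (constructed placeholder note)",
    }
    for rel, data in layout.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> TriageReport:
    """Build the sample tree in a temporary directory and triage it.
    The returned paths point into the temporary tree, which is removed
    on return; only the counts and extensions remain meaningful."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    r = demo()
    print(f"{len(r.encrypted)} encrypted files, {len(r.notes)} ransom note(s)")
    print("original types:", dict(r.original_exts))
    print(f"encryption window: {r.window_seconds:.1f}s")
```

Run it directly to print the summary; on a real system, point `triage()` at the affected share or user profile instead of the constructed tree. The window estimate is only as good as the file system's modification times, and the original-extension tally tells you which data classes were hit before any decryptor or backup question is settled.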

Putting a Real STOP to Trojans that will not Quit

The Nosu Ransomware uses a deadline as part of its psychological pressure to extract ransom payments before victims begin questioning the demand too closely. Although paying a criminal for a decryptor is one possible recovery path, criminals favor cryptocurrencies, vouchers, and other payment methods that leave them without any risk of refunds, and there always is a chance that the victim will not receive a working decryptor in return for the money.

The Nosu Ransomware is one of several families that delete Windows' Shadow Volume Copies by default. Users should compensate for this danger by keeping additional backups in other locations protected by controls such as multi-factor authentication and restricted admin access. In cases where the Trojan's payload does not complete its attack as intended, it also is possible that advanced recovery utilities could restore files from surviving Shadow Volume Copies.

Following basic guidelines like installing security patches, avoiding illicit or suspicious downloads, and disabling Office macros will help prevent attacks from this Trojan's campaign. Most anti-malware products also will delete the Nosu Ransomware and virtually all other members of its family without difficulty.

Backup schedules aside, the Nosu Ransomware shows that the STOP Ransomware family is alive and well for the coming year. Only rejecting ransoms will change that, and the Trojan business model behind it, for the better.
