
Nuksus Ransomware

Posted: August 20, 2019

The Nuksus Ransomware is a file-locking Trojan that uses encryption to keep media such as documents from opening. Symptoms include a new extension on the affected files that references the Trojan's brand name, text (Notepad) ransom messages, and missing Shadow Volume Copy backups. Backups stored off the infected machine, combined with anti-malware services that remove the Nuksus Ransomware on sight, are the recommended defenses for all PCs.

Impending Danger for Indonesians without Backups

Running a computer without backing up your work is more of a problem in 2019 than ever before, courtesy of Ransomware-as-a-Service's continuing popularity. Criminals renting variants of these 'pre-fab' Trojans, such as the STOP Ransomware family, can run ransoming campaigns with little, if any, infrastructure of their own. The Nuksus Ransomware is just the latest example of the business's ongoing profit, with malware analysts confirming at least one victim in Indonesia.

That country is a hotspot for STOP Ransomware releases such as the Berosuce Ransomware, the Dodoc Ransomware, the Litar Ransomware and the Novasof Ransomware. At release number 1.49, the Nuksus Ransomware is newer than each of them but depends on the same attack for collecting its ransoms. The Windows program encrypts files that it rates as good ransoming targets, such as documents or photos, with AES, and protects the AES keys with an RSA key that is either static (the 'offline' key, reused across infections when the Trojan cannot reach its server) or dynamic (the 'online' key, unique to each victim). Which of the two was used decides whether a victim's files can ever be recovered without paying: a single leaked static private key unlocks every offline-keyed infection, while each online-keyed victim needs a key the criminals alone hold.
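To make the offline-versus-online key distinction concrete, here is an added Go example (not code from this page or from the Trojan) that models the hybrid scheme: each file gets a fresh AES-256 key, and that key is wrapped with RSA-OAEP under either a reused static public key or a per-victim public key. The key sizes, the use of GCM mode, and the function and scenario names are assumptions made for the illustration; the article states only that AES and RSA are involved.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// LockedBlob models one encrypted file: AES-GCM ciphertext plus the per-file
// AES key wrapped with an RSA public key. This is an illustration of the
// hybrid scheme the article describes, not code recovered from the Trojan.
type LockedBlob struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// Lock encrypts plaintext under a fresh 256-bit AES key and wraps that key
// with pub using RSA-OAEP. Only the holder of the matching private key can
// unwrap the file key later.
func Lock(pub *rsa.PublicKey, plaintext []byte) (*LockedBlob, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &LockedBlob{nonce, gcm.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// Unlock reverses Lock with priv. A private key that does not match the
// public key used in Lock fails the OAEP check, so nothing is recovered.
func Unlock(priv *rsa.PrivateKey, b *LockedBlob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("private key does not unwrap this file key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// RecoveryScenario models the two key modes in the text (an assumption for
// the example). staticPriv stands for the reused "offline" key pair, whose
// single private half covers every infection that used it; victimPriv stands
// for an "online" key pair unique to one victim. It reports whether a leaked
// copy of the static private key recovers each victim's file.
func RecoveryScenario(plaintext []byte) (offlineRecovered, onlineRecovered bool, err error) {
	staticPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	victimPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	offlineBlob, err := Lock(&staticPriv.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	onlineBlob, err := Lock(&victimPriv.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	// The leaked static private key is tried against both victims' files.
	got, errOff := Unlock(staticPriv, offlineBlob)
	offlineRecovered = errOff == nil && string(got) == string(plaintext)
	_, errOn := Unlock(staticPriv, onlineBlob)
	onlineRecovered = errOn == nil
	return offlineRecovered, onlineRecovered, nil
}

func main() {
	off, on, err := RecoveryScenario([]byte("constructed sample document"))
	fmt.Println("leaked static key recovers offline-keyed file:", off, "| online-keyed file:", on, "| err:", err)
}
```

The point of the model is the asymmetry in the last four lines of RecoveryScenario: one leaked private key turns every offline-keyed infection into a free decryptor, which is why database leaks helped earlier victims, while online-keyed files stay locked no matter how many other victims' keys surface.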

Further behaviors that the Nuksus Ransomware shares with its relatives are as follows:

  • The Nuksus Ransomware appends its name as an extension to the filename of everything that it locks (for example, 'example.jpg.nuksus').
  • The Nuksus Ransomware can erase Windows Restore Points (the Shadow Volume Copies) by abusing a CMD command.
  • The Nuksus Ransomware may download other threats, although, for now, malware experts have only seen this feature used to deliver the AZORult spyware.
  • The Nuksus Ransomware creates text ransom notes that instruct the user on contacting the criminal to pay the ransom. Current releases of the family use a static Bitmessage address to supplement their communication channels, which makes them highly identifiable.
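The behaviors above are the ones a defender can alert on before the ransom note appears. The following Go example is added here (it is not code from this page or from any vendor product) and runs two detection rules over a constructed event trace: a regular expression for the built-in Windows tools ransomware abuses to wipe Shadow Volume Copies and restore points (the page does not give the Trojan's exact command line, so these are the generic patterns a defender watches for), and a counter for a burst of renames that stack a new extension such as '.nuksus' on top of an existing one. The event layout, the process path, the sample file names and the threshold of five renames are all assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is a minimal process-creation or file-rename record, the shape a
// Sysmon or EDR pipeline hands to a detection rule. Every event in this
// example is constructed; none is a real Nuksus Ransomware trace.
type Event struct {
	Kind    string // "process" or "rename"
	Process string // image that performed the action
	Detail  string // command line (process) or new file path (rename)
}

// shadowWipe matches the built-in Windows tools ransomware abuses to remove
// Volume Shadow Copies and restore points. The article says only that the
// Trojan runs a CMD command for this, so the patterns are generic rather than
// a command line taken from the sample.
var shadowWipe = regexp.MustCompile(`(?i)(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)|bcdedit(\.exe)?\s.*recoveryenabled\s+no)`)

// RenameThreshold is how many files one process may rename to the same new
// extension before the burst is reported as mass encryption (an assumed value).
const RenameThreshold = 5

// splitExt returns the last extension of a Windows or POSIX path (lower-cased)
// and the name without it, so "report.docx.nuksus" yields "report.docx" and
// ".nuksus"; a second call on the name exposes the inner ".docx".
func splitExt(p string) (name, ext string) {
	i := strings.LastIndexAny(p, `\/`)
	name = p[i+1:]
	j := strings.LastIndex(name, ".")
	if j <= 0 {
		return name, ""
	}
	return name[:j], strings.ToLower(name[j:])
}

// Detect runs both rules over the event stream in order and returns one
// alert string per finding.
func Detect(events []Event) []string {
	type key struct{ proc, ext string }
	counts := map[key]int{}
	var alerts []string
	for _, e := range events {
		switch e.Kind {
		case "process":
			if shadowWipe.MatchString(e.Detail) {
				alerts = append(alerts, fmt.Sprintf("shadow-copy wipe by %s: %s", e.Process, e.Detail))
			}
		case "rename":
			inner, ext := splitExt(e.Detail)
			_, innerExt := splitExt(inner)
			// Only count renames that stack a new extension on top of an
			// existing one, which is the file-locker's naming pattern.
			if ext == "" || innerExt == "" {
				continue
			}
			k := key{e.Process, ext}
			counts[k]++
			if counts[k] == RenameThreshold {
				alerts = append(alerts, fmt.Sprintf("mass rename to %s by %s (%d files so far)", ext, e.Process, counts[k]))
			}
		}
	}
	return alerts
}

// SampleEvents is a constructed trace: one benign double-extension rename,
// one shadow-copy wipe, and six renames stacking ".nuksus" onto documents.
func SampleEvents() []Event {
	const locker = `C:\Users\victim\AppData\Local\Temp\sample.exe` // hypothetical path
	ev := []Event{
		{"rename", `C:\Windows\explorer.exe`, `C:\Users\victim\Desktop\notes.txt.bak`},
		{"process", locker, `vssadmin.exe Delete Shadows /All /Quiet`},
	}
	for _, f := range []string{"budget.xlsx", "thesis.docx", "family.jpg", "scan.pdf", "beach.png", "invoice.pdf"} {
		ev = append(ev, Event{"rename", locker, `C:\Users\victim\Documents\` + f + ".nuksus"})
	}
	return ev
}

func main() {
	for _, a := range Detect(SampleEvents()) {
		fmt.Println("ALERT:", a)
	}
}
```

On the constructed trace the first rule fires on the vssadmin line and the second fires once, when the fifth '.nuksus' rename by the same process arrives; the lone explorer.exe rename to '.bak' stays below the threshold. In a real deployment the shadow-copy rule is the earlier and more reliable signal, since it fires before any files are lost.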

Settling a Ransom without Losing Money Over It

Previous versions of the Nuksus Ransomware's family suffered database leaks that made a straightforward decryption solution possible. For modern versions, however, fewer than one in ten victims can recover their work from attacks that use the online (per-victim) version of the encryption feature. Since the Nuksus Ransomware also removes Windows backups, a victim's best chance of restoration is an already-saved copy of their media on another, safe device.

Campaigns that share the Nuksus Ransomware's ancestry often use illicit downloads as their social engineering lure for infecting users' PCs. The Nuksus Ransomware may circulate on torrents or advertising networks, posing as a crack for a game, a Windows license activator or an in-demand movie. Avoiding illicit content online always reduces one's chances of encountering file-locking Trojans and other threats, and the STOP Ransomware family in particular.

In cases where users do come into contact with this Trojan, most anti-malware solutions should shut down and remove the Nuksus Ransomware on sight, since it has limited detection-avoidance features.

Ransomware-as-a-Service makes its gains off the backs of those who don't do their due diligence. A weekly backup does more than give you peace of mind: it can save you hundreds of dollars in Bitcoins after a Nuksus Ransomware infection.
