NCrypt Ransomware
Security breaches that involved '.ncrypt' files lead malware investigators to the discovery of the NCrypt Ransomware. The NCrypt Ransomware is a standard encryption Trojan that is delivered to users the same way the Nuke Ransomware is—spam emails loaded with a macro-enabled DOCX file. Macro in Microsoft Office and other office applications may be abused by crypto malware developers because it can be used to download and install programs from a remote host easily. The payload of the NCrypt Ransomware is dropped to the Temp directory and runs as an executable file with a random name. The primary process of the NCrypt Ransomware may appear as a PDF file in the Windows Task Manager, which should be enough to raise red flags for advanced computer users.
Table of Contents
The NCrypt Ransomware can Lock Data on Local Drives
The NCrypt Ransomware is programmed to scan the PC for a list of connected drives and index files suitable for encryption. The NCrypt Ransomware is unable to edit information on password protected drives and network shares. Security researchers report that the encryption process may take some time depending on the volume of data that is targeted. Samples of the NCrypt Ransomware show that the threat combines the AES and RSA ciphers to lock objects and protect the encryption key. The NCrypt Ransomware may corrupt images, videos, audio, presentations, spreadsheets, text documents and databases. As stated above, the NCrypt Ransomware is ranked among threats like the HCrypto Ransomware and the Cerber3 Ransomware. Security researchers expect the NCrypt Ransomware to encode the following formats:
.3GP, .7Z, .APK, .AVI, .BMP, .CDR, .CER, .CHM, CONF, .CSS, .CSV, .DAT, .DB, .DBF, .DJVU, .DBX, .DOCM, ,DOC, .EPUB, .DOCX .FB2, .FLV, .GIF, .GZ, .ISO .IBOOKS,.JPEG, .JPG, .KEY, .MDB .MD2, .MDF, .MHT, .MOBI .MHTM, .MKV, .MOV, .MP3, .MP4, .MPG .MPEG, .PICT, .PDF, .PPS, .PKG, .PNG, .PPT .PPTX, .PPSX, .PSD, .RAR, .RTF, .SCR, .SWF, .SAV, .TIFF, .TIF, .TBL, .TORRENT, .TXT, .VSD,.WMV, .XLS, .XLSX, .XPS, .XML, .CKP, ZIP, .JAVA, .PY, .ASM, .C, .CPP, .CS, .JS, .PHP, .DACPAC, .RBW, .RB, .MRG, .DCX, .DB3, .SQL, .SQLITE3, .SQLITE, .SQLITEDB, .PSD, .PSP, .PDB, .DXF, .DWG, .DRW, .CASB, .CCP, .CAL, .CMX, .CR2.
The NCrypt Ransomware does not Innovate and Sticks to Tried-And-True Encryption Techniques
The encryption engine of the NCrypt Ransomware is designed to operate with low resource consumption. Victims may not notice problems with their file structure until they attempt to open images and text documents. Experts note that users can recognize corrupted objects with the '.ncrypt' file extension. For example, 'hydronalium_alloy.docx' will be transformed to 'hydronalium_alloy.docx.ncrypt' and you will not have access to your notes on shipbuilding. You should be able to copy, delete and move '.ncrypt' files but that is about all you will be able to do with corrupted data. The ransom note can be found on the desktop where most cryptomalware developers leave their messages. The message of the NCrypt Ransomware comes in '_FILE_RETRIEVAL_INSTRUCTIONS.htm,' which is opened in your default Internet client when the encryption is completed automatically. '_FILE_RETRIEVAL_INSTRUCTIONS.html' has the following content:
'Your Data Has Been Encrypted!
Your important files (photos, videos, documents,etc) have been encrypted with a secure key and are no longer usable.
The only way to restore your files is to purchase the unique decryption key, To purchase the key, send 0.2 Bitcoin (Approx- $120.00 USD) to this Bitcoin address:
[the Bitcoin wallet address]
For information on how to send Bitcoin, see one of these links:
[links to resources on Wikipedia and YouTube on how to manage Bitcoin]
Once you have sent payment, send and EMAIL to rwlcontact@onionmaiLinfo with the [36 random characters] as the SUBJECT and the BitCoin transaction id as the BODY. Do not include other information, this email will not be read but will be processed by an automated system.
Once payment is confirmed, the Decryption Application, Decryption Key, and Decryption Instructions will be sent in an email (to the address that was used to send the Bitcoin Transaction ID). -the decryption application/key will restore your files.
There is no other way to recover your files, the encryption key is unique to your files and uncrackable.
WARNING! FAILURE TO PAY BY [date]. WILL RESULT IN THE DELETION OF THE ENCRYTPTION KEY, MAKING YOUR FILES COMPLETELY UNRECOVERABLE.'
The NCrypt Ransomware is Ineffective Against Users with Backups
The NCrypt Ransomware does not pose a threat to users with backups and archives available. Moreover, users that take advantage of services like the cloud storage offered by Google, Microsoft and Dropbox are not likely to lose important files to the NCrypt Ransomware. Experts recommend users to avoid spam mail and contact with the threat developers on the rwlcontact@onionmail.info address. You should use backup images to restore your data and a reliable anti-malware tool to eliminate the files used by the NCrypt Ransomware safely.
Submit Comment
Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.