Threat Database Ransomware N1n1n1 Ransomware

N1n1n1 Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 8
First Seen: September 7, 2016
Last Seen: February 3, 2020
OS(es) Affected: Windows

The N1n1n1 Ransomware is an Encryption Trojan that uses a combination of the AES and RSA ciphers to encrypt data. The N1n1n1 Encryption Trojan targets commonly used data containers and demands a ransom of 1,5 Bitcoins to release the decryption key. Computer users may encounter the N1n1n1 Ransomware via spam mail attachments and corrupted links. Victims of the N1n1n1 Ransomware will be directed to write to from an account on Google and download the TOR Browser to access the payment portal.

Users that have been infected with the N1n1n1 Ransomware will notice that their video, audio, image, and text files are not acceptable and have a new file extension. The N1n1n1 Ransomware is named after the suffix it uses to mark objects it has modified. For example, the file wow_leagion_soulreaper.png will be changed to wow_leagion_soulreaper.png.n1n1n1. At that point, no image viewer will be able to load the content of wow_leagion_soulreaper.png.n1n1n1 as long as it is encrypted. The N1n1n1 cryptomalware will drop how return files.txt on the victim's desktop with the following content:

'If you don't speak English then use public online translators or or

Your files encrypted.
To decrypt and return control to all your encrypted files you need:
1) Go to [direct link to the TOR Browser installer]. Download Tor browser for windows.
If you can't open this page, then go to [link to the main page of the TOR project] and click on button Download.
It will redirect you to page where you can find "Tor Browser for Windows". Download it. If you still can't download or run tor browser then download, unpack and run the most stable tor browser version here: [link to Google Drive]
2) Install it and run it.
3) Type in the address bar [link to an .onion domain] open our secret website.
4) Secret website will ask you to input your public key.
5) Enter your public key and follow the instructions.

Your public key:

[your key]

If you have any problems while downloading or installing tor browser or opening secret tor site then
If you have antivirus then remove or disable it (antivirus can prohibit open tor browser) or try use other computer.
Don't forget that you can browse and search videos with tor browser installation process.
If you still can't open this secret page then
1) Go to [link to Gmail] (use your usual browser: (firefox, google chrome, ...)
2) If you don't have ...@gmail account then sign up. You will get Google (gmail) account.
3) Compose letter and send it to
In letter you need type us your public key (see public key above).
4) Soon (in 1 or 2 days), we will send you instructions what you need to do to decrypt your files.

Small remark:
You can compose and send letter using other mail provider ( or other)
but we DON'T RECOMMEND you to do it because we are not sure that we will receive your letter!'

As stated above, users will be welcomed to write an email to and transfer Bitcoins to a certain wallet address. Security authorities do not encourage payment of the ransom because the release of a decryptor is not guaranteed or it might not work properly. The experience of experts suggests that the operators of the N1n1n1 Ransomware are not likely to send a functional decryption tool to users that paid for their files to be returned to normal. Instead of losing hundreds of dollars and your files you should reach out to backups and archives. The best practice against threats like the N1n1n1 Ransomware involves using backup tools like Google Drive and Dropbox. Keep in mind that you will require clean backups and a trusted anti-malware instrument to restore your data and remove the N1n1n1 Ransomware.


Most Viewed