
Naampa Ransomware

By GoldSparrow in Ransomware

The Naampa Ransomware is an encryption ransomware Trojan that may be delivered to victims through spam email messages. These messages may include attached DOCX files that use malicious macro scripts to download and install the Naampa Ransomware on the victim's computer. Once installed, the Naampa Ransomware encrypts the victim's files, making them inaccessible. Like many other encryption ransomware Trojans, the Naampa Ransomware then demands a ransom payment by showing a ransom note on the infected computer. PC users should take steps to prevent attacks like the Naampa Ransomware; the most important are using a security product that is fully up to date and keeping backup copies of their files.

The Naampa Ransomware Uses a Powerful Encryption Method

The Naampa Ransomware is related to a previously observed ransomware Trojan named Unlckr Ransomware, which itself is a variant of the Unlock92 Ransomware. The Naampa Ransomware stands out from other ransomware Trojans by using RSA-2048 encryption to encrypt the victim's files directly, rather than AES-256, which most currently active encryption ransomware Trojans use. The use of RSA-2048 makes the encryption much stronger, but the encryption process is slower. The Naampa Ransomware targets user-generated files, encrypting them, making them inaccessible and taking them hostage. Then, like most ransomware Trojans, the Naampa Ransomware demands that the victim make a ransom payment to receive the decryption key necessary to decipher the affected files. The Naampa Ransomware marks the files it encrypts by adding the file extension '.crptd' to each affected file. Once the Naampa Ransomware has encrypted the victim's files, it displays a ransom note by replacing the image file used as the infected PC's desktop wallpaper with a JPG file named '!----README----!.jpg'. This file displays the following Russian text:

'Ваши файлы зашифрованы с использованием алгоритма RSA-2048.
Если хотите их вернуть отправьте один из зашифрованных файлов и файл key.res на e-mail:
Если вы не получили ответа в течение суток или письмо возвращается с ошибкой то скачайте с сайта браузер TOR и с его помощью зайдите на сайт
hxxp://n3r2kuzhw2h7x6j5.onion - там будет указан действующий почтовый ящик.
Попытки самостоятельного восстановления файлов могут безвозвратно их испортить!'

Translated into English, the note reads as follows:

'Your files are encrypted using the RSA-2048 algorithm.
If you want to recover them, send one of the encrypted files and key.res file to e-mail:
If you do not receive a reply within 24 hours or the letter is returned with an error, then download from the site www.torproject[.]com browser TOR and go to the site
hxxp://n3r2kuzhw2h7x6j5.onion - there will be specified a valid mailbox.
Attempts to repair the files yourself can irreversibly damage them!'

Protecting Your Data From Ransomware Trojans Like the Naampa Ransomware

Although computer users may want to write to the people responsible for the Naampa Ransomware attack, malware researchers strongly advise against it. Paying these ransoms will rarely result in the complete recovery of the affected files. Furthermore, paying the ransom allows the con artists to continue developing new ransomware Trojans, creating new variants and claiming more victims. Instead of paying the Naampa Ransomware ransom, take preventive measures to ensure that you can recover your files and remove the Naampa Ransomware in the case of an infection. The best protection against the Naampa Ransomware and other ransomware Trojans is to have file backups. If your files are backed up on a removable device or in the cloud, recovering your data can be as simple as deleting the original, affected file and replacing it with the backup copy. Apart from file backups, an updated security program can intercept these threats before they infiltrate your computer.
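The recovery step described above can be planned before any file is touched. The following Python sketch is an added example, not code from the original article or from any security product: it walks a directory for the '.crptd' marker, the '!----README----!.jpg' note and 'key.res', and reports which marked files have a usable copy under a backup directory. The function names, the sample tree and the assumption that the extension is appended to the full original file name are illustrative.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".crptd"                         # marker extension named in the article
ARTIFACTS = {"!----readme----!.jpg", "key.res"}  # note image and key file, lowercased

def triage(scan_root, backup_root):
    """List Naampa artifacts and sort marked files by whether a backup copy exists."""
    scan_root, backup_root = Path(scan_root), Path(backup_root)
    report = {"artifacts": [], "recoverable": [], "unrecoverable": []}
    for dirpath, _dirs, files in os.walk(scan_root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(scan_root)
            low = name.lower()
            if low in ARTIFACTS:
                report["artifacts"].append(rel.as_posix())
            elif low.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                # Assumption: the marker is appended to the full original name,
                # e.g. report.docx -> report.docx.crptd
                original = rel.with_name(name[: -len(ENCRYPTED_EXT)])
                backup = backup_root / original
                # A missing or empty backup is not a usable copy.
                usable = backup.is_file() and backup.stat().st_size > 0
                bucket = "recoverable" if usable else "unrecoverable"
                report[bucket].append(original.as_posix())
    return {key: sorted(values) for key, values in report.items()}

def build_sample(root):
    """Constructed sample tree (not real infection data): a profile and a backup."""
    profile, backup = Path(root) / "profile", Path(root) / "backup"
    infected = {"Documents/report.docx.crptd": b"\x00" * 16,
                "Documents/notes.txt.crptd": b"\x00" * 16,
                "Pictures/cat.png.crptd": b"\x00" * 16,
                "Desktop/!----README----!.jpg": b"jpg",
                "Desktop/key.res": b"key",
                "Documents/untouched.txt": b"plain"}
    saved = {"Documents/report.docx": b"good copy", "Pictures/cat.png": b""}
    for base, tree in ((profile, infected), (backup, saved)):
        for rel, data in tree.items():
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(data)
    return profile, backup

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return triage(*build_sample(tmp))

if __name__ == "__main__":
    for section, paths in demo().items():
        print(section, paths)
```

The scan is read-only: it deletes and restores nothing, so the report can be reviewed before any affected file is replaced with its backup copy.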

