The NMO Ransomware threat can be used by cybercriminals to lock the data of their victims. The threat possesses the ability to encrypt numerous file types, while the strong cryptographic algorithm ensures that the locked files will be nearly impossible to restore without the necessary decryption keys. After analyzing the NMO Ransomware, infosec researchers confirmed that it is a variant of the Dharma malware family.
Apart from encrypting the files stored on the breached devices, the threat also generates a specific ID string for each victim. NMO appends that string to the original names of the encrypted files, followed by an email address controlled by the attackers. In this case, the email is 'email@example.com.' Finally, '.NMO' will be added as a new file extension.
The threat also delivers two ransom notes to the infected systems. One is dropped as a text file named 'info.txt.' Its message states that users who wish to get their files back must initiate contact with the attackers by messaging 'firstname.lastname@example.org' or 'email@example.com.' A longer ransom-demanding message will be displayed as a pop-up window. It fails to provide any additional details, simply containing a section with various warnings.
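The renaming scheme and the ransom note described above give a defender two simple indicators to look for on a file share: file names that end in '.NMO' and carry an embedded contact address, and a dropped 'info.txt'. The following Python example, added here and not code from the page or from the malware itself, parses such names and summarises a directory listing. The page only states the order of the parts (original name, victim ID, attacker e-mail, '.NMO'); the '.' separators, the square brackets around the e-mail and the 'id-' prefix used in the sample names are assumptions modelled on typical Dharma-family naming, and the listing and note text are constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Contact addresses quoted in the NMO ransom notes on this page.
KNOWN_CONTACT_EMAILS = {"firstname.lastname@example.org", "email@example.com"}
RANSOM_NOTE_NAME = "info.txt"

# Renaming scheme: <original>.<victim id>.[<attacker e-mail>].NMO
# ASSUMPTION: the "." separators and the square brackets around the e-mail
# are modelled on Dharma-family naming; the page gives only the order of parts.
NMO_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.(?P<victim_id>[^.\[\]]+)"
    r"\.\[(?P<email>[^\[\]\s@]+@[^\[\]\s@]+)\]"
    r"\.NMO$"
)

# Generic e-mail matcher used to pull contact addresses out of a ransom note.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass(frozen=True)
class EncryptedFile:
    original_name: str
    victim_id: str
    attacker_email: str


def parse_nmo_filename(name: str) -> Optional[EncryptedFile]:
    """Return the parts of an NMO-renamed file, or None if the name does not fit.

    A bare '.NMO' extension without the ID and e-mail parts is not accepted, so
    unrelated files that happen to use that extension are not counted.
    """
    m = NMO_NAME_RE.match(name)
    if not m:
        return None
    return EncryptedFile(m["original"], m["victim_id"], m["email"])


def contact_addresses_from_note(note_text: str) -> List[str]:
    """Extract the e-mail addresses named in ransom note text, for IoC comparison."""
    return sorted(set(EMAIL_RE.findall(note_text)))


def scan_listing(names: List[str]) -> Dict[str, object]:
    """Summarise a directory listing: how many files carry the NMO pattern,
    which victim IDs and attacker addresses appear, and whether the note is present."""
    encrypted = [f for f in (parse_nmo_filename(n) for n in names) if f]
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": sorted({f.victim_id for f in encrypted}),
        "attacker_emails": sorted({f.attacker_email for f in encrypted}),
        "known_contact_seen": any(f.attacker_email in KNOWN_CONTACT_EMAILS for f in encrypted),
        "ransom_note_present": RANSOM_NOTE_NAME in names,
    }


# Constructed sample listing; the victim ID value is made up for illustration.
SAMPLE_LISTING = [
    "report.docx.id-1A2B3C4D.[email@example.com].NMO",
    "photo.jpg.id-1A2B3C4D.[email@example.com].NMO",
    "notes.txt",
    "archive.NMO",  # extension only, no ID/e-mail: not an NMO rename
    "info.txt",
]

# Text of the 'info.txt' note as quoted on this page.
SAMPLE_NOTE = (
    "all your data has been locked us\n"
    "You want to return?\n"
    "write email firstname.lastname@example.org or email@example.com\n"
)

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
    print(contact_addresses_from_note(SAMPLE_NOTE))
```

The parser is deliberately strict: a file is only counted when all three appended parts are present, so the victim ID and attacker address can be pulled out of the first hit and matched against the addresses from the note.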
The text file contains the following message:
'all your data has been locked us
You want to return?
write email firstname.lastname@example.org or email@example.com
The pop-up window displays the following instructions:
YOUR FILES ARE ENCRYPTED
Don't worry, you can return all your files!
If you want to restore them, write to the mail: firstname.lastname@example.org YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:email@example.com
We recommend you contact us directly to avoid overpaying agents
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'