Threat Database Ransomware NMoreira Ransomware

NMoreira Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 2
First Seen: November 23, 2016
Last Seen: May 4, 2019
OS(es) Affected: Windows

The NMoreira Ransomware is a ransomware Trojan that is being used to target computer users in Portuguese-speaking countries, particularly Brazil and Portugal. The purpose of the NMoreira Ransomware is to encrypt the victim's files to extort a ransom from the victim. If the NMoreira Ransomware is installed on your computer, PC security analysts advise against paying the ransom, despite that it may be impossible to decrypt files affected by the NMoreira Ransomware without access to the decryption key necessary to restore the infected files currently.

The NMoreira Ransomware is not Related to the Maktub Ransomware

The NMoreira Ransomware is a ransomware Trojan that is similar to a previously known ransomware threat known as AiraCrop. PC security analysts suspect that the creators of the NMoreira Ransomware are the same as those that created XRat, a known Remote Access Trojan that allows third parties to control the infected computer from afar. The NMoreira Ransomware uses an asymmetric cryptographic method to encrypt the victim's files, making them inaccessible. Essentially, the NMoreira Ransomware encrypts them and then encrypts the decryption key with a different encryption algorithm. The NMoreira Ransomware identifies the files that have been encrypted with the extension '.maktub,' although there seems to be no direct connection between the creators of the NMoreira Ransomware and the creators of the Maktub Ransomware. It is very common for threat creators to misappropriate or recycle portions of their code, which may explain the extension used by the NMoreira Ransomware.

How the NMoreira Ransomware Demands Payment from Its Victims

The NMoreira Ransomware drops a text file on the victim's Desktop. This file is named 'Recupere seus arquivos. Leia-me!.txt,' Portuguese for 'Recover your files. Read me!' The NMoreira Ransomware ransom note is written in Portuguese. This note asks victims to contact the creators of the NMoreira Ransomware by using an included email address,, to receive further instructions. Essentially, victims lose access to their files, and the con artists hold the decryption key that is necessary to recover the files. It is currently unknown exactly what ransom is demanded by the NMoreira Ransomware. However, previous variants of this attack demanded the payment of 0.5 BitCoin, which is equivalent to approximately $370 USD at the current exchange rate. The following is the full text of the ransom note that is used by this ransomware threat:

Olá, seus arquivos foram criptografados.
A única forma de tê-los de volta, é atraves de um software juntamente com sua chave privada.
Caso haja interesse em recuperar seus arquivos, entre em contato pelo seguinte email:
No campo do email, me envie sua chave pública que está logo a baixo.
Te responderei o mais rápido possível.

Essentially, the ransom note informs the victim that the files were encrypted and it is necessary to contact the fraudsters' email, finishing with a message that computer users should respond as soon as possible.

Dealing with the NMoreira Ransomware

Malware analysts strongly advise computer users to avoid contacting the people responsible for the NMoreira Ransomware or paying the ransom. Computer users may be cheated after contacting the con artists; either they will be ignored, the con artists may ask for more money, or the provided decryption key will simply not work. Even if the con artists provide you with a working decryption key, your payment finances further threat attacks, and you have no guarantee that your files will not become encrypted soon after payment.

The NMoreira Ransomware and other ransomware Trojans become completely ineffective if the victim can recover the files. Because of this, the best measure that computer users can take to prevent the NMoreira Ransomware and halt these attacks is to have backups of all files and update the backups regularly. Once computer users can recover their files from a backup quickly, the con artists have no way of demanding payments from the victim. Establishing effective backups on the cloud or an external memory device only costs a small fraction of what it would take to recover from a NMoreira Ransomware attack by paying the ransom.

SpyHunter Detects & Remove NMoreira Ransomware

File System Details

NMoreira Ransomware may create the following file(s):
# File Name MD5 Detections
1. file.exe bdbb903591448a9cee8eb3dcc920beec 0

Registry Details

NMoreira Ransomware may create the following registry entry or registry entries:
File name without path
Learn how to recover your files.txt


Most Viewed