
Nozelesn Ransomware

By GoldSparrow in Ransomware

The Nozelesn Ransomware is an encryption ransomware Trojan that was first observed on July 2, 2018. The Nozelesn Ransomware seems to have been created to target computer users located in Poland due to its distribution methods and the use of Polish in its attack. This is not the first time PC security researchers have observed ransomware Trojans targeting Polish computer users, although it does not seem that there is a connection between the Nozelesn Ransomware and previous threats designed to target this region of the world. The Nozelesn Ransomware is mainly delivered using spam email messages, which impersonate emails from DHL or other legitimate sources.

How the Nozelesn Ransomware Attack Works

The spam emails used to deliver the Nozelesn Ransomware carry an attached file, commonly a Microsoft Office file with an embedded macro script that downloads and installs the Nozelesn Ransomware onto the victim's computer. Once installed, the Nozelesn Ransomware scans the victim's computer for user-generated files, looking for a wide variety of media files, document types, databases, and numerous others. Threats like the Nozelesn Ransomware target certain file types in their attacks, which include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

The Nozelesn Ransomware's encryption method makes it easy to recognize the affected files because the Nozelesn Ransomware will add the file extension '.nozelesn' to each affected file.

The Nozelesn Ransomware's Ransom Note

The Nozelesn Ransomware delivers its ransom note in the form of an HTML file. The Nozelesn Ransomware ransom note is named 'HOW_FIX_NOZELESN_FILES.htm' and displays the following message on the infected computer:

'All files including videos, photos and documents on your computer are encrypted by the Nozelesn Ransomware.
File decryption costs money.
In order to decrypt the files. you need to perform the_following steps:
1. you should download and install this browser hxxp://.torproject[.]org/projects/torbrowser
2. After installation, run the browser and enter the address: lyasuvlsarvrlyxz[.]onion
3. Follow the instruction on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.
Guaranteed recovery is provided within 10 days.
IMPORTANT INFORMATION You should enter the personal code on the for site.
Your Personal CODE: - [random characters]'

Following these instructions leads to a payment website on the Dark Web, which includes the following notification on a payment Web page:

'Nozelesn decryption cabinet
Your files are encrypted
To get the key to decrypt your files, you should pay 0.1000 BTC.
We are present special decryption key - which is allow to decrypt and return control to all
your encrypted files.'

Computer users are advised to avoid paying the Nozelesn Ransomware ransom, which amounts to approximately 680 USD at the current exchange rate. Instead of paying the ransom, they should take preventive measures against the Nozelesn Ransomware and similar threats. The best precaution against threats like the Nozelesn Ransomware is to have file backups stored on the cloud or an external device. File backups allow computer users to restore their files after a Nozelesn Ransomware attack without having to contact the criminals or consider paying the ransom to restore affected files.
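To scope a restore from backup, the two file-system indicators described above (the '.nozelesn' extension and the 'HOW_FIX_NOZELESN_FILES.htm' note) can be swept for across a drive. The following triage script is an added example, not part of the original article; it assumes the marker is appended after the original extension and matches names case-insensitively, and the function names `original_name` and `triage` are hypothetical.

```python
import os
import sys
from collections import Counter
from pathlib import Path

# Indicators taken from the article text.
ENCRYPTED_SUFFIX = ".nozelesn"
RANSOM_NOTE_NAME = "HOW_FIX_NOZELESN_FILES.htm"


def original_name(name):
    """Return the pre-encryption file name, or None if the name is not marked."""
    # Assumption: the marker is appended after the original extension and
    # is matched case-insensitively.
    if name.lower().endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return None


def triage(root):
    """Walk `root` and summarise Nozelesn indicators for restore planning."""
    report = {"encrypted": [], "notes": [], "by_type": Counter(),
              "dirs": set(), "unreadable": []}
    # Directories that cannot be listed are recorded, not silently skipped.
    on_error = lambda err: report["unreadable"].append(err.filename)
    for dirpath, _dirs, filenames in os.walk(root, onerror=on_error):
        for name in filenames:
            path = Path(dirpath) / name
            restored = original_name(name)
            if name.lower() == RANSOM_NOTE_NAME.lower():
                report["notes"].append(path)
            elif restored is not None:
                report["encrypted"].append(path)
                # The original extension shows which file types to restore.
                report["by_type"][Path(restored).suffix.lower() or "(none)"] += 1
            else:
                continue
            report["dirs"].add(Path(dirpath))
    return report


if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"encrypted files: {len(result['encrypted'])}")
    print(f"ransom notes:    {len(result['notes'])}")
    for ext, count in result["by_type"].most_common():
        print(f"  {ext}: {count}")
    for directory in sorted(result["dirs"]):
        print(f"affected directory: {directory}")
```

Run it with the path to sweep as the only argument; the per-extension counts show which file types need restoring, and the affected directories show where.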
