Threat Database Ransomware Nuksus Ransomware

Nuksus Ransomware

By GoldSparrow in Ransomware

Malware researchers discover new ransomware threats daily. The STOP Ransomware family has proven to be one of the largest and most active ransomware families in late 2019. The Nuksus ransomware threat has been identified by researchers as a member of that family. Functionally, Nuksus is virtually identical to all other strains of the STOP Ransomware with the only distinction being the extension added to the end of the encrypted files' names.

Similarly to most other threats from the same family, Nuksus gets on the victim's computer when the victim runs a keygen or cracked installation file for pirated software. Notably, there have been reports of Nuksus being packed into KMSPico bundles. Over the lifespan of the STOP ransomware family, cybercriminals have reportedly used emails with compromised document attachments too.

When Nuksus ransomware gains access to a victim's PC, it scans it immediately to identify the data that it should encrypt. More recent versions also attempt to delete Shadow volumes to prevent data recovery. Nuksus ransomware will then proceed with the next phase of the attack – the encryption process. When Nuksus encrypts a file, it will also alter its name. This ransomware threat adds a '.nuksus' extension to the end of the filename. For example, an audio file that was originally named 'Lost-Muse.mp3' will be renamed to 'Lost-Muse.mp3.nuksus.'

After the encryption process, Nuksus ransomware drops a ransom note named '_readme.txt' that states:

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Our Telegram account:
Mark Data Restore
Your personal ID:'

In the note, the attackers say that the ransom fee is $980, but for the users who contact them within 72 hours of the attack, the price will be cut by half to $490. The authors of the Nuksus Ransomware also offer to decrypt one file for free as proof that they are in possession of a functional decryption key. Then, they give out two email addresses where they expect to be contacted – '' and '' The attackers also provide their Telegram contact information @datarestore.

It is never advisable to contact cybercriminals or pay them. A much safer approach in this difficult situation is to download and install a legitimate anti-virus software suite and use it to remove the Nuksus Ransomware from your computer safely.


Most Viewed