
NullByte Ransomware

By GoldSparrow in Ransomware

The NullByte Ransomware is a ransomware program that impersonates a popular Pokemon Go bot named Necrobot, a program that computer users run to cheat at the popular online game Pokemon Go. Because this program is not sanctioned by Pokemon Go's developers or considered a legitimate program, it may be distributed through unsafe channels, and con artists have taken advantage of that fact. Inexperienced computer users who try to download this Pokemon Go bot end up infecting their computers with the NullByte Ransomware and lose access to their files. During its attack, the NullByte Ransomware encrypts the victim's files and then demands the payment of 0.1 BitCoin (approximately $60 USD at the current exchange rate) to restore access to the encrypted files. Fortunately, a decryptor for the NullByte Ransomware is currently available, which may help computer users get their files back without having to pay the ransom.

The Surprising Infection Method Used by the NullByte Ransomware

The NullByte Ransomware is being distributed through a GitHub project that claims to be a rebuilt version of NecroBot, which would supposedly allow people to cheat on Pokemon Go. Someone who downloads it, believing it to be legitimate, gets a nasty surprise when the NullByte Ransomware begins to encrypt their files, essentially taking them hostage in exchange for a ransom. To further mislead the victim, when the NullByte Ransomware is downloaded and executed, it displays an interface associated with Necrobot, which asks the victim for their login information. As soon as the Login button is pressed, the NullByte Ransomware goes through the motions of making the victim believe that it is connecting to the NecroBot servers. In fact, it collects the victim's login information (which may then aid in identity theft, since many inexperienced computer users repeat their login credentials across sites) and then encrypts the victim's files.

How the NullByte Ransomware Attacks a Computer

The NullByte Ransomware uses a strong encryption method, AES, to make the victim's files inaccessible, which is typical of these attacks. After it finishes encrypting the victim's files, the NullByte Ransomware displays a lock screen alerting the computer user to the attack and demanding the payment of 0.1 BitCoin in exchange for the decryption key needed to recover the affected files. The NullByte Ransomware receives its name because it appends the extension '_the NullByte' to each file that it encrypts. Instead of targeting specific types of files, as other encryption ransomware Trojans do, the NullByte Ransomware will encrypt all files located in any of the following directories:


This ensures that the NullByte Ransomware will encrypt files that have personal or professional value while not interfering with Windows itself. The NullByte Ransomware will also terminate all Web browsers on the affected computer automatically to prevent victims from obtaining online help to recover from the attack. During its attack, the NullByte Ransomware will take a screenshot of the victim's computer screen and upload it to its Command and Control server. This screenshot, along with the collected login credentials, may be used for further identity theft or even for blackmailing the victim.

Dealing with the NullByte Ransomware

While it may not be possible to recover files encrypted in this way by ransomware Trojans, a decryptor for the NullByte Ransomware is currently available. PC security analysts recommend that computer users remove the NullByte Ransomware infection itself with the help of a reliable security program. The encrypted files may then be recovered with the available decryption utility.

