NURRI Ransomware

The ransomware known as NURRI is a threat that could cause significant damage to compromised devices. It operates by encrypting the files on the system and appending the '.NURRI' extension to their filenames, along with the victim's ID and the email address 'nury_espitia@tuta.io.' Additionally, NURRI presents two ransom notes named 'info.hta' and 'info.txt.' Further investigation has revealed that NURRI belongs to the Phobos family of ransomware threats.

As an illustration of how NURRI modifies the names of the encrypted files, it alters '1.pdf' to '1.pdf.id[9ECFA75E-3352].[nury_espitia@tuta.io].NURRI,' '2.png' to '2.png.id[9ECFA75E-3352].[nury_espitia@tuta.io].NURRI,' and so on.

The NURRI Ransomware Takes Victims' Data Hostage and Demands Ransom Payments

In the ransom note received by victims of the NURRI Ransomware, it is explicitly stated that all of their files have been encrypted. The note includes crucial information such as an email address ('nury_espitia@tuta.io') and an ID, which victims are supposed to use to establish contact with the attackers and initiate the process of paying the demanded ransom. However, it is important to note that the payment for decryption has to be in Bitcoins, and the amount varies depending on how promptly the victim contacts the attackers.

Moreover, the ransom note offers a potential solution for victims to regain access to a limited number of files. Victims are granted the option to submit up to three files for free decryption as a demonstration of the attackers' capability. This serves as a guarantee that the decryption process is indeed feasible. The ransom note of the threat cautions against altering the names of encrypted files or resorting to third-party decryption software, emphasizing the potential risks of permanent data loss or falling prey to fraudulent schemes. Additionally, a second ransom note, titled 'info.txt,' provides supplementary contact information, including a Telegram account at '@HostUppp.'

When individuals fall victim to ransomware attacks, they often find themselves in a predicament where they have few viable options for getting their data back. However, it is important to note that paying the ransom is not recommended as there is no guarantee that the cybercriminals will provide the necessary decryption tools. Furthermore, engaging in such transactions increases the risk of falling victim to further scams or fraudulent activities.

Crucial Security Steps to Protect Your Data and Devices from Ransomware Threats

Implementing crucial security steps can significantly help users protect their data and devices from ransomware threats. Here are some recommended measures:

• Regularly Update Software: Ensure that all operating systems, applications, and anti-malware software are kept updated. Software updates usually carry security patches that address vulnerabilities that could be exploited by ransomware.
•  Enable Automatic Updates: Enable automatic updates for all software so the latest security patches can be installed promptly.
•  Install Reliable Anti-malware Software: Use reputable security software and keep it updated. Regularly scan your system for malware, including ransomware, and schedule automatic scans for ongoing protection.
•  Exercise Caution with Email Attachments and Links: Clicking on a link and opening an email attachment require a lot of caution, especially when coming from unknown senders or suspicious emails. Verify the source and authenticity before interacting with any email content.
•  Be Wary of Downloads: Only download files and software from trustworthy sources. Avoid downloading files from unverified websites or clicking on pop-up ads.
•  Backup Important Data: Regularly back up your important files and data to an external hard drive, cloud storage, or other secure backup solutions. Ensure that the backup is not directly accessible from the network to prevent ransomware from infecting it.
•  Be Mindful of Remote Desktop Services: If using remote desktop services, such as RDP (Remote Desktop Protocol), apply strong passwords, limit access, and consider enabling network-level authentication. Additionally, regularly monitor and review logs for any suspicious activities.

By following these crucial security steps, users can enhance their protection against ransomware threats and minimize the risk of falling victim to such harmful attacks.

The ransom note shown to victims of the NURRI Ransomware as a pop-up window is:

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail nury_espitia@tuta.io
Write this ID in the title of your message -
If you do not receive a response within 24 hours, please contact us by Telegram.org account: @HostUppp
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The ransom note delivered as a text file is:

!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: nury_espitia@tuta.io.
If we don't answer in 24h, send messge to telegram: @HostUppp'