
Nusar Ransomware

Posted: June 28, 2019

The Nusar Ransomware is a file-locking Trojan from the STOP Ransomware family, whose campaigns are prolific throughout Asia. The Nusar Ransomware can block media automatically by encrypting it, demand ransoms through text files, download other threats, and remove backups. Retrieving your data from an external backup is an effective response to Nusar Ransomware infections, and most anti-malware products will identify and delete the Nusar Ransomware appropriately.

The Short Lifespan of a Fake Windows Update

While the STOP Ransomware maintains a breakneck development pace after finally hitting 1.0 with the Muslat Ransomware's campaign, its new members are continuing another long-held trend: attacking nations in Asia. A new version of the Ransomware-as-a-Service threat is attacking Hong Kong under the brand of the Nusar Ransomware. As usual, the name comes directly from the extension that it adds onto the files that it takes captive, but this change doesn't imply internal updates to the encryption that's doing the blocking.

The Nusar Ransomware uses a well-hidden installation and setup routine that places many of its components in a sub-folder of the Temporary Internet Files location, misrepresenting some of them as Windows patch files. It sets Registry entries for these files to maintain persistence before beginning attacks on the user's local media, which it encrypts with file-blocking AES and RSA algorithms. Afterward, it also deletes any setup files that it no longer needs, which can prevent users from connecting the attack to the time or method of infection.
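One way to triage for the persistence pattern described above, as an added example rather than code from the original article: it flags autorun entries whose executable resolves into a browser cache directory. The Run key location, the cache directory names, and every sample entry are assumptions or constructed values, not indicators taken from this threat.

```python
import ntpath
import re

# Browser-cache directory names: "Temporary Internet Files" (older Windows)
# and "INetCache" (Windows 8 and later), lowercased for comparison.
CACHE_DIRS = ("\\temporary internet files\\", "\\inetcache\\")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|scr|bat|cmd|dll))(?:\s|$)", re.I)

def exe_path(command, env):
    """Extract the normalized executable path from an autorun command line."""
    lookup = {k.lower(): v for k, v in env.items()}
    # Expand %VAR% references case-insensitively; unknown names stay as-is.
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: lookup.get(m.group(1).lower(), m.group(0)),
                      command.strip())
    if expanded.startswith('"'):
        path = expanded[1:].split('"', 1)[0]      # quoted: up to closing quote
    else:
        m = EXE_RE.match(expanded)                # unquoted: may contain spaces
        path = m.group(1) if m else expanded.split(" ", 1)[0]
    return ntpath.normpath(path)                  # also collapses "..\" hops

def flag_autoruns(entries, env):
    """Return (key, value name, path) for autoruns launched from a cache dir."""
    hits = []
    for key, name, command in entries:
        path = exe_path(command, env)
        if any(d in path.lower() for d in CACHE_DIRS):
            hits.append((key, name, path))
    return hits

# Constructed sample data: not indicators from the article or from real samples.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  # assumed location
ENV = {"LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
       "ProgramFiles": r"C:\Program Files"}
SAMPLE = [
    (RUN, "ExampleSync", r'"%LOCALAPPDATA%\ExampleSync\sync.exe" /background'),
    (RUN, "ExampleUpdater",
     r'"%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\EXAMPLE1\patch-example.exe" --start'),
    (RUN, "ExampleTray", r"%ProgramFiles%\Example Tray\tray.exe"),
    (RUN, "ExamplePatch", r"C:\Users\alice\AppData\Local\Microsoft\Windows"
                          r"\Temporary Internet Files\Content.IE5\EXAMPLE2\kb-example.exe -q"),
]

if __name__ == "__main__":
    for key, name, path in flag_autoruns(SAMPLE, ENV):
        print(f"SUSPICIOUS {key}\\{name} -> {path}")
```

On a live system the entries would come from an export of the autorun keys; a hit is a lead for an anti-malware scan, not proof of infection.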

Disconnecting all Internet connections will not stop the Nusar Ransomware's encryption, but will force the Trojan into using a less-secure version of it than the default one. Malware experts also recommend having backups on other devices for any recovery, since the STOP Ransomware family uses attacks that aren't readily decryptable, even by security researchers who specialize in file-locker Trojans. A Restore Point is not a reliable fallback; the Nusar Ransomware may delete it through a CMD command.

The Effect that Your Web-Surfing Has on Your Files

The Nusar Ransomware is, at 1.08, one of the newest versions of its family, even though its fundamentals don't vary measurably from the payloads of relatives like the Dutan Ransomware, the Mogera Ransomware, the Raldug Ransomware or the Truke Ransomware. Users can heighten the safety of their computers by avoiding risky interactions with e-mail attachments or illegal downloads like game cracks, especially from torrents. These infection vectors are rife with members of the STOP Ransomware family and its competition in the Ransomware-as-a-Service sector.

Updates to the Nusar Ransomware's family are having some success at hiding new versions from current threat-identifying databases. Security products may identify the Nusar Ransomware as a generic Trojan or, rarely, fail to flag it. Update your anti-malware products before any scans for the best accuracy; most users should avoid removing Nusar Ransomware infections with anything other than such products or a security researcher's manual assistance.

With Indonesia, Pakistan, China, and other parts of the Middle East and Asia under assault, the Nusar Ransomware is just one fresh voice in an overwhelming chorus. Drowning out the pretensions of a file-locker Trojan isn't very hard, though, if you've been backing your work up somewhere secure.
