What is NoCry Ransomware
First found and researched by an independent expert named S!R!, NoCry is a ransomware program designed to encrypt data. Encrypting files and restricting access to them is a very popular scheme that ransomware developers use to extort money from victims. For now, there are two known versions of NoCry, which differ in the extension assigned to blocked data: either .Cry or .IHA is appended to encrypted files. For instance, 1.pdf will change to 1.pdf.IHA and reset its shortcut icon to blank after being affected by the malware. The extortionists behind NoCry Ransomware demand payment for returning the data via an HTML file called How To Decrypt My Files.html.
Ooooops All Your Files Are Encrypted ,NoCry
Can I Recover My Files ?
Yes, You Can Recover All Your Files Easily And Quickly
But How ?
Send The Required Amount And
I Will Send The Key To You For Decryption
See You Soon (0_0)
Your files will be lost on :
Send $100 worth of bitcoin to this address:
[Show Encrypted Files] [Decrypt]
How to buy bitcoins?
Oooops, Your Files Have Been Locked by IHA Team !!!!!
Can I Recover My Files ?
your important files are encrypted.
you has been hacked by IHA team, and you cant back your files again unless you pay for decryption code, remember no escape for you HAHA
Can I Recover My Files?
sure we guarantee that you can recover all your files safely and easily.
but you have not so enough time.
if you need to decrypt your files, yo need to pay.
after that the price will be doubled or your files and computer will be destroyed
How Do I Pay?
payment is accepted in bitcoin only. for more information, click
check the current price of bitcoin and buy some bitcoin. for more information, click
and send correct amount to the address below
after your payment. click to to decrypt your files
LOCKED BY IHA TEAM
Send $100 worth of bitcoin to this address:
NoCry also force-opens a pop-up window that victims can interact with to send the ransom and decrypt their data. The contents of the pop-up and the HTML file are identical. NoCry gives about 72 hours to send $100 in BTC to the attached crypto address. If no money is delivered within the allocated time, NoCry will delete your files forever. This is an intimidation tactic meant to hurry victims into paying the demanded ransom quicker. After completing the payment, victims are instructed to contact the developers by e-mail, which can be found in both the pop-up window and the HTML file.
Unfortunately, there is no other way to decrypt NoCry files apart from paying the ransom. At the moment of writing this article, third-party tools are unable to decipher files with “.Cry” or “.IHA” extensions for free. Free decryption may become possible if some version of NoCry was released with bugs or flaws that help third-party tools break the encryption. Even so, we strongly recommend against meeting the demands of cybercriminals and paying the ransom. There have been many cases when victims were fooled and did not receive any decryption keys or tools in the end. If you want to recover your data for free, the only feasible way is to use backup copies. Delete the virus and plug in your external storage to copy the files back to your system. Keep in mind that removing the virus is mandatory in any case unless you are going to pay the ransom. Otherwise, the continued presence of the virus may result in more encryption or privacy threats.
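To work out which files need to be restored, the indicators named above (the appended .Cry / .IHA extensions and the How To Decrypt My Files.html note) can be searched for and matched against a backup. The following Python script is an added example, not part of the original article or any vendor tool; the function names and the sample directory layout are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Indicators from the article: appended extensions and the ransom note file name.
ENCRYPTED_SUFFIXES = {".cry", ".iha"}
RANSOM_NOTE = "how to decrypt my files.html"

def scan(root):
    """Return {directory: {"encrypted": [(path, original_name)], "notes": [path]}}."""
    report = defaultdict(lambda: {"encrypted": [], "notes": []})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE:
                report[dirpath]["notes"].append(full)
            elif full.suffix.lower() in ENCRYPTED_SUFFIXES:
                # The extension is appended (1.pdf -> 1.pdf.IHA), so dropping the
                # last suffix gives the file name to look for in a backup.
                report[dirpath]["encrypted"].append((full, full.stem))
    return dict(report)

def restore_plan(root, backup_root):
    """Pair every encrypted file with its backup copy, or None if none exists."""
    plan = []
    for dirpath, entry in scan(root).items():
        rel = Path(dirpath).relative_to(root)
        for enc_path, original in entry["encrypted"]:
            candidate = Path(backup_root) / rel / original
            plan.append((enc_path, candidate if candidate.is_file() else None))
    return sorted(plan, key=lambda pair: str(pair[0]))

def demo():
    """Run against a constructed sample tree (not real victim data)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        (live / "docs").mkdir(parents=True)
        (backup / "docs").mkdir(parents=True)
        for name in ("1.pdf.IHA", "notes.txt.Cry", "How To Decrypt My Files.html", "ok.txt"):
            (live / "docs" / name).write_bytes(b"sample")
        (backup / "docs" / "1.pdf").write_bytes(b"sample")
        notes = sum(len(e["notes"]) for e in scan(live).values())
        plan = [(e.name, b.name if b else None) for e, b in restore_plan(live, backup)]
        return notes, plan

if __name__ == "__main__":
    print(demo())
```

Entries paired with None have no backup copy and are the files actually at risk; run the scan only after the malware has been removed and with the backup mounted read-only.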
How NoCry Ransomware infected your computer
If you wonder how malware like NoCry could sneak into your system, here is the list of the most popular methods:
E-mail spam letters, trojans, backdoors, keyloggers, fake software updates or installers hosted on Peer-to-Peer networks (torrent websites), badly protected RDP configurations, and other less notable channels.
The biggest share of ransomware infections has consistently been traced to malicious files attached to suspicious e-mail letters. Such messages are usually sent by fake representatives of legitimate companies like DHL, DPD, FedEx, or similar. The content of such letters tells you to open an attached file or link to access information about your parcel, invoice, or something else. Cybercriminals may use tempting attachment names or subject lines to lure users into acting upon the request. The presence of .DOCX, .XLSX, .PDF, .EXE, .RAR, .ZIP, or .JS file extensions with clickbait-looking names almost certainly means there is malware hidden inside. By opening them and allowing the requested actions, users launch executable scripts that install malicious software like NoCry Ransomware. For this reason, it is advised not to trust such messages even if they seem to be sent from familiar sources. To be better protected against such threats in the future, it is worth reading our guide below. There is plenty of useful information on that topic.
- Download NoCry Ransomware Removal Tool
- Get decryption tool for .Cry or .IHA files
- Recover encrypted files with Stellar Data Recovery Professional
- Restore encrypted files with Windows Previous Versions
- Restore files with Shadow Explorer
- How to protect from threats like NoCry Ransomware
Download Removal Tool
To remove NoCry Ransomware completely, we recommend using Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of NoCry Ransomware and prevents future infections by similar viruses.
Alternative Removal Tool
To remove NoCry Ransomware completely, we recommend using SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders, and registry keys of NoCry Ransomware. The trial version of SpyHunter 5 offers virus scan and 1-time removal for FREE.
NoCry Ransomware files:
How To Decrypt My Files.html
NoCry Ransomware registry keys:
How to decrypt and restore .Cry or .IHA files
Use automated decryptors
Download Kaspersky RakhniDecryptor
Use the following tool from Kaspersky, called Rakhni Decryptor, which can decrypt .Cry or .IHA files. Download it here:
There is no point in paying the ransom: there is no guarantee you will receive the key, and you will put your bank credentials at risk.
Dr.Web Rescue Pack
Famous antivirus vendor Dr. Web provides free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help in the decryption of .Cry or .IHA files by uploading samples to Dr. Web Ransomware Decryption Service. Analyzing files will be performed free of charge and if files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.
If you were infected with NoCry Ransomware and have removed it from your computer, you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to recover the files manually, you can do the following:
Use Stellar Data Recovery Professional to restore .Cry or .IHA files
- Download Stellar Data Recovery Professional.
- Click Recover Data button.
- Select the type of files you want to restore and click the Next button.
- Choose the location you would like to restore files from and click the Scan button.
- Preview the found files, choose the ones you want to restore and click Recover.
Using Windows Previous Versions option:
- Right-click on the infected file and choose Properties.
- Select the Previous Versions tab.
- Choose a particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there are no items in the list, choose an alternative method.
Using Shadow Explorer:
- Download the Shadow Explorer program.
- Run it and you will see a listing of all the drives and the dates on which shadow copies were created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose an alternative method.
If you are using Dropbox:
- Log in to the Dropbox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect computer from viruses, like NoCry Ransomware, in future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, and file protection that detects and blocks even unknown encryptors.
2. Back up your files
As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage can be instantly infected by the virus once plugged in or connected to. NoCry Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and a simple interface. You can read more about iDrive cloud backup and storage here.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.