What is RansomNow Ransomware
RansomNow is another file-encrypting virus released by cybercriminals to extort money from desperate victims. It is very similar to the already-discussed Polaris Ransomware, as it uses the same encryption pattern with AES and RSA algorithms. Another similarity between these ransomware attacks is that they do not attach any new extension to encrypted data. Although the files show no significant visual changes, users will still be unable to open them. The virus also creates a text file called HELP – README TO UNLOCK FILES.txt that contains decryption instructions:
Hi, all your files have been encrypted/locked with a Military grade encryption algorithm.
There is no way to restore your data without a special key from me.
Don't panic, you can still restore all your files in few minutes, you just have to pay me for the ransom.
1. You have to send payment of 0.0044 BITCOIN to: bc1qgq8pawjsc5wa392wy92y5pvvskxljks0w6zfcd
2. Once payment have been completed, send proof of payment to: ransomnow@yandex.ru
3. Use your Computer name as email subject so that i can identify your private recovery key.
You can buy bitcoin very easily from these sites:
www.localbitcoins.com
www.paxful.com
A list of several sites where you can buy bitcoin can be found here:
https://bitcoin.org/en/exchanges
IMPORTANT WARNING!!
Make sure payment is sent to: bc1qgq8pawjsc5wa392wy92y5pvvskxljks0w6zfcd
Do NOT attempt to decrypt your files with any software because it will not work and you may corrupt your files.
Do NOT change file names or mess with the files
Do NOT send "PAID" message without paying, price WILL increase for disobedience.
Do NOT think that we won't delete your files and throw away the restore key when you refuse to pay, WE WILL!!!
The developers say victims can restore the data only by purchasing a special key. The price is 0.0044 BTC, which is approximately $250 at the time of writing. Keep in mind that cryptocurrency rates change constantly, so the amount may be higher or lower even tomorrow. After sending the required amount of BTC, users are told to send proof of the transaction to the listed e-mail address (ransomnow@yandex.ru). In addition, the crooks list a couple of sites where the required cryptocurrency can be bought, in case you are new to the crypto world. The note also strongly warns against manipulating the files yourself or with third-party tools. In case of disobedience, the cybercriminals threaten to delete the private keys and files forever so that users can never get them back. Before you rush into paying the ransom, we want to warn you about the risks. Many cybercriminals abandon their victims and do not send any decryption tools even after receiving the payment. There are some free and safer tools that can help you recover files in some cases. It is true that third-party decryption is less likely to help, since the extortionists are the only ones holding the key needed to remove the encryption. Nevertheless, you should remove RansomNow Ransomware to stop the swindlers from accessing your desktop and running further encryption. You can do this and learn about all possible decryption methods in our article below.
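Because RansomNow adds no extension, a search by file name will not show which files were hit. The following triage script is an added example, not code from the original article or from any vendor: it looks for the ransom note named above and flags files whose extension promises a known header that is no longer there and whose first bytes look random. The magic-byte table, the 4096-byte sample and the 7.0 bits-per-byte threshold are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter

# Note name from the page, lower-cased; the page prints an en dash, which may be
# typography for a plain hyphen, so both are accepted (assumption).
NOTE_NAME = "help - readme to unlock files.txt"

# Leading bytes of a few common formats (constructed table, not exhaustive).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}

def is_note(name):
    return name.replace("\u2013", "-").casefold() == NOTE_NAME

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path, sample=4096, threshold=7.0):
    """True when a known extension has lost its header and the bytes look random."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return False  # no expected header for this extension
    with open(path, "rb") as fh:
        head = fh.read(sample)
    return not head.startswith(magic) and entropy(head) >= threshold

def triage(root):
    """Walk root; return (folders holding the note, files that look encrypted)."""
    note_dirs, suspects = [], []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            if is_note(name):
                note_dirs.append(folder)
                continue
            try:
                if looks_encrypted(full):
                    suspects.append(full)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
    return sorted(note_dirs), sorted(suspects)
```

Files shorter than about 128 bytes cannot reach the entropy threshold and are never flagged, and intact compressed formats such as .docx pass because their header is still present. Run `triage()` against a backup copy or a read-only mount so the scan does not touch the affected files.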
How RansomNow Ransomware infected your computer
Developers use a wide range of tricky methods to deliver ransomware infections into the system. Most often they use spam e-mails containing malicious attachments of various sorts. Files in Word, Excel, PDF, EXE, or JavaScript formats may be attached and altered at the macro level to install malicious software when opened. Cybercriminals do everything possible to entice users into clicking on such files by using tempting headlines. Phrases like “Urgent”, “Your Invoice”, “Shipment”, “Government Fines”, and similar may be used as file names or message subjects to increase the chances of them being opened. Experienced users should know this is a trap, so it is more likely to work on inexperienced ones. Elderly people and other novice users are usually in the target zone of such infections by default, as they tend to trust whatever they encounter on the web. Other popular distribution methods include trojans, fake updates or software installers, backdoors, keyloggers, unprotected RDP configuration, web-injects, malicious ads, and more. In order to stay protected against such threats in the future, follow our tips presented below. There is a lot of useful information regarding this topic.
- Download RansomNow Ransomware Removal Tool
- Get decryption tool for your files
- Recover encrypted files with Stellar Data Recovery Professional
- Restore encrypted files with Windows Previous Versions
- Restore files with Shadow Explorer
- How to protect from threats like RansomNow Ransomware
Download Removal Tool
To remove RansomNow Ransomware completely, we recommend using Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of RansomNow Ransomware and prevents future infections by similar viruses.
Alternative Removal Tool
To remove RansomNow Ransomware completely, we recommend using SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders, and registry keys of RansomNow Ransomware. The trial version of SpyHunter 5 offers a virus scan and 1-time removal for FREE.
RansomNow Ransomware files:
WARNING.txt
systemd-timed
polaris
{randomfilename}.exe
RansomNow Ransomware registry keys:
no information
How to decrypt and restore your files
Use automated decryptors
Download Kaspersky RakhniDecryptor
Use the following tool from Kaspersky called Rakhni Decryptor, which can decrypt your files. Download it here:
There is no point in paying the ransom: there is no guarantee you will receive the key, and you will put your bank credentials at risk.
Dr.Web Rescue Pack
The well-known antivirus vendor Dr. Web provides a free decryption service for owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help decrypting their files by uploading samples to the Dr. Web Ransomware Decryption Service. File analysis is performed free of charge, and if the files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.
If you were infected with RansomNow Ransomware and have removed it from your computer, you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to recover the files manually, you can do the following:
Use Stellar Data Recovery Professional to restore your files
- Download Stellar Data Recovery Professional.
- Click the Recover Data button.
- Select the types of files you want to restore and click the Next button.
- Choose the location you would like to restore files from and click the Scan button.
- Preview the files found, choose the ones you want to restore, and click Recover.
Using Windows Previous Versions option:
- Right-click on the infected file and choose Properties.
- Select the Previous Versions tab.
- Choose a particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there are no items in the list, choose an alternative method.
Using Shadow Explorer:
- Download the Shadow Explorer program.
- Run it and you will see a list of all the drives and the dates on which shadow copies were created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose an alternative method.
If you are using Dropbox:
- Log in to the Dropbox website and go to the folder that contains the encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect your computer from viruses like RansomNow Ransomware in the future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
The well-known antivirus brand ZoneAlarm by Check Point has released a comprehensive tool that provides active anti-ransomware protection as an additional shield on top of your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, and file protection that detects and blocks even unknown encryptors.
2. Back up your files
As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage, can be instantly infected by the virus once plugged in or connected. RansomNow Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most favorable terms and a simple interface. You can read more about iDrive cloud backup and storage here.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.