NanoLocker is a new ransomware family that infects computer systems and encrypts personal files. It is usually distributed as an email attachment. Once NanoLocker has infected a machine, it restricts access to the system and runs through several stages to encrypt files that match certain extensions. It then drops a ransom note with instructions on how to decrypt the files and regain normal access.
NanoLocker demands a very low ransom compared to other ransomware: 0.1 bitcoins, which equates to about 43 USD. Given the low distribution of this ransomware and the small ransom amount, it has been suggested that this may be a test run.
NanoLocker also uses an unusual payment method. To pay the ransom, the victim has to include a Base64-encoded string in the Public Note field of the bitcoin transaction. The note travels with the transaction and can be read by the malware developer. Once the payment is received, the developer sends back a micro-transaction carrying another Public Note, and that note contains the decryption key.
The victim then pastes the key into the Key Field box in the program to decrypt their files.
NanoLocker has several flaws that both help the victim and complicate matters. It encrypts files with the symmetric AES algorithm, which means the same key is used for encryption and decryption. Once it has finished encrypting files, it encrypts the AES key with a master RSA public key and stores the result in the %LocalAppData% folder. In the final state of the infection that stored key cannot be used to decrypt files, because the AES key itself is now encrypted. However, if the victim shuts down the infected computer or terminates the ransomware process before this final stage, the plaintext AES key can be retrieved from the %LocalAppData%\lansrv.ini file and used to decrypt the files the infection encrypted.
NanoLocker files:
C:\Users\User\AppData\Local\lansrv.exe
C:\Users\User\AppData\Local\lansrv.ini
C:\Users\User\Desktop\ATTENTION.RTF
NanoLocker registry entries
How to decrypt NanoLocker files
To use Adam’s decryptor, download it, save it to your desktop, and open the Command Prompt. You can open the Command Prompt by pressing Win+R and typing cmd in the Run box. The Command Prompt can also be found in the Accessories folder of the Windows Start Menu.
From the command line, run the decryptor using the syntax below, replacing each bracketed item with the appropriate path.
NanoLocker_Decryptor.exe [ENCRYPTED FILE] [DECRYPTED VERSION] [lansrv.ini_file]
A real example that shows how to use this decryptor would be:
NanoLocker_Decryptor.exe "C:\Users\Public\Pictures\Sample.jpg" "C:\Users\Public\Pictures\Sample-good.jpg" %userprofile%\appdata\local\lansrv.ini
Once you have executed the command, the decryptor verifies that the key is valid and then decrypts the single file you specified.
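The key-handling flaw described above, and the way a per-file decryptor depends on it, can be shown in a small Go program. This is an added example, not NanoLocker's code and not Adam's decryptor. It assumes a hypothetical key-file layout in which lansrv.ini holds the clear AES key as "key=<hex>" while encryption runs and only "wrapped=<hex>" after the RSA step, and it uses AES-256-GCM and RSA-OAEP because the page does not state the malware's actual modes. Recover(true) models a process that was killed before the final stage: the key is read from the key file and a constructed sample file is decrypted with it. Recover(false) models the final state, where only the RSA-wrapped key remains and recovery from the key file alone fails.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Assumed key-file layout (not NanoLocker's real lansrv.ini format): "key=<hex>"
// while encryption runs, replaced by "wrapped=<hex RSA ciphertext>" at the end.
const (
	plainKeyPrefix   = "key="
	wrappedKeyPrefix = "wrapped="
	samplePlaintext  = "constructed sample file content"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// decryptSample is the per-file step of a decryptor; it needs the same key that encrypted the file.
func decryptSample(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// keyFromIni returns the clear AES key if the key file still holds it, or an error once only the wrapped copy remains.
func keyFromIni(ini string) ([]byte, error) {
	for _, line := range strings.Split(ini, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, plainKeyPrefix) {
			return hex.DecodeString(strings.TrimPrefix(line, plainKeyPrefix))
		}
		if strings.HasPrefix(line, wrappedKeyPrefix) {
			return nil, errors.New("only the RSA-wrapped key remains; the operator's private key is required")
		}
	}
	return nil, errors.New("no key material found in key file")
}

// wrapKey models the final stage: RSA-OAEP under the operator's public key. The
// private half is discarded here because it never exists on the victim machine.
func wrapKey(key []byte) (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, key, nil)
	return wrappedKeyPrefix + hex.EncodeToString(ct) + "\n", err
}

// Recover simulates one infected machine and a decryption attempt from the key
// file alone; stoppedEarly selects whether the clear key is still on disk.
func Recover(stoppedEarly bool) (string, error) {
	key := make([]byte, 32)
	rand.Read(key) // never returns an error in current Go
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	blob := gcm.Seal(nonce, nonce, []byte(samplePlaintext), nil) // the "encrypted file"
	ini := plainKeyPrefix + hex.EncodeToString(key) + "\n"
	if !stoppedEarly {
		if ini, err = wrapKey(key); err != nil {
			return "", err
		}
	}
	recovered, err := keyFromIni(ini)
	if err != nil {
		return "", err
	}
	pt, err := decryptSample(recovered, blob)
	return string(pt), err
}

func main() {
	pt, err := Recover(true)
	fmt.Printf("stopped early: plaintext=%q err=%v\n", pt, err)
	_, err = Recover(false)
	fmt.Printf("final stage reached: err=%v\n", err)
}
```

Run it with go run: the first line prints the recovered sample plaintext, the second prints the error explaining that only the wrapped key is left. The split between a per-file decrypt routine and whatever key material survived on disk is what a tool like the decryptor above relies on, which is why powering off or killing the process before the final stage preserves the victim's options.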
How to remove NanoLocker ransomware
2. Open Malwarebytes and click the large blue Scan Now button to begin a scan.
3. Once the scan is complete, click the Remove Selected button and then the Finish button. If Malwarebytes suggests that you restart your computer, please do so.
5. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may choose to create a copy or perform a one-time scan.
6. When the HitmanPro scan is complete click the Next button and then click the Reboot button. *To activate the free version of HitmanPro: enter your email address twice and click the Activate button.
8. Open CCleaner and go to the main Cleaner screen. Click the Analyze button. When the process is complete, click the Run Cleaner button on the bottom right of the program interface.
9. Go to Tools > Startup and search for suspicious entries in each tab, starting from Windows all the way to Context Menu. If you find anything suspicious, click it and then click the Delete button to remove it.
10. Go to the Registry window and click the Scan for Issues button. When the scan is complete click the Fix selected issues… button and click Fix All Selected Issues.