NanoLocker Virus Removal Guide

NanoLocker

NanoLocker virus is a new type of ransomware that infects computer systems and encrypts personal files. NanoLocker ransomware is usually distributed as en email attachment. Once the NanoLocker virus has been contracted it will restrict access to the machine and perform various tasks to encrypt files that match certain extensions. It will then provide a ransom note with instructions detailing how to decrypt files and maintain regular access.

nanolocker

NanoLocker ransomware requests a very low amount for a ransom payment compared to other ransomware. The ransom amount is .1 bitcoins which equates to about 43 USD.  Due to the low distribution of this ransomware and the small ransom amount, it is suggested that this might be a test run.

NanoLocker also has a very unique payment method. For example, in order to pay the ransom you have to send a BASE64 encoded string in the Public Note field. This public note will then be attached to the bitcoin transaction and the note can be read by the malware developer. Once the ransom payment is received, the malware developer will then send back a micro-transaction that contains another Public Note. The new Public Note sent back by the malware author is what contains your decryption key.

The victim of this infection would then take the key and paste into the Key Field box in the program to decrypt their files.

NanoLocker has many flaws which both benefit the user and complicate things. For example, NanoLocker will encrypt a file using the symmetrical AES encryption algorithm. This means that identical keys are used for the encrypt and decrypt process. Once the ransomware has completed encrypting files, it then encrypts the AES key with a master RSA public encryption key and places it in the %LocalAppData% folder. In the final state of the NanoLocker infection the key cannot be used to decrypt files because the AES key would be encrypted. However, if a victim shuts down the infected computer or terminates the ransomware process before the final stages of the infection they can retrieve the key from the %LocalAppData%\lansrv.ini file and use it to decrypt files encrypted by this infection.

NanoLocker files

C:\Users\User\AppData\Local\lansrv.exe
C:\Users\User\AppData\Local\lansrv.ini
C:\Users\User\Desktop\ATTENTION.RTF

NanoLocker registry entries

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LanmanServer C:\Users\User\AppData\Local\lansrv.exe

How to decrypt NanoLocker files

A decryptor was created by Adam (GitHub) that can be used to decrypt files encrypted by NanoLocker ransomware.

To use Adam’s decryptor, download it and save it to your desktop and open the Command Prompt on your computer. You can open the Command Prompt by holding Win+R and typing cmd in the field. The Command Prompt can also be found in the accessory folder or on Windows Start Menu.

From a command line execute the decryptor using this command line below. Replace [ ] with the appropriate information.

NanoLocker_Decryptor.exe [ENCRYPTED FILE] [DECRYPTED VERSION] [lansrv.ini_file]

A real example that shows how to use this decryptor would be:

NanoLocker_Decryptor.exe "C:\Users\Public\Pictures\Sample.jpg" "C:\Users\Public\Pictures\Sample-good.jpg" %userprofile%\appdata\local\lansrv.ini

Once you have executed the command, the decryptor will ensure that the key is valid and it will individually decrypt your file.

How to remove NanoLocker ransomware

1. Download and Install Malwarebytes Anti-Malware software.

2. Open Malwarebytes and click the large blue Scan Now button to begin a scan.

3. Once the scan is complete click the Remove Selected button and Finish button afterwards. If Malwarebytes suggests that you restart your computer please do so.

4. Download and Install HitmanPro by Surfright.

5. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may chose to create a copy or perform a one-time scan.

6. When the HitmanPro scan is complete click the Next button and then click the Reboot button. *To activate the free version of HitmanPro: enter your email address twice and click the Activate button.

7. Download and Install CCleaner by Piriform.

8. Open CCleaner and go to the main Cleaner screen. Click the Analyze button. When the process is complete, click the Run Cleaner button on the bottom right of the program interface.

9. Go to Tools > Startup and search for suspicious entries in each tab starting from Windows all the way to Content Menu. If you find anything suspicious click it and click the Delete button to remove it.

10. Go to the Registry window and click the Scan for Issues button. When the scan is complete click the Fix selected issues… button and click Fix All Selected Issues.

Sean Doyle

Sean is a distinguished tech author and entrepreneur with over 20 years of extensive experience in cybersecurity, privacy, malware, Google Analytics, online marketing, and various other tech domains. His expertise and contributions to the industry have been recognized in numerous esteemed publications. Sean is widely acclaimed for his sharp intellect and innovative insights, solidifying his reputation as a leading figure in the tech community. His work not only advances the field but also helps businesses and individuals navigate the complexities of the digital world.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.