Al-Namrood virus Removal Guide
Description of Al-Namrood virus
Al-Namrood ransomware: a constantly developing threat
Al-Namrood virus, a ransomware who shares its name with Saudi Arabian black metal band, will sure cause a headache for those who aren’t accustomed to dealing with such infections on a daily basis. Naming their malware based on cultural subjects has always been a tendency among the ransomware creators. You can easily find software labeled Batman_good@aol.com, NoobCrypt, or Jigsaw ransomware which may also signal the origins of its creators. While at the moment of writing there is no evidence that would link Al-Namrood to the Middle Easterns hackers, the experts are almost certain that it is the very same group of extortionists that stood behind Apocalypse and all of its subsequent spin-offs. By the way, Al-Namrood has received a few follow-ups as well. For instance, Al-Namrood 2.0 virus barely differentiates from the parent version but provides different contact information. While one one malware variant urges users to contact then via Jabber XMPP messaging service, other simply provides email addresses, including email@example.com, firstname.lastname@example.org, and email@example.com. With each virus version, the malware becomes more advanced and dangerous, while the older versions can receive updates, too. Nevertheless, a ransomware should not cause you to panic or make rash decisions. You should focus and remove Al-Namrood from the infected device with high precision and confidence. To ensure these two conditions are met, use professional antivirus software like ReimageIntego to help you along.
Al-Namrood does not go to great lengths when it comes to data encryption. Unlike most ransomware, it only concentrates on the main types of files that may be of value to the victim The virus typically encrypts files featuring the following extensions:
1cd, dbf, dt, cf, cfu, mxl, epf, kdbx, erf, vrp, grs, geo, st, pff, mft, efd, 3dm, 3ds, rib, ma, sldasm, sldprt, max, blend, lwo, lws, m3d, mb, obj, x, x3d, movie.byu, c4d, fbx, dgn, dwg, 4db, 4dl, 4mp, abs, accdb, accdc, accde, accdr, accdt, accdw, accft, adn, a3d, adp, aft, ahd, alf, ask, awdb, azz, bdb, bib, bnd, bok, btr, bak, backup, cdb, ckp dsk, dsn, dta, dtsx, dxl, eco, ecx, edb, emd, eql, fcd, fdb, fic, fid, fil, fm5, fmp, fmp12, fmpsl, fol, fp3, fp4, fp5, fp7, fpt, fpt, fzb, fzv, gdb, gwi, hdb, his, ib.
The files are encrypted using AES encryption algorithm which can quietly run in the background of the system and lock the predetermined files one-by-one. During the encryption, the virus may append file names with new extensions, just to indicate they have been taken hostage. The victims typically report their files featuring .namrood, .access_denied, .unavailable, .disappeared extensions. The hackers do not forget another ransomware-defining feature — the ransom note and drop it on the computer in the form of a plain text document labeled Read_Me.txt or Decrypt_me.txt. These documents contain all the information needed to decrypt the files if the victim chooses to play by the rules of extortionists. We do not recommend doing that though because the security experts have just come up with Al-Namrood decryption tool which should help the ransomware victims recover their lost files for free. Even if this software fails to decrypt your files, you should not relapse and collaborate with the criminals. Keep in mind that the extortionist may not send you the decryption key, after all, leaving you with an encrypted computer and laughing all the way to the bank.
Update December 2016: new Al-Namrood version emerges
Al-Namrood 2.0 is the follow-up version of the initial virus which uses the same AES-256 algorithm to encrypt files but takes a much harsher approach towards the data recovery. Now, extortionists demand a ridiculous 10 BTC payment in exchange for the data decryption key which is a sum that significantly exceeds the average typically demanded by other ransomware infections. For those who are desperate enough to actually buy their data out, the crooks leave a contact email address – firstname.lastname@example.org. Nevertheless, paying this amount of money for the data that can possibly be recovered for free is rather foolish, to say the least.
Update April 2017: Al-Namrood 2.0 update brings some new changes to the table
When the experts discovered Crypt32@mail.ru virus, few could imagine that this is a new version of Al-Namrood 2.0. Nevertheless, after some investigation, it turned out that this virus is based on the same code, even though it has taken a different shape and employs new distributions strategies. Perhaps the most salient aspect of the latest Al-Namrood version is that it adds long strings of information to each of the infected files. The string may look something like this: [original_filename].ID-[8 random characters+victim’s country code[Crypt32@mail.ru].[14 random characters]. In addition to this, the virus modifies the original filename, so the victim has no idea what files may be hiding under the veil of encryption.
Talking about the virus distribution, the experts have discovered that apart from using the typical RDP attacks and spam to get into the computers, Crypt32@mail.ru virus now uses Skype and hijacked ad networks to deliver malicious files to the users as directly as possible. Since the hackers may use familiar names to trick users into downloading the infectious links, we urge you to stay as careful as possible while you are browsing online.
Methods of ransomware distribution
In most aspects, Al-Namrood is a traditional ransomware which travels around the web using the techniques acknowledged among other ransomware developers. These typically include spam, malvertising, and RDP attacks. In the case of the latter, creating a strong password may help keep the virus away. As for the remaining cases, regularly updating software and keeping data backups may also be helpful.
Elaborating more about spam, we should point out that Al-Namrood and other ransomware creators may target victims using the data collected by affiliate browser hijackers and adware. Such attacks are more dangerous since they may involve personal information and be more convincing. Thus, it is absolutely crucial to remain focused when browsing through your email and to avoid emails received from unfamiliar senders.
Al-Namrood removal: how difficult is it?
While it is generally not difficult to remove Al-Namrood virus from the attacked computer, choosing a wrong method of the elimination may slow down the process or even push it to a disastrous direction. Having this in mind, we recommend sticking to the automatic virus elimination regardless of whether you are an experienced PC user or not. A completely virus-free system is an especially important factor when it comes to data recovery. Thus, to do everything properly, take care of the Al-Namrood removal first and bother about data recover later.
Getting rid of Al-Namrood virus. Follow these steps
In-depth guide for the Al-Namrood elimination
The elimination guide can appear too difficult if you are not tech-savvy. It requires some knowledge of computer processes since it includes system changes that need to be performed correctly. You need to take steps carefully and follow the guide avoiding any issues created due to improper setting changes. Automatic methods might suit you better if you find the guide too difficult.
Step 1. Launch Safe Mode with Networking
Safe Mode environment offers better results of manual virus removal
Windows 7 / Vista / XP
- Go to Start.
- Choose Shutdown, then Restart, and OK.
- When your computer boots, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) a few times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click the Start button and choose Settings.
- Scroll down to find Update & Security.
- On the left, pick Recovery.
- Scroll to find Advanced Startup section.
- Click Restart now.
- Choose Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Choose 5) Enable Safe Mode with Networking.
Step 2. End questionable processes
You can rely on Windows Task Manager that finds all the random processes in the background. When the intruder is triggering any processes, you can shut them down:
- Press Ctrl + Shift + Esc keys to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes.
- Look for anything suspicious.
- Right-click and select Open file location.
- Go back to the Process tab, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check the program in Startup
- Press Ctrl + Shift + Esc on your keyboard again.
- Go to the Startup tab.
- Right-click on the suspicious app and pick Disable.
Step 4. Find and eliminate virus files
Data related to the infection can be hidden in various places. Follow the steps and you can find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive (C: is your main drive by default and is likely to be the one that has malicious files in) you want to clean.
- Scroll through the Files to delete and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Eliminate Al-Namrood using System Restore
Step 1: Restart your computer in Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Go to Start → Shutdown → Restart → OK.
- As soon as your computer starts, start pressing F8 key repeatedly before the Windows logo shows up.
- Choose Command Prompt from the list
Windows 10 / Windows 8
- Click on the Power button at the Windows login screen, and then press and hold Shift key on your keyboard. Then click Restart.
- Then select Troubleshoot → Advanced options → Startup Settings and click Restart.
- Once your computer starts, select Enable Safe Mode with Command Prompt from the list of options in Startup Settings.
Step 2: Perform a system restore to recover files and settings
- When the Command Prompt window appears, type in cd restore and press Enter.
- Then type rstrui.exe and hit Enter..
- In a new window that shows up, click the Next button and choose a restore point that was created before the infiltration of Al-Namrood and then click on the Next button again.
- To start system restore, click Yes.
Bonus: Restore your filesUsing the tutorial provided above you should be able to eliminate Al-Namrood from the infected device. novirus.uk team has also prepared an in-depth data recovery guide which you will also find above.
There are a couple of methods you can apply to recover data encrypted by Al-Namrood:
How useful is Data Recovery Pro?
You may apply Data Recovery Pro for the recovery of some of the encrypted files. Feel free to use this tool as shown below:
- Download Data Recovery Pro;
- Install Data Recovery on your computer following the steps indicated in the software’s Setup;
- Run the program to scan your device for the data encrypted by Al-Namrood ransomware;
- Recover the data.
How do I apply Windows Previous Versions feature for the recovery of files encrypted by Al-Namrood?
This feature is inseperable from the System Restore which must be enabled when the virus is not yet infected with any virus. It helps resotring documents from their previously saved copies.
- Right-click on the encrypted document you want to recover;
- Click “Properties” and navigate to “Previous versions” tab;
- In the “Folder versions” section look for the available file copies. Choose the desired version and press “Restore”.
Can I use Shadow Explorer as an alternative for the data recovery?
Shadow Explorer may be a great data recovery alternative if it gets access to the Volume Shadow Copies of the encrypted files. In other words, it only works if the virus does not destroy them. You can test this software out following these guideslines:
- Download Shadow Explorer (http://shadowexplorer.com/);
- Install Shadow Explorer on your computer following the instructions in the software’s Setup Wizard;
- Run the program. Navigate to the menu on the top-left corner and select a disk containing your encrypted files. Look through the available folders;
- When you find the folder you want to recover, right-click it and select “Export”. Also, choose where the recovered data will be stored.
Download Al-Namrood decryptor
Malware researchers at Emsisoft have successfully cracked Al-Namrood virus released Al-Namrood decrypter — a software that helps ransomware victims to recover their files for free. You can find the Al-Namrood decryptor usage manual by clicking on the indicated link.
It is strongly recommended to take precautions and secure your computer from malware attacks. To protect your PC from Al-Namrood and other dangerous viruses, you should install and keep a powerful malware removal tool, for instance, ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes.
How to prevent from getting ransomware
A proper web browser and VPN tool can guarantee better safety
As online spying becomes an increasing problem, people are becoming more interested in how to protect their privacy. One way to increase your online security is to choose the most secure and private web browser. But if you want complete anonymity and security when surfing the web, you need Private Internet Access VPN service. This tool successfully reroutes traffic across different servers, so your IP address and location remain protected. It is also important that this tool is based on a strict no-log policy, so no data is collected and cannot be leaked or made available to first or third parties. If you want to feel safe on the internet, a combination of a secure web browser and a Private Internet Access VPN will help you.
Recover files damaged by a dangerous malware attack
Despite the fact that there are various circumstances that can cause data to be lost on a system, including accidental deletion, the most common reason people lose photos, documents, videos, and other important data is the infection of malware.
Some malicious programs can delete files and prevent the software from running smoothly. However, there is a greater threat from the dangerous viruses that can encrypt documents, system files, and images. Ransomware-type viruses focus on encrypting data and restricting users’ access to files, so you can permanently lose personal data when you download such a virus to your computer.
The ability to unlock encrypted files is very limited, but some programs have a data recovery feature. In some cases, the Data Recovery Pro program can help recover at least some of the data that has been locked by a virus or other cyber infection.