Al-Namrood virus. How to delete? (Removal tutorial)

removal by Julie Splinters - - | Type: Ransomware
12

Al-Namrood ransomware: a constantly developing threat

Al-Namrood virus, a ransomware who shares its name with Saudi Arabian black metal band, will sure cause a headache for those who aren’t accustomed to dealing with such infections on a daily basis. Naming their malware based on cultural subjects has always been a tendency among the ransomware creators. You can easily find software labeled Batman_good@aol.com, NoobCrypt, or Jigsaw ransomware which may also signal the origins of its creators. While at the moment of writing there is no evidence that would link Al-Namrood to the Middle Easterns hackers, the experts are almost certain that it is the very same group of extortionists that stood behind Apocalypse and all of its subsequent spin-offs. By the way, Al-Namrood has received a few follow-ups as well. For instance, Al-Namrood 2.0 virus barely differentiates from the parent version but provides different contact information. While one one malware variant urges users to contact then via Jabber XMPP messaging service, other simply provides email addresses, including decryptioncompany@inbox.ru, fabianwosar@inbox.ru, and decryptgroup@india.com. With each virus version, the malware becomes more advanced and dangerous, while the older versions can receive updates, too. Nevertheless, a ransomware should not cause you to panic or make rash decisions. You should focus and remove Al-Namrood from the infected device with high precision and confidence. To ensure these two conditions are met, use professional antivirus software like Reimage to help you along.

Al-Namrood does not go to great lengths when it comes to data encryption. Unlike most ransomware, it only concentrates on the main types of files that may be of value to the victim The virus typically encrypts files featuring the following extensions:

1cd, dbf, dt, cf, cfu, mxl, epf, kdbx, erf, vrp, grs, geo, st, pff, mft, efd, 3dm, 3ds, rib, ma, sldasm, sldprt, max, blend, lwo, lws, m3d, mb, obj, x, x3d, movie.byu, c4d, fbx, dgn, dwg, 4db, 4dl, 4mp, abs, accdb, accdc, accde, accdr, accdt, accdw, accft, adn, a3d, adp, aft, ahd, alf, ask, awdb, azz, bdb, bib, bnd, bok, btr, bak, backup, cdb, ckp dsk, dsn, dta, dtsx, dxl, eco, ecx, edb, emd, eql, fcd, fdb, fic, fid, fil, fm5, fmp, fmp12, fmpsl, fol, fp3, fp4, fp5, fp7, fpt, fpt, fzb, fzv, gdb, gwi, hdb, his, ib.

The files are encrypted using AES encryption algorithm which can quietly run in the background of the system and lock the predetermined files one-by-one. During the encryption, the virus may append file names with new extensions, just to indicate they have been taken hostage. The victims typically report their files featuring .namrood, .access_denied, .unavailable, .disappeared extensions. The hackers do not forget another ransomware-defining feature — the ransom note and drop it on the computer in the form of a plain text document labeled Read_Me.txt or Decrypt_me.txt. These documents contain all the information needed to decrypt the files if the victim chooses to play by the rules of extortionists. We do not recommend doing that though because the security experts have just come up with Al-Namrood decryption tool which should help the ransomware victims recover their lost files for free. Even if this software fails to decrypt your files, you should not relapse and collaborate with the criminals. Keep in mind that the extortionist may not send you the decryption key, after all, leaving you with an encrypted computer and laughing all the way to the bank.

Update December 2016: new Al-Namrood version emerges

Al-Namrood 2.0 is the follow-up version of the initial virus which uses the same AES-256 algorithm to encrypt files but takes a much harsher approach towards the data recovery. Now, extortionists demand a ridiculous 10 BTC payment in exchange for the data decryption key which is a sum that significantly exceeds the average typically demanded by other ransomware infections. For those who are desperate enough to actually buy their data out, the crooks leave a contact email address – decryptgroup@xmpp.jp. Nevertheless, paying this amount of money for the data that can possibly be recovered for free is rather foolish, to say the least.

Update April 2017: Al-Namrood 2.0 update brings some new changes to the table

When the experts discovered Crypt32@mail.ru virus, few could imagine that this is a new version of Al-Namrood 2.0. Nevertheless, after some investigation, it turned out that this virus is based on the same code, even though it has taken a different shape and employs new distributions strategies. Perhaps the most salient aspect of the latest Al-Namrood version is that it adds long strings of information to each of the infected files. The string may look something like this: [original_filename].ID-[8 random characters+victim’s country code[Crypt32@mail.ru].[14 random characters]. In addition to this, the virus modifies the original filename, so the victim has no idea what files may be hiding under the veil of encryption.

Talking about the virus distribution, the experts have discovered that apart from using the typical RDP attacks and spam to get into the computers, Crypt32@mail.ru virus now uses Skype and hijacked ad networks to deliver malicious files to the users as directly as possible. Since the hackers may use familiar names to trick users into downloading the infectious links, we urge you to stay as careful as possible while you are browsing online.

Methods of ransomware distribution

In most aspects, Al-Namrood is a traditional ransomware which travels around the web using the techniques acknowledged among other ransomware developers. These typically include spam, malvertising, and RDP attacks. In the case of the latter, creating a strong password may help keep the virus away. As for the remaining cases, regularly updating software and keeping data backups may also be helpful.
Elaborating more about spam, we should point out that Al-Namrood and other ransomware creators may target victims using the data collected by affiliate browser hijackers and adware. Such attacks are more dangerous since they may involve personal information and be more convincing. Thus, it is absolutely crucial to remain focused when browsing through your email and to avoid emails received from unfamiliar senders.

Al-Namrood removal: how difficult is it?

While it is generally not difficult to remove Al-Namrood virus from the attacked computer, choosing a wrong method of the elimination may slow down the process or even push it to a disastrous direction. Having this in mind, we recommend sticking to the automatic virus elimination regardless of whether you are an experienced PC user or not. A completely virus-free system is an especially important factor when it comes to data recovery. Thus, to do everything properly, take care of the Al-Namrood removal first and bother about data recover later.

We might promote some affiliate products. An entire disclosure is provided in our Terms and Conditions. By Downloading any recommended Anti-spyware software to uninstall Al-Namrood virus you accept our privacy policy and terms and conditions.
try it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Computer security experts recommend using Reimage to uninstall Al-Namrood virus. Reimage scans the entire computer system and checks whether it is infected with spyware/malware or not. If you want to remove computer threats and secure your computer system, you should consider buying the licensed version of Reimage.

You can find more details about this program in Reimage review.

You can find more details about this program in Reimage review.
Press mentions on Reimage
Press mentions on Reimage

Manual Al-Namrood Virus Removal Instructions:

Eliminate Al-Namrood using Safe Mode with Networking

You can detect malware using Reimage.
You need to purchase a licensed version of it to remove threats.
More details about Reimage.

  • Step 1: Restart your computer in Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Go to Start Shutdown Restart OK.
    2. As soon as your computer starts, start pressing F8 key repeatedly before the Windows logo shows up.
    3. Choose Safe Mode with Networking from the list Choose 'Safe Mode with Networking' option

    Windows 10 / Windows 8
    1. Click on the Power button at the Windows login screen, and then press and hold Shift key on your keyboard. Then click Restart.
    2. Then select Troubleshoot Advanced options Startup Settings and click Restart.
    3. Once your computer starts, select Enable Safe Mode with Networking from the list of options in Startup Settings. Choose 'Enable Safe Mode with Networking' option
  • Step 2: Remove Al-Namrood

    Sign in to your account and launch any Internet browser. Download a legitimate anti-malware software, for instance, Reimage. Make sure you update it to the latest version and then run a full system scan with it to detect and eliminate all malicious components of the ransomware to remove Al-Namrood completely.

If your ransomware does not allow you to access Safe Mode with Networking, please follow the instructions provided below.

Eliminate Al-Namrood using System Restore

You can detect malware using Reimage.
You need to purchase a licensed version of it to remove threats.
More details about Reimage.

  • Step 1: Restart your computer in Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Go to Start Shutdown Restart OK.
    2. As soon as your computer starts, start pressing F8 key repeatedly before the Windows logo shows up.
    3. Choose Command Prompt from the list Choose 'Safe Mode with Command Prompt' option

    Windows 10 / Windows 8
    1. Click on the Power button at the Windows login screen, and then press and hold Shift key on your keyboard. Then click Restart.
    2. Then select Troubleshoot Advanced options Startup Settings and click Restart.
    3. Once your computer starts, select Enable Safe Mode with Command Prompt from the list of options in Startup Settings. Choose 'Enable Safe Mode with Command Prompt' option
  • Step 2: Perform a system restore to recover files and settings
    1. When the Command Prompt window appears, type in cd restore and press Enter. Type 'cd restore' without quotes and hit 'Enter'
    2. Then type rstrui.exe and hit Enter.. Type 'rstrui.exe' without quotes and hit 'Enter'
    3. In a new window that shows up, click the Next button and choose a restore point that was created before the infiltration of Al-Namrood and then click on the Next button again. When 'System Restore' wizard comes up, click 'Next'. Choose a preferable restore point and click 'Next'
    4. To start system restore, click Yes. Hit 'Yes' and start system restore
    After restoring the computer system to an antecedent date, install and check your computer with Reimage to uncover any remains of Al-Namrood.

Bonus: Restore your files

Using the tutorial provided above you should be able to eliminate Al-Namrood from the infected device. novirus.uk team has also prepared an in-depth data recovery guide which you will also find above.

There are a couple of methods you can apply to recover data encrypted by Al-Namrood:

How useful is Data Recovery Pro?

You may apply Data Recovery Pro for the recovery of some of the encrypted files. Feel free to use this tool as shown below:

  • Download Data Recovery Pro (https://novirus.uk/download/data-recovery-pro-setup.exe);
  • Install Data Recovery on your computer following the steps indicated in the software’s Setup;
  • Run the program to scan your device for the data encrypted by Al-Namrood ransomware;
  • Recover the data.

How do I apply Windows Previous Versions feature for the recovery of files encrypted by Al-Namrood?

This feature is inseperable from the System Restore which must be enabled when the virus is not yet infected with any virus. It helps resotring documents from their previously saved copies.

  • Right-click on the encrypted document you want to recover;
  • Click “Properties” and navigate to “Previous versions” tab;
  • In the “Folder versions” section look for the available file copies. Choose the desired version and press “Restore”.

Can I use Shadow Explorer as an alternative for the data recovery?

Shadow Explorer may be a great data recovery alternative if it gets access to the Volume Shadow Copies of the encrypted files. In other words, it only works if the virus does not destroy them. You can test this software out following these guideslines:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Install Shadow Explorer on your computer following the instructions in the software’s Setup Wizard;
  • Run the program. Navigate to the menu on the top-left corner and select a disk containing your encrypted files. Look through the available folders;
  • When you find the folder you want to recover, right-click it and select “Export”. Also, choose where the recovered data will be stored.

Download Al-Namrood decryptor

Malware researchers at Emsisoft have successfully cracked Al-Namrood virus released  Al-Namrood decrypter — a software that helps ransomware victims to recover their files for free. You can find the Al-Namrood decryptor usage manual by clicking on the indicated link.

It is strongly recommended to take precautions and secure your computer from malware attacks. To protect your PC from Al-Namrood and other dangerous viruses, you should install and keep a powerful malware removal tool, for instance, Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Julie Splinters
Julie Splinters

If you found this free removal tutorial helpful, please consider making a donation to support us. Even the smallest amount will be appreciated and will help to keep this service alive.

More information about the author

Source: http://www.2-spyware.com/remove-al-namrood-ransomware-virus.html

Uninstall guides in different languages