Nuksus Ransomware Removal Guide

If you let Nuksus Ransomware in, it will encrypt your personal files. This infection can corrupt photos, documents, and all other personal files that you might have no way of replacing. Of course, if you are cautious, and if you know about file-corrupting malware, you might have created backups outside the computer. In this case, you can quickly delete the corrupted files and then place backups back into their place. Unfortunately, if backups do not exist, you might be unable to restore them manually. You might find a third-party decryptor that works, but we would not make bets on that. Of course, even if you cannot restore your personal files, we do not recommend following the instructions presented by the attackers because they are only interested in their own gain, and they could not care less about you. You can learn more about this, as well as the removal of Nuksus Ransomware if you continue reading this report.

Our malware research team has analyzed Nuksus Ransomware in our internal lab, and it appears that it comes from the STOP Ransomware family. Although you might be unfamiliar with this family of malware, our researchers are very familiar with it. In fact, Dutan Ransomware, Zatrov Ransomware, and a bunch of other infections that we have reported in the past belong to it. These infections are virtually identical, and the only element that changes (not in all cases) is the email address that allows the victim to contact the attackers. Unfortunately, Nuksus Ransomware did not create a ransom note at the time of research, and so we cannot know which email address is linked to the attackers at this point. This suggests that the infection is incomplete, and, most likely, it is not spreading across the web yet. When it spreads, it is likely to exploit unreliable downloaders and websites, RDP vulnerabilities, and misleading spam emails to enter the system. Unfortunately, once the threat is inside, you are unlikely to delete it before encryption starts.

When Nuksus Ransomware encrypts files and adds the “.nuksus” extension to their names, you will not be able to read them normally. This is done so that you are more willing to follow the demands introduced to you by the attackers. Most infections from the STOP Ransomware family use a text file to introduce them, but, as you already know, that did not happen with Nuksus Ransomware during the analysis. That being said, we have a pretty good idea of what the attackers want from you. Most likely, they want you to send them a message and then pay a ransom of $490. In return for the ransom, you should get a decryption tool that, allegedly, should restore all corrupted files. Can you trust this promise? We would not trust it because, after all, you are dealing with cybercriminals, and they are ready to say and do whatever it takes just to reach their goal. When it comes to ransomware, there is only one goal – money.

Although Nuksus Ransomware did not create any additional files in our internal lab, it should add a registry value, create a task, and drop a malicious .exe file to the %LOCALAPPDATA% directory. Because we expect these components to be associated with the infection, we have created a guide that shows how to remove them. Hopefully, we’ve got all bases covered. Of course, you do not need to delete Nuksus Ransomware manually if you are not ready for it. Installing reliable anti-malware software might be the better option for you. Obviously, you want to make sure that the tool you install is legitimate and powerful. Besides automatically removing Nuksus Ransomware and other malicious threats, it also should be capable of securing your operating system. Remember that if you do not secure it, it could be attacked by new ransomware threats in the future. Another important step you should take is creating backups because if backups of your files exist, no one will be able to terrorize you using your personal files again.

How to delete Nuksus Ransomware

1. Locate the launcher of the infection, right-click it, and choose Delete (name/location unknown).
2. Tap Win+E keys to access Windows Explorer.
3. Type %WINDIR%\System32\Tasks\ into the field at the top and tap Enter.
4. If a task named Time Trigger Task can be found, right-click it, and choose Delete.
5. Type %LOCALAPPDATA% (on Windows XP: %USERPROFILE%\Local Settings\Application Data\) into the field at the top and tap Enter.
6. If a ransomware-related folder with malicious .exe file exists, right-click it, and choose Delete.
7. Tap Win+R keys to access Run and then enter regedit to access Registry Editor.
8. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
9. Right-click and Delete the value named SysHelper.
10. Close all utilities and windows and then Empty Recycle Bin.
11. Install a reliable malware scanner and run a full system scan to check for malware leftovers.