
Remove NLAH Ransomware Virus (.NLAH File Virus Decryption Guide)

NLAH ransomware corrupts personal files, then asks for money

NLAH ransomware virus is the 230th variant of the STOP/DJVU ransomware family and has recently been hitting computers worldwide. Like its predecessors, it infiltrates the user’s computer system and encrypts all data, appending the .nlah extension to each file. The information is no longer accessible for personal use, and victims receive a _readme.txt ransom note in which the criminals name helpmanager@mail.ch and restoreadmin@firemail.cc as their contact addresses.

Just like other versions, including the OONN, NILE, KKLL, ZIPE, PEZI, COVM, MZLQ, and SQPC file-encrypting viruses, this ransomware spreads through peer-to-peer (P2P) websites or via fake offers to update Adobe Flash Player. Once inside, the virus drops multiple executable files that prevent the user from accessing the built-in Windows Defender software or security websites. Even worse, the malware installs a password stealer named AZORULT on the system.

People remain unaware of the NLAH ransomware attack until the very last minute, since it hides its presence by imitating a Windows update screen while encrypting data. All photos, videos, audio files, documents, and other information are corrupted and marked with the .nlah extension.

NLAH file virus is an extremely dangerous malware variant that can make all your files inaccessible.

Because the encrypted files are no longer accessible, victims are pressured to pay in order to receive a unique decryption key. The cybercriminals offer 50% off the original price if the victim agrees to transfer the money in Bitcoin within 72 hours. So, within that period the price is $490, and afterwards it increases to $980.

Note that the decryption key is a completely unique sequence of numbers, letters, and characters. Thus, it is theoretically the only way to restore the encrypted files. However, our professionals work hard so that you do not need to cooperate with the attackers.

We have received numerous reports that the developers of malicious programs are never satisfied with the amount of money transferred. Whenever people pay, the criminals keep asking for more and refuse to hand over the decryption key.

Therefore, we suggest that you remove NLAH ransomware and avoid further losses. The simplest way to complete the elimination is to install a robust antivirus and let it scan all system files. After it uninstalls the file-encrypting virus and its components, you can continue with restoring your files.

Decrypt .nlah files (Recovery options explained)

As we have already mentioned, the NLAH file virus decryption tool is theoretically the only way to regain access to your data. Alternatively, you can restore from the latest backup of your files stored in the cloud. Those who do not keep backups are welcome to read our STOP/DJVU decryption guide and try the alternative methods suggested by our experts.

To judge whether you can realistically expect to recover your files, first determine whether they were subject to offline encryption. Offline encryption is used when NLAH ransomware fails to connect to its command & control server and falls back to a built-in key instead.

  1. To determine whether you’re subject to offline encryption, go to C:/SystemID/PersonalID.txt.
  2. If the key stored here ends in t1, you have been affected by offline encryption. Please wait a few weeks or months until the decryptor tool gets updated.
Check whether your PersonalID.txt file contents end in t1.
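The following Python script is an added triage example, not code from GeeksAdvice, Emsisoft or the malware's authors. It walks a directory tree, inventories files carrying the .nlah extension and _readme.txt notes, pulls the contact addresses out of the notes, and applies the t1 rule above to the IDs in PersonalID.txt (which may hold more than one ID). Only the extension, the note name, the contact addresses, the prices and the t1 convention come from this page; the sample tree, the note text, the ID value and the helper names (triage_tree, build_sample_tree, demo) are constructed for the demonstration.

```python
"""Triage helper for a suspected STOP/DJVU (.nlah) infection.

Added example, not GeeksAdvice's or Emsisoft's code. Assumed (not from the page): the
scan root is supplied by the caller; the sample tree, note text and ID built below are
constructed for the demo.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXT = ".nlah"                               # extension this variant appends
RANSOM_NOTE = "_readme.txt"                           # ransom note file name
PERSONAL_ID_FILE = Path("C:/SystemID/PersonalID.txt") # ID file location named on the page
OFFLINE_SUFFIX = "t1"                                 # offline IDs end in t1

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


@dataclass
class Triage:
    encrypted_files: list[Path] = field(default_factory=list)
    ransom_notes: list[Path] = field(default_factory=list)
    contact_addresses: set[str] = field(default_factory=set)
    personal_ids: list[str] = field(default_factory=list)

    @property
    def offline_ids(self) -> list[str]:
        return [i for i in self.personal_ids if i.endswith(OFFLINE_SUFFIX)]

    @property
    def likely_offline(self) -> bool:
        """True if any stored ID ends in t1, i.e. the built-in key was used."""
        return bool(self.offline_ids)


def parse_personal_ids(text: str) -> list[str]:
    """PersonalID.txt can hold one ID or several, one per line; skip blanks/whitespace."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def extract_contacts(note_text: str) -> set[str]:
    """Collect e-mail addresses named in a ransom note (sentence-final dots dropped)."""
    return {m.rstrip(".") for m in EMAIL_RE.findall(note_text)}


def triage_tree(root: Path, personal_id_file: Path = PERSONAL_ID_FILE) -> Triage:
    """Walk root, classify files by name, then read the ID file if it exists."""
    result = Triage()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
            elif lowered == RANSOM_NOTE:
                result.ransom_notes.append(path)
                result.contact_addresses |= extract_contacts(path.read_text(errors="replace"))
    if personal_id_file.is_file():
        result.personal_ids = parse_personal_ids(personal_id_file.read_text(errors="replace"))
    return result


def report(t: Triage) -> str:
    verdict = ("offline encryption (wait for a decryptor update)" if t.likely_offline
               else "no offline ID found: assume online encryption, restore from backup")
    return (f"encrypted files: {len(t.encrypted_files)}\n"
            f"ransom notes: {len(t.ransom_notes)}\n"
            f"contacts: {', '.join(sorted(t.contact_addresses)) or '-'}\n"
            f"personal IDs: {', '.join(t.personal_ids) or '-'}\n"
            f"verdict: {verdict}")


# Constructed sample note: only the addresses, prices and 72-hour window come from the page.
SAMPLE_NOTE = (
    "ATTENTION! Your files are encrypted.\n"
    "Price: $980, or $490 if you contact us within 72 hours.\n"
    "Contact: helpmanager@mail.ch\n"
    "Reserve: restoreadmin@firemail.cc\n"
)


def build_sample_tree(base: Path) -> Path:
    """Constructed sample: two encrypted documents, one untouched file, a note, an ID file."""
    docs = base / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "thesis.docx.nlah").write_bytes(b"\x00" * 16)   # placeholder ciphertext bytes
    (docs / "budget.xlsx.nlah").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched")
    (docs / RANSOM_NOTE).write_text(SAMPLE_NOTE)
    # Constructed ID in the offline style (ends in t1); not a real victim ID.
    (base / "PersonalID.txt").write_text("0000SAMPLEOFFLINEIDCONSTRUCTEDXXt1\n")
    return base


def demo() -> Triage:
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(Path(tmp))
        return triage_tree(base, personal_id_file=base / "PersonalID.txt")


if __name__ == "__main__":
    print(report(demo()))
```

On a real machine you would call triage_tree on the user's profile directory with the default PersonalID.txt path; the demo builds its own throw-away tree so it runs anywhere. Matching on file names only keeps the scan read-only, which matters when the aim is to preserve the encrypted files until a decryptor update arrives.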

Summary of the threat

Name: NLAH ransomware
Type: File-encrypting virus
Extension: .nlah
Family: STOP/DJVU
Variant: 230th version
Ransom note: _readme.txt
Contact addresses: helpmanager@mail.ch and restoreadmin@firemail.cc
Ransom amount: $490-$980 depending on the time paid
Symptoms: Infiltrates the system and starts displaying a fake Windows Update screen; during that time all files are encrypted and the user is blocked from accessing the Windows Defender application or other security websites; after full encryption, the victim is asked to pay up to restore the corrupted data
Distribution: Deceptive Adobe Flash updates, files on peer-to-peer (P2P) networks, and other illegal downloads
Damage: People cannot use the data on their computer and may suffer further financial losses if they agree to pay the attackers
Removal: The only way to get rid of the virus is to get help from a professional malware removal application. To repair virus damage on the system, our recommendation is RESTORO.

The methodology of ransomware distribution

There are multiple methods by which cybercriminals get ransomware onto victims’ computers. However, all of those techniques have one thing in common: the criminals upload malware files disguised as legitimate software and trick people into downloading them themselves.

Usually, they place the ransomware executables on peer-to-peer (P2P) websites where people look for software cracks. The malicious components are named after legitimate applications, and many people are tricked into believing that they are getting paid software for free.

Various software cracks are known to carry STOP/DJVU variants, such as NLAH file-encrypting virus.

Unfortunately, they end up downloading everything the malware needs to encrypt data and demand a ransom. Therefore it is essential to stay away from questionable file-sharing sites and other illegal downloads. Research shows that this is one of the most popular ways ransomware reaches its victims.

Another widely used technique follows a similar pattern: criminals create pop-up ads claiming that you need to update your Adobe Flash Player. People who browse untrustworthy sites might be redirected to such a landing page.

The pop-up ad is designed to resemble a legitimate Adobe update. Thus, many people who are not highly experienced believe that it is an authorized call for an update. Sadly, it is merely a disguise to distribute ransomware and even other cyber threats.

If you want to protect your computer from file-encrypting viruses, you must stop visiting untrustworthy websites. Additionally, aim to download applications only from official pages or authorized distributors. Otherwise, you risk your computer’s security.

Finally, it is essential to keep professional antivirus software running on your PC. Choose only from the best ones offering real-time protection. This way the security application can scan websites, files, and other content for malicious code and protect you right away.

Safe way to remove NLAH file virus

Ransomware-type infections are currently among the most dangerous cyber threats a regular computer user can encounter. Safe NLAH removal requires strong technical skills as well as experience with computer security. Therefore, people without expertise in this field should use a robust malware removal application.

Security programs differ in their features, and some are not capable of removing such dangerous malware. Therefore, it is essential to choose software that is able to remove the NLAH virus from your computer.

This antivirus application can successfully identify all ransomware-related elements, put them into quarantine, and uninstall them from your computer system. Later, you have an option to fix virus damage that is left after the cyber attack. For this, we recommend running RESTORO.

Keep in mind that malware removal applications are usually not free. However, investing in your computer’s security is one of the best decisions in the long run, as you avoid almost all future attacks. Thus, do not hesitate and keep your system protected.

Finally, you should start the elimination procedure by booting your computer into Safe Mode. Otherwise, this ransomware can prevent access to security applications and block the removal process. Further instructions are provided below.

TIP. Do not forget to change all your passwords for accounts previously saved in your browser due to Azorult Trojan’s activity on the system.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-the-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, and Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.

Use INTEGO Antivirus to remove detected threats from your computer.

Read full review here.

STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Read full review here.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

NLAH ransomware virus Removal Guidelines

Method 1. Enter Safe Mode with Networking

Step 1. Start Windows in Safe Mode with Networking

Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot your PC in that mode, but you can find additional ones in the in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:

Instructions for Windows XP/Vista/7 users

  1. First of all, turn off your PC. Then press the Power button to start it again and immediately start pressing the F8 key on your keyboard repeatedly at 1-second intervals. This launches the Advanced Boot Options menu.
  2. Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.

Instructions for Windows 8/8.1/10 users

  1. Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
  2. This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
  3. In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.

Step 2. Remove files associated with the virus

Now, you can search for and remove NLAH ransomware virus files. It is very hard to identify the files and registry keys that belong to the ransomware, and malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall this type of computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO antivirus (removes malware and protects your PC in real time) and RESTORO (repairs virus damage to Windows OS files).

REMOVE MALWARE & REPAIR VIRUS DAMAGE

1 Step. Get robust antivirus to remove existing threats and enable real-time protection

INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.

2 Step. Repair Virus Damage on Windows Operating System Files

Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.

Step 1. Boot Windows in Safe Mode with Command Prompt

Instructions for Windows XP/Vista/7 users

  1. Shut down your PC. Start it again by pressing the Power button and immediately start pressing the F8 key on your keyboard repeatedly at 1-second intervals. You will see the Advanced Boot Options menu.
  2. Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.

Instructions for Windows 8/8.1/10 users

  1. Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
  2. This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
  3. In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press the F6 key.

Step 2. Start System Restore process

  1. Wait until the system loads and the command prompt shows up.
  2. Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%\system32\restore\rstrui.exe in the command prompt and hit Enter.
  3. This launches the System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before the ransomware infection.
  4. Click Yes to begin the system restoration process.

After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

System Mechanic Ultimate Defense is an all-in-one system maintenance suite with 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, a password manager, online privacy protection and secure driver wiping technology. Due to its wide range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

NLAH file decryption explained (File Recovery Guide)

We insist that you perform NLAH file virus removal before starting file decryption. You can try Emsisoft’s tool or use the data backup you created prior to the cyber attack. Please bear in mind that if you do not have a data backup, you can only expect the decryptor to work if your files were affected by offline DJVU encryption.

You can read more about the online/offline encryption scheme here, although the easiest way to identify offline encryption is to open the C:/SystemID/PersonalID.txt file on your computer. It stores the victim’s ID, or several of them, and one of them ends in t1 if you’re subject to offline encryption. In every other case, online encryption was used.

A quick guide on how to use the STOP Decryptor, which you can download here.

  1. Once you download the decryptor, run it and check whether you agree to its Terms and conditions.
  2. Now that you have agreed to the terms, add a folder to decrypt, as shown in the picture. Then hit Decrypt and be patient until the tool finishes its work. If your files can’t be decrypted, you will receive a message from the tool.

Screenshot of Emsisoft Decryptor for STOP/DJVU.

NOTE. The NLAH decryption tool might show certain responses informing about the chances of file recovery. One of the possible scenarios is when the decryptor shows the following message:

Result: No key for new variant offline ID: [ID]
This ID appears be an offline ID. Decryption may be possible in the future.

If you receive this message, it means that your files were affected by OFFLINE NLAH ransomware encryption, which means that your encryption/decryption key pair matches that of every other victim affected by offline encryption.

In other words, offline encryption is used when the virus fails to fetch a unique key pair per victim from its C&C server. Therefore, once one victim pays the ransom and shares the obtained key with Emsisoft’s researchers, the decryptor will be updated. In short, if you received this message, do not delete your files and stay patient. Check for updates here every week and see when the tool becomes capable of decrypting your files.

Decryption is impossible: an online key is used.

This message says that your files were affected by online encryption, which is sad news. It means that no one else has the same encryption/decryption key pair.

In other words, do not expect to recover files now. In fact, the only possible scenario is if the criminals get caught and their computers/servers seized; or if they disclose the decryption keys willingly. Needless to say, such scenarios are highly unlikely to turn into reality. Please use data backups to restore your files.
