
Ransomware turned all my files into ".nobu"



The same with me. But I can still open some files. But most of my files and software cannot be run and it has that readme document that says I should email and make a payment. Also the file type became nobu file. If you have solved the problem please do update. I don't know what to do either ;-;


Hello @markson. To add some other remarks: look on your Desktop and/or your Documents folder or any other folder where there are encrypted files. You most likely will see a text-type file named _readme.txt

That would be a file containing a ransom note made by this ransomware. We here on the forum and also at Malwarebytes have no decryption tool, just so you are aware of that. It seems your machine was / is a victim of a very new variant of the STOP (djvu) ransomware.

See these articles

"Meet Stop Ransomware: The Most Active Ransomware Nobody Talks About"
https://www.bleepingcomputer.com/news/security/meet-stop-ransomware-the-most-active-ransomware-nobody-talks-about/

 

Also See https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/

 

If you have saved offline backups of the system from before this infection, that is the best means of recovering damaged user files.

Sincerely.


That app that they push will NOT decrypt or salvage your user files.  Plus they typically will want you to buy the app in order for it to actually do actual work.

While that 'tool' might find normal everyday type malware, it CANNOT fix the corrupted user files that you have on this machine.

No, do not fall for that opportunist hogwash.

Do you have a Backup of this system from before this infection?   Backup is your best friend.

I and the Malwarebytes team (likely) want to know if this pc has had Malwarebytes for Windows PREMIUM installed from before the infection.

I'd also be curious if you downloaded any sort of "free" tool or app before this infection happened?

What we here can do is to help you to see that there is no currently active malware infection. We can help you delete the "ransom notes".

We cannot do anything as far as the encrypted user files (and neither can that 'tool' that is mentioned on the page you cited).

Please know that ransomware infectors, like the STOP (djvu) and this very new nobu, do delete themselves after they do their dirty work.

They also delete all prior existing System Restore points as part of their dirty work.

Please do not fall for any more scams or hacks or free stuff  that you are not sure are legitimate.


I’m looking for a free software then I downloaded it. Then suddenly gdireview was downloaded instead of the real software (premiere pro 2020). I find it quite suspicious so I deleted it, but I thought I already deleted but not really. Then something popped up, my fault I didn’t read it properly. I clicked okay then my computer restarted then all my games, and files cannot be opened. It says “The archive might have been removed or damaged” Then when you look on the file/folder it has the text-type file. 

I had this pc for like a week ago, I’m not sure it was backed up. I’m thinking of not getting all my files back. Since it isn’t that important. Right now my concern is that how can I remove this ransomware 100%. And will it continue infecting new files? If so, how can I stop it?

 

(Sorry I’m not that knowledgeable enough in terms of these things)

I hope you’d help me clear my mind and get rid of these nobu files. Thank you


Hello. Tell me, has this computer been yours for like only a week or so? Did you get it brand new? Or is this a second-hand computer?

I would like to know that from you.   If you have nothing on this machine that is worth keeping, it is possible to get this machine totally freshly rebuilt with Windows 10.

As I tried to convey to you, most ransomwares do delete themselves so that the ransomware itself is gone. They just leave the ransom notes behind, along with the encrypted files (the files that you are seeing as ".nobu" extensions).

Please do all the steps outlined on this pinned topic at the top of this sub-forum and attach all the reports in a Reply to this thread here.

What I cannot do is recover or fix any of the ".nobu" files. Full stop.

What I can do is guide you to running some scans just to check things. What I can also do is point you to external resources so that you can wipe / erase the system if you want & to rebuild / install Windows 10 as a new install, if you wish.

The ".nobu" files you can copy all to an external device (like a large USB device) and stash them away for the future ... in case there is ever a decryptor for this ransomware.

Malwarebytes has NO decryptor for any ransomware.

Edited by Maurice Naggar
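
The copy-and-stash step suggested in the post above, as an added example that is not part of the original thread and is not a Malwarebytes tool: a PowerShell script that copies every ".nobu" file (and, as a choice of this example, each "_readme.txt" note) to an external device and writes a SHA-256 manifest. The `E:\nobu-stash` destination and the parameter names are assumptions.

```powershell
# Added example (not from the thread). Paths and parameter names are assumptions.
param(
    [string]$Source      = $env:USERPROFILE,   # assumed: folder tree to search
    [string]$Destination = 'E:\nobu-stash'     # assumed: folder on the external USB device
)

$sourceRoot = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# Encrypted ".nobu" files plus the "_readme.txt" ransom notes (hidden files included).
$files = Get-ChildItem -LiteralPath $sourceRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.nobu' -or $_.Name -eq '_readme.txt' }

$manifest = foreach ($file in $files) {
    # Keep the original folder layout under the destination.
    $relative = $file.FullName.Substring($sourceRoot.Length).TrimStart('\')
    $target   = Join-Path $Destination $relative
    $srcHash  = $null
    $verified = $false
    try {
        New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force -ErrorAction Stop | Out-Null
        Copy-Item -LiteralPath $file.FullName -Destination $target -Force -ErrorAction Stop
        # Hash both sides so a bad copy is caught now, not when a decryptor appears.
        $srcHash  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
        $dstHash  = (Get-FileHash -LiteralPath $target -Algorithm SHA256 -ErrorAction Stop).Hash
        $verified = ($srcHash -eq $dstHash)
    } catch {
        # Locked files or over-long paths are reported and recorded as unverified.
        Write-Warning "Could not copy $($file.FullName): $($_.Exception.Message)"
    }
    [pscustomobject]@{
        RelativePath = $relative
        Bytes        = $file.Length
        LastWriteUtc = $file.LastWriteTimeUtc.ToString('o')
        SHA256       = $srcHash
        CopyVerified = $verified
    }
}

$manifest | Export-Csv -Path (Join-Path $Destination 'manifest.csv') -NoTypeInformation -Encoding UTF8
$failed = @($manifest | Where-Object { -not $_.CopyVerified })
"{0} files processed, {1} not verified" -f @($manifest).Count, $failed.Count
```

Run it before any wipe or reinstall, and check that the "not verified" count is zero before erasing the originals.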

Added note: You mentioned "premiere pro 2020".

May I know just where you "got" it from? I am presuming it is not paid-for, and that it was not from the real "Adobe".

So-called hacks (tools to evade software license protection) are very often pushed and packaged with ransomware & other sorts of destructive malware.

That is why it is never ever a good idea to go to pirate sites.  Or even to go after "free stuff".

 
