
Nobu Ransomware: New DJVU Variant Wreaks Havoc

Security researchers have detected a new file-locking ransomware called Nobu encrypting user data and holding it for ransom. Reportedly, Nobu ransomware is not an entirely new threat, but a variant of a well-known ransomware family called DJVU. The latest threat appears to follow the same encryption and substitution routines as DJVU itself.

Nobu ransomware is mainly spread via mass-distribution techniques, such as corrupted links, unofficial software activation tools, and torrent platforms. In rarer cases, trojans may drop the ransomware as second-stage malware.

However, as researchers point out, the most common cause of ransomware infection is none other than the classic phishing technique. Whether it is via email, social media, or instant message, criminals use various methods to target a broad spectrum of potential victims.

How Does Nobu Operate

Upon infecting a device, Nobu will launch a scan that detects user-generated files such as pictures, databases, presentations, spreadsheets, archives, and more. The ransomware will then apply asymmetric and symmetric cryptographic algorithms to "lock" the detected files and prevent the user from accessing them.

Nobu avoids encrypting system files: it needs the host device to remain operational, so it will not meddle with files that are essential for normal OS operation. The threat will also skip files named "_readme.txt," which contain a ransom-demanding message.

Nobu makes it easy for victims to figure out that their files have been encrypted. Unlike other ransomware threats, which rename the successfully encrypted files by following complex patterns, Nobu will keep the original file name and extension, but will also add the ".nobu" extension to them. For example, a file named "offer.pdf" will be renamed to "offer.pdf.nobu."
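The two artifacts described above (the appended ".nobu" extension and the "_readme.txt" note) are enough for a read-only triage pass over a volume or a backup copy. The sketch below is an added example, not code from the article or the researchers; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_SUFFIX = ".nobu"      # extension appended to encrypted files (from the article)
NOTE_NAME = "_readme.txt"    # ransom note file name (from the article)
# Phrases from the ransom note quoted in the article, used to tell a real note
# from an unrelated file that happens to share the name.
NOTE_MARKERS = ("decrypt tool", "your personal id")

def looks_like_note(path):
    """True if the file's first 4 KiB contains every marker phrase."""
    try:
        text = path.read_text(errors="ignore")[:4096].lower()
    except OSError:
        return False
    return all(marker in text for marker in NOTE_MARKERS)

def triage(root):
    """Walk root (read-only) and collect locked files, notes and affected file types."""
    locked, notes, types = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(LOCKED_SUFFIX) and len(name) > len(LOCKED_SUFFIX):
                original = name[:-len(LOCKED_SUFFIX)]   # "offer.pdf.nobu" -> "offer.pdf"
                locked.append((path, original))
                types[Path(original).suffix.lower() or "(none)"] += 1
            elif name.lower() == NOTE_NAME and looks_like_note(path):
                notes.append(path)
    return {"locked": locked, "notes": notes, "types": types}

def demo():
    """Run triage over a constructed sample tree (placeholder bytes, no real samples)."""
    with tempfile.TemporaryDirectory() as tmp:
        docs, other = Path(tmp, "docs"), Path(tmp, "other")
        docs.mkdir()
        other.mkdir()
        (docs / "offer.pdf.nobu").write_bytes(b"\x00" * 16)
        (docs / "budget.xlsx.nobu").write_bytes(b"\x00" * 16)
        (docs / "notes.txt").write_text("untouched file")
        (docs / NOTE_NAME).write_text("purchase decrypt tool\nYour personal ID:---\n")
        (other / NOTE_NAME).write_text("project readme, unrelated")
        r = triage(tmp)
        return len(r["locked"]), len(r["notes"]), dict(r["types"]), sorted(o for _, o in r["locked"])

if __name__ == "__main__":
    print(demo())
```

A result with no hits only means no renamed files or notes were found under that path; it does not show that the ransomware itself has been removed from the machine.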

Ransom Demands

Upon completing the encryption process, Nobu will create its ransom note in the form of a text file called "_readme.txt."

Ransom Note Text:

ATTENTION!

Don't worry, you can return all your files!

All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.

The only method of recovering files is to purchase decrypt tool and unique key for you.

This software will decrypt all your encrypted files.

What guarantees you have?

You can send one of your encrypted file from your PC and we decrypt it for free.

But we can decrypt only 1 file for free. File must not contain valuable information.

You can get and look video overview decrypt tool:

hxxps://we.tl/t-j3hj0RjttJ

Price of private key and decrypt software is $980.

Discount 50% available if you contact us first 72 hours, that's price for you is $490.

Please note that you'll never restore your data without payment.

Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

 

To get this software you need write on our e-mail:

helpmanager@mail.ch

Reserve e-mail address to contact us:

restoremanager@airmail.cc

Your personal ID:---

Nobu's note is a straightforward message, which informs the victim of their dire situation and lists the hackers' demands.

The attackers offer a decryption key to unlock the user’s files for $980. However, a 50% discount is available to victims who start the payment procedure within 72 hours of the encryption.

Victims are instructed to contact either the helpmanager@mail.ch or restoremanager@airmail.cc email address. Attackers usually respond to these messages with additional details, further negotiating the ransom price, and guiding the victim through the payment procedure.

File Decryption

Although victims are promised free decryption of one file as proof that the attacker's software works, practice shows that victims rarely receive working decryption tools.

Ransomware operators are very likely to ignore their victims once the ransom payment is made. There are cases of victims who paid hefty ransoms, just to be blackmailed for more.

Cybersecurity experts advise against paying the ransom no matter what. Victims are warned that by paying, they finance crime and encourage criminals to expand their illegal business.

Victims can use backups saved on external or cloud storage to recover their files. Of course, Nobu ransomware must be removed before any external device is connected to the infected machine. Otherwise, the threat could spread its corruption to the backup device and encrypt the files stored on it.

Reactionary Times News Desk
