Nuclear Ransomware

What is Nuclear Ransomware?

It is unlikely that you will notice when your files are being encrypted by Nuclear Ransomware, but once the attack is complete, you will not be able to miss this infection. First of all, a window representing a demand for a ransom will be displayed. Second, your files will become unreadable. It is currently unknown which encryption algorithm this malicious ransomware uses, but when the encryption happens, the monstrous “.[black.world@tuta.io].nuclear” extension is appended to their names, and so it is impossible to miss them. Unfortunately, this ransomware is likely to go after files that are considered personal, such as documents, media files, and, of course, photos. If you had set up a system restore point to protect data, that might not be enough to save files because Shadow Volume Copies are deleted when the ransomware attacks. Unfortunately, we cannot guarantee that you will be able to recover your files at all. Anti-Spyware-101.com research team recommends reading this removal guide because it not only shows how to delete Nuclear Ransomware but also helps you understand how the threat works.

How does Nuclear Ransomware work?

Did you know that Nuclear Ransomware is a new version of a different infection, BTCWare Ransomware? This infection was the updated version of Crptxxx Ransomware. BTCWare Ransomware demanded a ransom of 0.5 Bitcoins (right now, this is around 2400 USD) in return of a decryptor. The infection did not last long because a free file decryptor was discovered by malware researchers. That, without a doubt, is the main reason why Nuclear Ransomware was created. Of course, the decryptor that worked with the older version is unlikely to assist with this new one, and it is unknown if a new decryptor will be created at all. Of course, if your files were encrypted, and there is nothing you can do to recover them yourself, you should look for a legitimate file decryptor. Unfortunately, at this time, the only decryptor that can help you is in the hands of cyber criminals, and they want you to email black.world@tuta.io. If you do that, you should be sent an email providing you with more specific information, including how big the ransom is and how you need to transfer it. If you do not email cyber criminals – which is what we recommend – all you have is the information introduced to you via HELP.hta.

HELP.hta is a file that Nuclear Ransomware uses to introduce you to certain information. When the file is launched, a window is opened. The message within the window informs that your files were encrypted and that you need to send an email to the provided address. It then informs that you can send three files to have decrypted for free, which, allegedly, proves that all files will be decrypted at the end. That is not necessarily the truth. The ransom message also informs how to purchase Bitcoins, and it warns against renaming files or trying to decrypt them yourself. You should not be afraid to rename files (that will not help though) or try to recover your files, but the problem is that you do not have that many options. If a free file decryptor does not exist, you can recover files only if they are backed up.

How to delete Nuclear Ransomware

It is most likely that Nuclear Ransomware entered your operating system without your notice after exploiting vulnerable RDP backdoors or using corrupted spam email attachments, but if one threat has managed to slither in unnoticed, you have to consider the possibility that other threats have invaded your PC as well. You can use a malware scanner to help you identify them, which is very important if you choose to remove Nuclear Ransomware and other active infections manually. We recommend installing an anti-malware tool because it can do three important things: scan your operating system, remove malicious threats, and reinforce all-rounded protection. While you might be able to identify and erase malware yourself, protecting the operating system against clandestine threats created by smart cyber criminals can be extremely difficult. Your best chance at keeping the PC malware-free in the future is to install reputable anti-malware software right away.

Removal Instructions

1. Right-click the malicious .exe file (the name of this file and its location are random).
2. Delete the file (make sure you are removing the malicious installer and not some harmless file).
3. Simultaneously tap Win+R keys on the keyboard to launch RUN.
4. Type regedit.exe and then click OK to launch Registry Editor.
5. In the pane on the left navigate to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN.
6. Right-click the value named DECRYPTINFO and then select Delete (first, check if the value data points to the file in %AppData%\Roaming\HELP.hta).
7. Simultaneously tap Win+E keys on the keyboard to launch Windows Explorer.
8. Enter %APPDATA% into the bar at the top and then Delete the file named HELP.hta.
9. Perform a full system scan to check for leftovers as soon as you Empty Recycle Bin. Download Removal Tool100% FREE spyware scan and
   tested removal of Nuclear Ransomware*