Danger level 6
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Nuclear Ransomware

Nuclear Ransomware is a new threat that Windows users need to be cautious about, but it is not a new threat per se. According to our research team, it is just a new variant of the infamous BTCWare Ransomware that emerged earlier this year. The encryption key used by that malware was deciphered, and so victims were able to decrypt their files for free. Unfortunately, that is not the case with the new variant, and it is possible that this threat is stronger than its predecessor. Hopefully, a decryptor becomes available in the future, but whether or not it does, you need to remove Nuclear Ransomware. We are sure that you need no explanation as to why this threat must be deleted, but if you want to learn a little more about this piece of malware before you get rid of it, continue reading this report. If you find the information unclear, or if you have questions, use the comments section to contact our research team.

According to the latest information provided by our researchers, the malicious Nuclear Ransomware should spread via RDP hacks and spam emails. That is pretty much how all ransomware infections are spread. Of course, the threat is silent, and it keeps itself concealed until the encryption is complete. When the threat encrypts files, it attaches the “.[black.world@tuta.io].nuclear” extension to their original names. That is done for the sole purpose of helping you understand the magnitude of the malicious ransomware. When you go through your folders and realize that all of your personal files have this extension – which means that they are encrypted – you are more likely to pay attention to the demands. According to our research, these demands are represented via a file named “HELP.hta”. A RUN key is added to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN to ensure that the file is launched even if the infected computer is restarted. The same is not done with the main launcher, which means that if the PC is restarted, the malicious executable will not continue encrypting files. Needless to say, both the launcher and the HTA file must be deleted.

The message delivered using the HELP.hta file informs you that files were encrypted, and it is most likely that this is how you will first learn about the attack of Nuclear Ransomware. The message introduces you to the black.world@tuta.io email address and informs you that you must email cyber crooks via it to initiate the decryption of your files. The threat does not hide the fact that you are expected to pay a ransom in return for a decryption tool, but a specific sum is not revealed. You would be introduced to this information only if you emailed the creator of Nuclear Ransomware. The ransom message also informs you that renaming files or decrypting them using third-party tools can lead to permanent loss. That is likely to be just a scare tactic to make you follow the instructions. Unfortunately, the ransomware deletes shadow volume copies, and so recovering files manually might be impossible. What about the decryption tool that is promised in return for a ransom? At this moment, this tool cannot be retrieved in any way. In fact, you are unlikely to get it even if you pay the ransom.

If you cannot risk losing money for no good reason, paying the ransom requested by the developer of Nuclear Ransomware is a bad idea. Of course, if your personal files are not backed up, and you cannot find a free file decryptor, paying the ransom might be the only option. Whatever happens, you must remove the ransomware as soon as possible. If you are thinking about manual removal, you must be able to find the launcher file. If you cannot do that, it is unlikely that you will be able to delete Nuclear Ransomware all by yourself. If you know exactly where this file is, go ahead and follow the instructions below. Of course, you still need to think about virtual protection, and we advise that you employ reliable security software afterward to help you defend your operating system against malicious threats. You can install this software right away to have the ransomware eliminated automatically as well. Hopefully, you now know what to do, and your operating system will be cleared in no time.

Nuclear Ransomware Removal

  1. Identify the {random name}.exe file that is the launcher of the ransomware.
  2. Right-click and Delete the file.
  3. Launch RUN by tapping Win+R and then enter regedit.exe.
  4. Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN.
  5. Delete the value named DECRYPTINFO.
  6. Launch Explorer by tapping Win+E keys.
  7. Enter %APPDATA% into the bar at the top.
  8. Right-click and Delete the file named HELP.hta.
  9. Empty Recycle Bin and then do not forget to perform a full system scan.
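
Steps 3 to 8 can also be checked from PowerShell. The script below is an added example, not a tool from this site: it reports the DECRYPTINFO Run value, the HELP.hta note and the number of files carrying the ransomware's extension, and deletes the first two only when run with its own `-Remove` switch. Scanning only the user profile is an assumption, and the {random name}.exe launcher still has to be located by hand.

```powershell
# Added example: checks for the Nuclear Ransomware artifacts named on this page.
# Report-only by default; pass -Remove (this script's own switch) to delete them.
param([switch]$Remove)

$runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'DECRYPTINFO'
$notePath = Join-Path $env:APPDATA 'HELP.hta'
$suffix   = '.[black.world@tuta.io].nuclear'
$scanRoot = $env:USERPROFILE   # assumption: only the user profile is scanned

# 1. Autorun value that reopens the ransom note at every logon.
$entry = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($entry) {
    Write-Output "Run value '$runValue' present, data: $($entry.$runValue)"
    if ($Remove) {
        Remove-ItemProperty -Path $runKey -Name $runValue
        Write-Output "Run value '$runValue' deleted"
    }
} else {
    Write-Output "Run value '$runValue' not present"
}

# 2. Ransom note in %APPDATA%; record its hash before deleting it.
if (Test-Path -LiteralPath $notePath -PathType Leaf) {
    $hash = (Get-FileHash -LiteralPath $notePath -Algorithm SHA256).Hash
    Write-Output "Ransom note found: $notePath (SHA256 $hash)"
    if ($Remove) {
        Remove-Item -LiteralPath $notePath -Force
        Write-Output "Ransom note deleted"
    }
} else {
    Write-Output "Ransom note not found at $notePath"
}

# 3. Encrypted files are counted only and never deleted, so they remain
#    available if a decryptor is released later.
$hits = @(Get-ChildItem -LiteralPath $scanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase) })
Write-Output "Files with the '$suffix' extension under ${scanRoot}: $($hits.Count)"

# Show the ten folders holding the most encrypted files.
$hits | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

Run it once without `-Remove` and confirm that the Run value's data points at HELP.hta before deleting anything.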