
Files encrypted with .nujdlwi extension, new ransom?

  • This topic is locked
4 replies to this topic

#1 test0r


  • Members
  • 56 posts
  • Gender:Female
  • Local time:07:37 AM

Posted 06 June 2016 - 09:07 AM



I'm new to the forum, as is the ransomware infection that I got today (from an email attachment).


My files are encrypted with a ".nujdlwi" file extension, and all the files have the same extension.


Ransomware-ID is not able to recognize the ransomware, so here is a sample encrypted file: http://www.filedropper.com/praticdomenicoxls


The strange thing is that there are NO instructions/recovery file/html/webpage/popup/autostart stuff.



Thank you guys


P.S. Tried all the public decryptors of course, but none is working :(



#2 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,580 posts
  • Gender:Male
  • Location:USA
  • Local time:01:37 AM

Posted 06 June 2016 - 09:21 AM

There should definitely be a ransom note somewhere in any directory that was encrypted, or the desktop.


I would suspect CTB-Locker. It uses a completely random 7-character extension for each victim. I cannot add a rule for this currently as it would generate too many false-positives unfortunately, so ID Ransomware relies on the uploaded ransom note. You most likely have a file called something like "!Decrypt-All-Files-nujdlwi.html".


You can view the support topic here to see if your symptoms match: http://www.bleepingcomputer.com/forums/t/542564/ctb-locker-ransomware-support-and-help-topic-decryptallfilestxt/

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

#3 test0r

  • Topic Starter

  • Members
  • 56 posts
  • Gender:Female
  • Local time:07:37 AM

Posted 06 June 2016 - 09:39 AM

It looks like CTB-Locker, but there are NO decrypting instructions in any form, neither on the desktop nor in c:\ or any other folder.


I'm trying to investigate the Windows registry/Windows event loggers to find any clue.


Maybe it is a misconfigured version of the CTB?

#4 cybercynic


  • Members
  • 560 posts
  • Gender:Male
  • Location:Edge Of Tomorrow
  • Local time:03:37 AM

Posted 06 June 2016 - 12:59 PM

Has your AV quarantined some files, perhaps?

We are drowning in information - and starving for wisdom.

#5 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,948 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:37 AM

Posted 06 June 2016 - 08:09 PM

CTB-Locker will leave files (ransom notes) with names like DecryptAllFiles.txt and DecryptAllFiles_<user name>.txt that contain ransom instructions, but the newer variants do not always leave a ransom note if the malware fails to change the background like it typically does. An AllFilesAreLocked_<user name>.bmp image file, which contains further instructions on how to pay the ransom, may be left in the My Documents folder.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion noted by Demonslay335. To avoid unnecessary confusion, this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

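The triage discussed in this thread, as an added example that is not code from any poster or from ID Ransomware: it walks a folder tree, reports whether one 7-letter extension dominates, and lists any ransom notes matching the names quoted above. The function names, the lowercase-letters assumption and the thresholds are assumptions of this example, and the sample tree is constructed.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Note names quoted in the thread; the .html one is given there as "something like".
NOTE_PATTERNS = [
    re.compile(r"^!Decrypt-All-Files-[a-z]{7}\.html$", re.I),
    re.compile(r"^DecryptAllFiles(_.+)?\.txt$", re.I),
    re.compile(r"^AllFilesAreLocked_.+\.bmp$", re.I),
]
# Assumption: the 7 random characters are lowercase letters, as in ".nujdlwi".
EXT_RE = re.compile(r"^\.[a-z]{7}$")

def triage(root, min_share=0.5, min_count=3):
    """Return (dominant 7-letter extension or None, sorted relative note paths)."""
    root = Path(root)
    exts, notes, total = Counter(), [], 0
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if any(rx.match(p.name) for rx in NOTE_PATTERNS):
            notes.append(p.relative_to(root).as_posix())
            continue
        total += 1
        if EXT_RE.match(p.suffix):
            exts[p.suffix] += 1
    # A lone ".torrent" also has 7 letters, so the shape alone is a false
    # positive; flag only an extension that dominates the tree (assumed thresholds).
    dominant = None
    if exts:
        ext, n = exts.most_common(1)[0]
        if n >= min_count and n / total >= min_share:
            dominant = ext
    return dominant, sorted(notes)

def build_sample(root):
    """Constructed sample tree: five renamed files, two ordinary files, one note."""
    root = Path(root)
    (root / "docs").mkdir()
    for name in ("a.xls.nujdlwi", "b.doc.nujdlwi", "docs/c.pdf.nujdlwi",
                 "docs/d.jpg.nujdlwi", "docs/e.txt.nujdlwi", "movie.torrent",
                 "readme.txt", "docs/DecryptAllFiles_alice.txt"):
        (root / name).write_bytes(b"\x00")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

A dominant extension returned with an empty note list is the situation the topic starter describes, where identification has to proceed without an uploaded ransom note.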
