A distribution campaign for a new ransomware called Nozelesn, targeting Poland, is currently underway. The campaign started on July 1st, and we already have reports from victims in our forums, while numerous cases have been spotted on ID Ransomware.
A researcher at CERT Polska, the Computer Emergency Response Team for Poland, has also stated that they believe the ransomware is being distributed through a spam campaign pretending to be a DHL invoice.
It seems that the delivery method was through a spam campaign with a fake DHL invoice.— Rev (@RevToJa) July 2, 2018
Unfortunately, the campaign appears to be dead and we have not been able to find a sample of the actual ransomware. Therefore, if you have more information or just need help with the ransomware, please post in our Nozelesn Ransomware Support & Help Topic.
As a sample of Nozelesn Ransomware has not yet been found, the only information we currently have comes from the reports of victims who have posted on Twitter and in our forums.
What we know is that the ransomware will encrypt a user's files and append the .nozelesn extension to the encrypted file's name. You can see an example of what an encrypted folder would look like below.
The ransomware will also create ransom notes on the computer named HOW_FIX_NOZELESN_FILES.htm. This ransom note contains instructions on how to log in to a TOR payment server at lyasuvlsarvrlyxz.onion to receive further instructions. It also contains a unique personal code that the victim will need in order to log in to the server.
The TOR payment server is described in the next section.
The TOR Payment server for this ransomware is called the "Nozelesn decryption cabinet" and is located at the lyasuvlsarvrlyxz.onion address. When you first visit the site you will be required to enter the personal code from your ransom note and a captcha answer into the login screen.
Once logged in, you will see payment instructions that contain the amount of bitcoin to send and the address to send it to in order to pay the ransom. Currently the ransom payment amount is set to 0.10 bitcoin, or approximately $660 USD.
It is not known if paying the ransom will result in getting a decryption key and it is strongly advised that you do not pay the ransom. Instead try and restore from backups or Shadow Volume Copies if they are available.
Once a sample is found, it will be analyzed to determine if a victim's files can be decrypted for free. Once again, if you need help with this ransomware, please post in our Nozelesn Ransomware Support & Help Topic.
In order to protect yourself from ransomware in general, it is important that you use good computing habits and security software. The most important step is to always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.
You should also make sure that you do not have any computers running remote desktop services connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.
A good security software solution that incorporates behavioral detection to combat ransomware, rather than relying on signature detection or heuristics alone, is important as well. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.
Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:
For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.
Text of the HOW_FIX_NOZELESN_FILES.htm ransom note:
All files including videos, photos and documents on your computer are encrypted by nozelesn ransomware.
File decryption costs money. In order to decrypt the files, you need to perform the following steps:
1. You should download and install this browser http://www.torproject.org/projects/torbrowser.html.en
2. After installation, run the browser and enter the address: lyasuvlsarvrlyxz.onion
3. Follow the instructions on the web-site.
We remind you that the sooner you do, the more chances are left to recover the files. Guaranteed recovery is provided within 10 days.
IMPORTANT INFORMATION
You should enter the personal code on the tor site.
Your Personal CODE: [id]
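The two artifacts the article describes, the appended .nozelesn extension and the HOW_FIX_NOZELESN_FILES.htm note with its .onion address and personal code, are what a responder can collect from a victim machine before a sample is available. The following triage script is an added example, not code from the article or from any analysis of the ransomware: it walks a directory, counts encrypted files, recovers their original names (useful when matching against a backup), and pulls the .onion address and personal code out of the note. The note format beyond what the article quotes, the personal-code pattern, and the sample directory it builds are assumptions; the sample files and the code value in them are constructed for the demonstration.

```python
"""Triage helper for a suspected Nozelesn infection.

Added example, not code from the original article or from the ransomware
authors. It walks a directory tree, collects files carrying the ".nozelesn"
extension, locates ransom notes named HOW_FIX_NOZELESN_FILES.htm, and
extracts the .onion address and the victim's personal code from the note so
they can be recorded before the machine is rebuilt or restored from backup.
"""
import html
import os
import re
import tempfile

ENCRYPTED_EXT = ".nozelesn"                # extension appended by the ransomware
NOTE_NAME = "how_fix_nozelesn_files.htm"   # ransom note name (compared case-insensitively)

# The note is HTML, so tags are stripped before matching. The personal-code
# format is not documented in the article; CODE_RE assumes any run of
# non-whitespace characters after "Personal CODE:" (assumption).
TAG_RE = re.compile(r"<[^>]+>")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
CODE_RE = re.compile(r"Personal\s+CODE:\s*(\S+)", re.IGNORECASE)


def parse_note(text):
    """Return (onion_address, personal_code) found in note text; None for a missing field."""
    plain = html.unescape(TAG_RE.sub(" ", text))
    onion = ONION_RE.search(plain)
    code = CODE_RE.search(plain)
    return (onion.group(0).lower() if onion else None,
            code.group(1) if code else None)


def original_name(path):
    """Strip the appended extension: 'report.docx.nozelesn' -> 'report.docx'."""
    if path.lower().endswith(ENCRYPTED_EXT):
        return path[:-len(ENCRYPTED_EXT)]
    return path


def triage(root):
    """Summarise an infected tree: counts, indicators from the note, original file names."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(full)
            elif name.lower() == NOTE_NAME:
                notes.append(full)
    onion = code = None
    for note in notes:  # every copy carries the same note; stop at the first parseable one
        with open(note, encoding="utf-8", errors="replace") as fh:
            onion, code = parse_note(fh.read())
        if onion or code:
            break
    originals = sorted(os.path.relpath(original_name(p), root).replace(os.sep, "/")
                       for p in encrypted)
    return {"encrypted_count": len(encrypted), "note_count": len(notes),
            "onion": onion, "personal_code": code, "originals": originals}


def build_sample():
    """Create a constructed sample tree (not real victim data) and return its root."""
    root = tempfile.mkdtemp(prefix="nozelesn_sample_")
    # Note text follows the wording quoted in the article; the personal code is made up.
    note = ("<html><body><p>All files including videos, photos and documents on your "
            "computer are encrypted by nozelesn ransomware.</p>"
            "<p>2. After installation, run the browser and enter the address: "
            "lyasuvlsarvrlyxz.onion</p>"
            "<p>IMPORTANT INFORMATION You should enter the personal code on the tor site.</p>"
            "<p>Your Personal CODE: A1B2C3D4E5F6</p></body></html>")
    layout = {
        "docs/report.docx.nozelesn": b"\x00" * 32,
        "photos/IMG_0001.jpg.nozelesn": b"\x00" * 32,
        "budget.xlsx.nozelesn": b"\x00" * 32,
        "readme.txt": b"untouched",
        "HOW_FIX_NOZELESN_FILES.htm": note.encode(),
        "docs/HOW_FIX_NOZELESN_FILES.htm": note.encode(),
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run it against the root of the affected volume (or a mounted image) rather than the live system when possible; the output is a record of indicators and original file names, and it never modifies anything. The extension match is case-insensitive on purpose, since victims' reports, not a sample, are the only source for the exact spelling at this point.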