Nozelesn Ransomware: What To Do If You’re Infected

Graphic for Tetra Defense Ransomware 101: Nozelesn

What is Nozelesn Ransomware?

The first Nozelesn ransomware outbreak was detected in July 2018. It is currently still an active malware threat, and experts have seen steady infection rates for Nozelesn since its original release.  The initial outbreak struck victims in Poland, and Nozelesn has since spread across the European Union and overseas.

Experts have had some difficulty measuring how many users have been affected by the Nozelesn ransomware strain. We estimate its proliferation to be moderate relative to other ransomware strains. Importantly, to date, no development communities, cybersecurity firms, or law enforcement officials have released a successful decryptor for Nozelesn. Microsoft platforms, such as Windows Server and Windows 10, are susceptible to Nozelesn ransomware.

Following infection, all files that are locked by the malware have the “.Nozelesn” file extension added to them. User files such as documents, pictures, databases, and non-system files are encrypted.

Nozelesn leaves a ransomware note with instructions regarding how to pay the ransom using bitcoin on the user’s desktop and within all encrypted folders. The hackers “guarantee” that a personal decryptor will be provided to the victim within ten days of payment.

How Does Nozelesn Ransomware Work?

Most of the evidence that has reported about Nozelesn suggests that it nearly exclusively distributed using targeted phishing campaigns, sometimes called “spearphishing.” The malware payload is embedded within rogue Microsoft Word email attachments.

Typically, Nozelesn phishing campaigns target victims with spoofed emails from genuine companies. For example, intended victims commonly reported fake DHL emails that mimicked authentic email templates, a tactic that tricked many users into opening the attachment.

In this method of propagating the ransomware, once the malicious attachment is double-clicked, Nozelesn injects the payload into the computer operating system using macros within the email attachment. This triggers a series of events which result in all user files being locked.

In some cases, the malware payload was identified as Emotet malware, which loads Nozelesn ransomware by using exploited Remote Desktop (RDP) connections. Once breached, the ransomware spawns hidden PowerShell scripts that scan the local host for information.

The ransomware scans local network IP addresses and attempts to distribute the malware payload through the internal network using Windows admin shares. Next, the ransomware targets network-attached storage, such as NFS and Samba shares. Some reports state that Microsoft shared folders were not directly affected by the incident.

At this stage, the malware begins encrypting the files via its encryption algorithm, and connections are made to command and control (C&C) servers on the public Internet.  Experts believe that the C&C handshake likely generates a unique key that Nozelesn publishes in the automatically generated ransomware note.

Following infection, the victim is directed to a web page on the darknet using the TOR browser. Victimized users have to log in using a unique password found within the ransomware note, which directs them to a personalized page that includes both the ransom demand itself and instructions on how to pay the ransom.

How Do I Prevent Nozelesn Ransomware?

Nozelesn is not particularly sophisticated ransomware. However, as with all types of ransomware infections, unless you have a viable backup, the malware can wipe out your server and cost money in lost revenue or access to files with sentimental value, such as treasured family photographs. With Nozelesn, the only form of defense is to maintain security-conscious practices when managing computer systems.

As Nozelesn spreads via phishing campaigns, security and IT personnel should make educating users to be extremely vigilant when opening any form of attachment an absolute necessity. Before opening any attachment, users should verify that the sender is a trusted source, and must assess the legitimacy of the email before opening. Questions should be considered, including: Am I expecting this invoice? Have I ever used that company before? Is the email actually from that company’s real domain?

Besides phishing awareness, educating employees on all aspects of cybersecurity is essential. Users need to check URLs when web browsing to reduce the possibility of successful phishing attempts. This includes teaching employees to check a website’s SSL status and never to open attachments from unknown sources.

The system administrator must ensure that all servers are up to date with current patches. This ensures that your version of Microsoft Windows is protected against the latest known vulnerabilities. Additionally, system administrators should be running daily antivirus updates and might want to consider deploying anti-malware technology.

Backups are a critical strategy that can help organizations stay one step ahead of the threat of ransomware. Often the only way to roll back from a ransomware outbreak is to restore the system from a backup. The ability to restore an entire computer infrastructure from backup or to leverage a disaster recovery solution can significantly reduce the risk associated with ransomware.

Another measure that can help protect you or your organization from a ransomware infection is to get to know your computer infrastructure inside out, which could mean performing a system inventory audit. This knowledge will help sysadmins understand where the risks are in the system, allowing you to create working disaster recovery alternatives and embrace best practices, such as pen testing, to harden the infrastructure.

Removing Nozelesn Ransomware & How to Fix Nozelesn Files

As of early 2020, it is still impossible to decrypt data encrypted by Nozelesn ransomware without a decryption key obtained from the threat actor. The only viable options to gain access to your encrypted files are to restore data from a backup or to get the decryption key. If you are in the untenable position of not having a backup, and you urgently need your encrypted files, we recommend you contact the incident response experts at Tetra Defense.

Tetra Defense prioritizes restoration to get businesses back to where they were before the ransomware attack. We approach ransomware restoration and investigations simultaneously, so you return to normal operations at the same time you are getting answers.

Our teams are standing by to focus on what matters most: your business! We will investigate the ransomware outbreak and perform an initial assessment of the infection and the possibility of file decryption, which will help to identify a course of action to fix the infection and restore files, if possible. If deemed necessary, we can conduct ransom negotiation and can facilitate ransom payment – as the ransomware note says, “file decryption” costs money when working with the threat actors who caused the ransomware infection.

We remove the threat from your system and conduct malware scans and network threat hunting. Each incident is leveraged to learn from the ransomware attack and discover the root cause. Once the decryption keys are obtained, we assist with the decryption of the encrypted files and get systems restored to full functionality as quickly as possible.

Get Help with Nozelesn Ransomware and Encrypted Files

If you’re ready to get help removing Nozelesn ransomware from your critical systems, contact Tetra Defense’s incident response team today. We will reach out for an assessment of file recovery and build a plan to get your systems up and running once again.

Example of a Nozelesn Ransom Note: “File Decryption Costs Money”

Screenshot of Nozelesn ransom note


Check out some related content on our blog: