November 04, 2016

A ransomware virus using the This email address is being protected from spambots. You need JavaScript enabled to view it. e-mail address as a file extension and belonging to the CrySiS ransomware variants has been spotted in the wild by victims and IT support staff. The virus has been reported to also use the .xtbl file extension and be themed based on a parody video of Vinnie the Pooh. Fortunately like other CrySiS ransomware viruses, Nomoneynohoney ransomware also turns out to be decryptable. In order to remove Nomoneynohoney ransomware and decrypt your files for free, we advise you to read this article thoroughly.

Nomoneynohoney Ransomware – More Information

To better inform you about this variant of XTBL/Shade also known as Nomoneynohoney ransomware, we will take you through it’s infection process methodologically since this will help affected users understand how they may have become unsuspecting victims and in the future protect themselves.

Initially you may become infected by this .xtbl ransomware virus by simply two methods:

  • Opening a malicious web link.
  • Opening a file extension that is with malicious character.

    Such may be spread in many different places, like spammed e-mail messages with either, spammed comments on websites as well as posted files on suspicious websites as fake setups. Not only this but it has also been reported the CrySiS may be encountered in game cracks, keygens or other fake executable files that may be existent in different forms.

After the user opens the malicious file, the Nomoneynohoney virus situates malicious files in key Windows folders, like:


As soon as this has been done, the malware deletes the shadow volume copies and other backups via commands, like the vssadmin command in privileged mode without the victim noticing what is happening on the computer:

cerber ransomware shadow command sensorstechforum 3

After they are deletet, the Nomoneynohoney virus also uses techniques allowing it to encrypt the files of the affected computer. It may scan for and encrypt most commonly used file types, like the following:

File extensions related to videos.
Image file types.
Audio files.
Document type of files (Microsoft Office, Adobe)
Database type of files and virtual drives.
After this has been performed the virus leaves the files in the following state:

ransomware nomoneynohoney encrypted sensorstechforum
It is widely believed that the ransomware virus may itself be originating from Russia, because of the parody it uses from the Russian viral video “no money no honey”.
Remove Nomoneynohoney and Decrypt Your Files

In order to completely remove the Nomoneynohoney virus we urge you to follow our removal instructions below. In case you lack the professional malware removal experience, it is also recommended to use an advanced anti-malware program which will automatically and swiftly take care of the Nomoneynohoney virus.

Fortunately, regarding the files encrypted by Nomoneynohoney ransomware, there is a decryptor for which we have created instructions. But bear in mind that you should consider yourself lucky by being infected with it, due to the fact that most ransomware viruses are non-decryptable. This is why we advise you to check our protection tips on ransomware.

After the removal of the virus, please follow the instructions in the article in the red box below to successfully decrypt the encrypted files by Nomoneynohoney ransomware:

decrypt files
Manually delete Nomoneynohoney
from your computer

News Courtesy :