Remove Nagini Ransomware Virus

How to Remove Nagini Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

Done Encrypting!
Enter your credit card:
Get key!
Enter key to decrypt the files:
Decrypt Now!


The magical world of Harry Potter has inspired millions of people all over the globe. Unfortunately, a couple of days ago it inspired cyber criminals as well. For those of you unfamiliar with the young wizard and his adventures, Harry Potter has a mortal enemy. His name is Lord Voldemort and he’s quite an intimidating villain. Now, Lord Voldemort owns a pet snake named Nagini. For some reason, crooks have decided to make a Harry Potter reference in this virus. Just like Nagini the snake, Nagini the ransomware is stealthy and harmful. Actually, ransomware-type programs are considered to be the most devastating infections on the Web. This isn’t a title ransomware just got one day out of the blue. It’s a title ransomware has earned. Back to your problem. The Nagini Virus (also known as Voldemort Virus) is still under development. That means it is yet to be improved. Yes, this infection could become much more dangerous in the future. The parasite was discovered by Michael Gillespie, a popular malware researcher. It definitely differs from most ransomware programs out there. Usually, these infections encrypt all the personal files on the computer system. That’s what Cerber, Locky, Cryptolocker and many more parasites do. However, this one only targets the main file formats – .doc, .pdf, .png, etc. Furthermore, Nagini only locks data stored in the C:\Users\Colosseum\Desktop\files\ directory. Colosseum is the name of this pest’s developer. Keep in mind that the program is still in the making, though. It might add some tricks to its malicious repertoire. Another distinct feature Nagini Ransomware exhibits is that the virus doesn’t create ransom notes. It denies you access to your desktop instead. The lock screen includes a nasty picture of Voldemort himself with Nagini. Now, there are no payment instructions to be seen. Hackers just want you to enter your credit card number. It goes without saying that crooks should stay away from your credit card data. 
Even though the Nagini Ransomware Virus is rather unique, it’s still an attempt at a cyber scam. All ransomware infections are. Crooks are supposed to free your data after you follow their instructions. However, do you know what hackers usually do after they receive what they want? They ignore you. Ransomware is nothing but a way for cyber crooks to blackmail gullible PC users. Don’t let this pesky infection fool you. Get rid of it instead.

How did I get infected?

The Nagini Virus follows the classic rules when it comes to distribution. As you probably know already, spam messages and emails are very dangerous. More often than not, these are corrupted. Next time you find a suspicious-looking email in your inbox, delete it ASAP. Prevention is much easier than having to remove a virus afterwards. Therefore, don’t underestimate any potential threat online. Make sure you protect your security and avoid spam messages. Another technique involves malicious torrents/websites. Be careful what you click open. Ransomware also gets attached to freeware and shareware bundles. When downloading such program packages, always watch out for “bonus” infections. There might be some sneaky intruder hiding in the bundle. Last but not least, ransomware sometimes gets installed with the help of Trojans. Check the PC for more parasites. Nagini might not be the only piece of malware currently on your device.


Why is Nagini dangerous?

Not all of Nagini’s functions are clear at this point. Take the C:\Temp\voldemort.horcrux folder, for example. It appears after the encryption process is complete. However, its purpose is still a mystery. One more thing – the Nagini ransomware doesn’t add any file extensions or prefixes. What typically happens is, the virus renames your personal data. Nagini, on the other hand, only changes the target files’ sizes and keeps their names intact. Thanks to its lock screen, this program successfully plays mind games with you. It’s key for your further safety to ignore the parasite’s shenanigans. This is, without a doubt, a very bizarre and unpredictable file-encrypting program. Don’t overlook the giant threat it poses. Remember that crooks are aiming at your bank account. There’s no plausible scenario in which this program doesn’t jeopardize your safety. The sooner you manage to uninstall it, the better. To do so manually, please follow our detailed removal guide down below.

Nagini Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Nagini Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a randomly generated file name.
  • Before you kill the process, write its name down in a text document for later reference.


  • Locate any suspicious processes associated with Nagini encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Nagini encryption Virus startup location

  • Once the operating system loads, press the Windows logo key and the R key simultaneously.


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the entry with the random display name: [RANDOM]


  • Then open Explorer, navigate to your %appdata% folder and delete the executable.

You can alternatively use the Windows msconfig program to double-check the execution point of the virus. Please have in mind that the names on your machine might be different, as they are generated randomly; that’s why you should run a professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.


  • Method 2: File Recovery Software – Usually, when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Because of this, you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open Shadow Explorer and choose the drive you want to recover. Right-click on any file you want to restore and click Export.
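As an added example that is not part of the original guide, the following PowerShell script performs the checks from Step 3 in one pass: it lists the entries in the three Run keys named above, flags any that launch from user-writable locations, looks for the C:\Temp\voldemort.horcrux artifact mentioned earlier, and lists recently written executables under %appdata%. It only reports; it deletes nothing, and it assumes Windows PowerShell 5 or later run from an elevated prompt.

```powershell
# Added triage script (not the article's own). Assumes Windows PowerShell 5+
# and an elevated prompt; the key paths and artifact come from the guide above.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties that Get-ItemProperty adds
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        # Autoruns launching from %appdata%, Temp or a user's Desktop deserve a look
        $suspicious = $cmd -match '(?i)\\AppData\\|\\Temp\\|\\Users\\[^\\]+\\Desktop'
        [PSCustomObject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $cmd
            Suspicious = $suspicious
        }
    }
}

# The article reports C:\Temp\voldemort.horcrux appearing after encryption
$artifact = 'C:\Temp\voldemort.horcrux'
if (Test-Path $artifact) {
    Write-Warning "Nagini artifact present: $artifact"
    Get-Item $artifact | Select-Object FullName, Length, LastWriteTime
}

# Executables written under %appdata% in the last 7 days (Step 3 of the guide)
$cutoff = (Get-Date).AddDays(-7)
Get-ChildItem -Path $env:APPDATA -Recurse -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Select-Object FullName, Length, LastWriteTime
```

Review the flagged Run entries and the %appdata% listing against the process name you wrote down in Step 1 before deleting anything.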
