National Security Bureau Ransomware Removal Guide

Threat Level:
9/10
Category: Trojans

It has been some time since we last saw an infection like National Security Bureau Ransomware. This malware is very reminiscent of threats that would use the credentials of well-known law enforcement organizations to trick gullible Windows users into paying fines for allegedly committed cyber crimes. FBI Cybercrime Division Virus, National Security Agency Virus, Homeland Security Virus, and hundreds of similar threats would invade operating systems and paralyze them by displaying screen-locking windows to convince victims that fines had to be paid. Although removing this kind of malware came with its complications, when victims eliminated it, they did not need to deal with other consequences. That is not the case with the infection we are discussing in this report. While it hides behind well-known names and it locks the screen, it also works as a file-encryptor. Unfortunately, even if you delete National Security Bureau Ransomware from your operating system successfully, your files cannot be recovered. Of course, even though that is the outcome, you must erase this infection as soon as possible.

According to the research conducted by our malware experts, National Security Bureau Ransomware is not a unique infection. In fact, it is just a new variant of another well-known infection, VirLock Ransomware. Not much has changed, and all versions of this malware still work in the same ways. Nonetheless, there are some unique things about National Security Bureau Ransomware. For example, the ransom note has been modified, and the amount of money demanded as a ransom has changed as well. If the malicious infection slithers in – which it is likely to do using malicious downloaders and spam email attachments – it immediately locks the screen and displays a window with the ransom note. According to it, you need to transfer 250 USD to a special crypto-currency wallet. That is what should help you realize that you are dealing with malware, because the FBI, the Department of Justice, Homeland Security, and all other organizations whose emblems appear in the ransom note would never ask you to pay fines in such a manner. If you are tricked into purchasing Bitcoins and transferring them to 17Zuj1SV7g2ooyPTKP1h1mws4neduoNqGU, you will not see this money again. Unfortunately, the ransom note suggests that the victim would face prison time and a much bigger fine if they did not pay the original “fine.”

It would be a mistake to treat National Security Bureau Ransomware as a regular file-encryptor. Besides corrupting data (when files are encrypted, the “.exe” extension is added to all of their names), the ransomware also deletes shadow volume copies. This should make it impossible for victims to restore files manually. Moreover, it locks the screen and disables the Task Manager and RUN utilities to ensure that you cannot disable and remove National Security Bureau Ransomware. Speaking of removal, you might have eliminated the original .exe file that launched the infection before the encryption started. Unfortunately, if you do not erase the copies in the %ALLUSERSPROFILE%\{random name} and %USERPROFILE%\{random name} folders, the attack is successful. Besides these copies, you also need to clean the Windows Registry because the infection adds keys to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN. Whether or not you have paid the ransom, you need to delete the malicious infection, and these are the components you need to focus on. Are you scared that you cannot erase them all on your own? Do not fret because the right software can help.

The instructions below can aid you with the manual removal of National Security Bureau Ransomware; however, that is not the only option you have. In fact, it is better to leave the removal of malware up to anti-malware software. It is important to have every single malicious component of National Security Bureau Ransomware deleted, and only a reliable and up-to-date anti-malware tool can guarantee complete elimination. It is also important to shield the operating system, and that is the primary task for anti-malware software. As mentioned earlier, there is nothing you can do to recover data that was encrypted. You certainly should not pay the ransom to restore it. To ensure that personal data is protected in the future, we suggest figuring out the best way to back it up. If backup copies of your files are stored separately, even malware cannot harm them.

How to delete National Security Bureau Ransomware

N.B. to recover access to the operating system, you need to reboot it. If you choose to proceed manually, go with Safe Mode. If you decide to install anti-malware software, reboot to Safe Mode with Networking.

Reboot Windows 10 or Windows 8

  1. Restart the computer, wait for BIOS to load, and immediately start tapping F8 on the keyboard (if this does not work, force-restart the computer 3 times to access Startup Repair).
  2. Choose See advanced repair options and then go to Troubleshoot.
  3. Click Advanced options, then Startup Settings and, finally, Restart.
  4. Pick the desired boot mode (Safe Mode or Safe Mode with Networking).
  5. Once the system reboots, follow the instructions at the bottom to erase the ransomware.

Reboot Windows 7, Windows Vista, or Windows XP

  1. Restart the computer, wait for BIOS to load, and immediately start tapping F8 on the keyboard.
  2. Select the desired boot mode (Safe Mode or Safe Mode with Networking) using arrow keys and tap Enter.
  3. Once the system reboots, follow the instructions at the bottom to erase the ransomware.

Remove the malicious ransomware

  1. Launch Windows Explorer by tapping keys Win+E.
  2. Show hidden folders and files. (On Windows 10/8: click the View tab -> Options -> View -> Show hidden files, folders, and drives -> Apply -> OK. On Windows 7: click Organize -> Folder and search options -> View -> Show hidden files, folders, and drives -> Apply -> OK.)
  3. Enter %USERPROFILE% into the field at the top to access the directory.
  4. Delete the {random name} folder if it contains a malicious {random name}.exe file.
  5. Enter %ALLUSERSPROFILE% into the field at the top.
  6. Delete 2 unique {random name} folders if they contain 2 unique malicious {random name}.exe files.
  7. Launch RUN by tapping Win+R and then enter regedit.exe to launch Registry Editor.
  8. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN.
  9. Delete the {random name} value if it represents the %ALLUSERSPROFILE%\{random folder}\{random name}.exe file.
  10. Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN.
  11. Delete the {random name} value if it represents the %USERPROFILE%\{random name}\{random name}.exe file.
  12. Quickly Empty Recycle Bin and then install a trusted malware scanner. If leftovers are found, erase them ASAP.
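
The checks in steps 3 to 11 can also be run as a read-only PowerShell audit before anything is deleted. This is an added example, not part of the original guide or any vendor tool; the function names `Test-DropPath` and `Get-Md5Verdict` are hypothetical, and the MD5 values are the three from the file table further down this page.

```powershell
# Added example (not from the guide's authors): read-only audit, deletes nothing.
# MD5 values are the three listed in this guide's "Files Modified/Created" table.
$knownMd5 = @(
    '81ac592d5c6328b46e93d1b3f334f07c',
    '526858d74ffd6c5dc77ad1a82c88ef87',
    'd1e755f17737f95a9643ea0eb653fd27'
)
# Folders the guide says hold the copies, and the Run keys it says are modified.
$roots   = @($env:USERPROFILE, $env:ALLUSERSPROFILE)
$runKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Test-DropPath([string]$Path) {
    # True when $Path is <root>\<folder>\<name>.exe, exactly one folder below a root.
    foreach ($root in $roots) {
        $pattern = '^' + [regex]::Escape($root.TrimEnd('\')) + '\\[^\\]+\\[^\\]+\.exe$'
        if ($Path -match $pattern) { return $true }
    }
    return $false
}

function Get-Md5Verdict([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'file missing' }
    $md5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    if ($knownMd5 -contains $md5) { "MD5 $md5 (listed in guide)" } else { "MD5 $md5 (not listed)" }
}

# 1. Run values whose data points into one of the drop locations.
foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        # Expand %VARS% and strip quotes/arguments to get the executable path.
        $data = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
        $exe  = if ($data -match '^\s*"([^"]+)"') { $Matches[1] } else { ($data -replace '(?i)(\.exe).*$', '$1').Trim() }
        if (Test-DropPath $exe) {
            "{0}\{1} -> {2} : {3}" -f $key, $name, $exe, (Get-Md5Verdict $exe)
        }
    }
}

# 2. Executables one folder below each root, including hidden ones (-Force).
foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -Filter *.exe -File -Force -ErrorAction SilentlyContinue } |
        ForEach-Object { "{0} : {1}" -f $_.FullName, (Get-Md5Verdict $_.FullName) }
}
```

The three hashes are only the samples listed in this guide, so a "not listed" result does not clear a file; judge each hit by its location and Run entry as the steps above describe.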


National Security Bureau Ransomware technical info for manual removal:

Files Modified/Created on the system:

| # | File Name | File Size (Bytes) | File Hash |
|---|-----------|-------------------|-----------|
| 1 | gsQoAIAM.exe | 1768960 | MD5: 81ac592d5c6328b46e93d1b3f334f07c |
| 2 | vkcgwEMM.exe | 1760768 | MD5: 526858d74ffd6c5dc77ad1a82c88ef87 |
| 3 | qEoYgUIU.exe | 1789952 | MD5: d1e755f17737f95a9643ea0eb653fd27 |

Memory Processes Created:

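| # | Process Name | Process Filename | Main module size |
|---|--------------|------------------|------------------|
| 1 | gsQoAIAM.exe | gsQoAIAM.exe | 1768960 bytes |
| 2 | vkcgwEMM.exe | vkcgwEMM.exe | 1760768 bytes |
| 3 | qEoYgUIU.exe | qEoYgUIU.exe | 1789952 bytes |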
