I wrote this article to help you remove Nomoneynohoney Ransomware. This Nomoneynohoney Ransomware removal guide works for all Windows versions.

Nomoneynohoney ransomware is a variant of Shade. This infection belongs to the CrySiS family of win-lockers. Nomoneynohoney ransomware is a typical encryption virus in terms of the operations it carries out. The malignant program locks users’ personal files and requires a ransom to decrypt them. Nomoneynohoney ransomware has a different approach toward the ransom message. The clandestine program resets the desktop background to an illustrated picture, containing a brief statement from the hackers. The renegade developers make the entire situation look like child’s play. For the victims, the event is serious. You will be unable to access your private files.

Nomoneynohoney ransomware targets text documents, spreadsheets, presentations, databases, audios, videos, images, archives, system components and other file formats. The list of vulnerable extensions includes, among others, the following: .txt, .html, .doc, .docx, .asp, .aspx, .ppt, .pptx, .xls, .xlsx, .pdf, .xml, .sql, .odt, .bin, .dat, .sys, .lnk, .cer, .rtf, .bdf, .mdb, .db, .mp3, .flac, .wav, .wma, .ogg, .eps, .exif, .dng, .wsc, .tif, .tiff, .cdr, .iff, .pak, .sln, .crw, .zip, .rar, .bat, .mkv, .avi, .mp4, .flv, .mpg, .mpeg, .wmv, .asf, .mov, .pfx, .raw, .srf, .qic, .csv, .reg, .eml, .ini, .mid, .php, .ps1, .gif, .jpg, .jpeg, .bmp, .png, .psd, .arw, .bkp, .wps, .sct, .vb, .iff, .m3u, .m4a, .exe.

Nomoneynohoney ransomware appends a custom file extension to the names of the encrypted items. The suffix contains the following information: .[ID number].Nomoneynohoney@india.com.xtbl. The ID is unique for each instance of infection. It encompasses seven hexadecimal characters. The middle symbol is a number, while the other six are letters. The proprietors of the win-locker ask the victim to contact them in order to receive full instructions on the payment process. Their email account is listed in the note and the custom file extension.

Like most cyber criminals, the people behind Nomoneynohoney ransomware require users to pay the ransom in bitcoins. This is a cryptocurrency which protects their anonymity. Neither security experts, nor the legal authorities can track their location. The victim learns the amount of the ransom when the scammers reply to his email. The sum usually ranges between 0.5 BTC and 1.5 BTC. Converted, this equals approximately $350 USD to $1060 USD. The exchange rates for bitcoins fluctuate just like the rates for national and international currencies.

Paying the ransom is not advised. Trying to make a deal with cyber thieves is a risk. They can collect the ransom and not provide the decryption key. There are many cases of win-locker developers taking the ransom and running away with it. We suggest looking for an alternative way to restore your files. Before you proceed with the recovery, you need to uninstall Nomoneynohoney ransomware. Deleting the virus on your own terms is the only sure way to get rid of it for good.

Knowing the propagation vectors of Nomoneynohoney ransomware and how they work can help you prevent getting infected with it in the past. The furtive program uses the same methods as many other win-lockers, so this knowledge will be beneficial on more than one front. Spam emails are a common host for Nomoneynohoney ransomware. The shady program travels secluded behind an attachment to the letter and lays in stealth. The spammer needs to convince the recipient to open the file. This would give the virus entry into the system. To filter spam from legitimate emails, check the sender’s contacts.

The other entry point for Nomoneynohoney ransomware is through bundles. The download clients for the covert program include freeware, shareware and pirated utilities. The win-locker gets included for install with the main tool as a bonus. You have to find where the option for it is listed and uncheck it. Be sure to read the terms and conditions of the programs you intend to add to your system. Select the custom or advanced installation mode to have all options shown.

Nomoneynohoney Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Nomoneynohoney Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
2. Install ShadowExplorer
3. Open ShadowExplorer and select C: drive on the left panel
4. Choose at least a month ago date from the date field
5. Navigate to the folder with encrypted files
6. Right-click on the encrypted file
7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

1. Go to Start –> All programs –> Accessories –> System tools –> System restore
2. Click “Next“
3. Choose a restore point, at least a month ago
4. Click “Next“
5. Choose Disk C: (should be selected by default)
6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Nomoneynohoney Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

1. Recuva
2. Puran File Recovery
3. Disk Drill
4. Glary Undelete