Infected with N1N1N1 ransomware? Need to decrypt your files?

What is N1N1N1 ransomware

N1N1N1 is an encrypting virus that encrypts most of the user files on the PC. This cryptovirus uses the AES encryption algorithm and changes the file extension of the victims to .n1n1n1. Let’s look at a couple of examples for clarity: the photo.png becomes a photo.png.n1n1n1 or document.docx looks like document.docx.n1n1n1 and so on. Plus, N1N1N1 removes system restore points and shadow copies of files to exclude the possibility of data recovery. The virus encrypts files of different formats, office documents, archives, PDF files, audio files and so on. Scammers carefully provided an informative note containing information about encryption and redemption. This file is called how to return files.txt and here’s how it looks:

N1N1N1 ransomware

Dont speak english?
Ingilizce konusamiyor musun? Daha sonra
Ino hablan a Ingles? Luego usar el sitio

Your data have been encrypted.
To decrypt your files follow the instructions:
1. Run your browser, open , you can see button "Download", click it .
find tor browser for windows, download it
2. Install tor browser. If you can't download or run it then download and unpack the most stable tor browser version:

3. You need type in tor browser www.uc7k2wj6526xlivj.onion/start.php
4. You will be redirected to hidden website.
5. Follow the instructions on website.
Probably you need to disable or remove your antivirus to make steps 1,2,3,4,5.

Your public key


If you still can't open our secret hidden website or you have any questions then
Open using your usual browser.
If you don't own personal gmail account then you need sign up. You will get email
Create e-mail message and send it to our email:
Copy your public key into the letter (see this key above). Soon I will answer you about decrypting of your files.

Judging by the contents of the note, the conclusion suggests that the target audience is English-speaking users, but N1N1N1 has already spread all over the world. The manual states that the user must download and run the Tor Browser and pay a ransom in the amount of one and a half bitcoins (according to the latest exchange rate it is about $1000). Thus, attackers try to avoid prosecution and minimize the risk of tracking their actions, since Thor browser does not leave any traces, and it is almost impossible to track cryptocurrency operations. If the user goes to the specified site, he finds a countdown timer and a warning that after this time the site will be deleted along with the last hope to restore the files. It sounds ugly, but it’s nothing more than a ruse. The only purpose of intruders is to make you pay them. We strongly recommend that you remove N1N1N1 right now using our guides to decrypt your files.

Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. If you want to decrypt your files, please follow our instruction below or, if you have any difficulties, please contact us: We really can help to decrypt your files.

How N1N1N1 ransomware infected your PC

Despite the fact that new cryptographers and updates for existing ones are constantly appearing in the network, nevertheless, the ways for penetration remain unchanged. Most cryptoviruses, including N1N1N1, penetrate through unprotected network settings. This is because users do not use the proper antivirus software. Also, there are cases when the virus comes in the form of an attachment to spam mailing or as an update for any utility or program. Be that as it may, try to use the latest version of the antivirus, if N1N1N1 already encrypted your files, then use our instructions.

First of all, don’t panic. Follow these easy steps below.

1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the N1N1N1 ransomware virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.

Recommended Solution:

Norton is a powerful removal tool. It can remove all instances of newest viruses, similar to N1N1N1 ransomware – files, folders, registry keys.


Download Norton*Trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.

You may find more detailed information about antivirus products in our article – Top 5 Antivirus Software for Windows

Restore your files using shadow copies


  1. Download and run Stellar Data Recovery.
  2. Select type of files you want to restore and click Next.
  3. Select the drive and folder where your files are located and date that you want to restore them from and press Scan.
  4. Once the scanning process is done, click Recover to restore your files.
Download Stellar Data Recovery

Step 2: Remove following files and folders of N1N1N1 ransomware:

Related connections or other entries:

No information

Related files:


How to decrypt files infected by N1N1N1 ransomware?

You can try to use manual methods to restore and decrypt your files.

Decrypt files manually

Restore the system using System Restore

system restore

Although latest versions of N1N1N1 ransomware remove system restore files, this method may help you to partially restore your files. Give it a try and use standard System Restore to revive your data.

  1. Initiate the search for ‘system restore
  2. Click on the result
  3. Choose the date before the infection appearance
  4. Follow the on-screen instructions

Roll the files back to the previous version

Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged. This feature is available in Windows 7 and later versions.

windows previous versions

  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore

Protect your computer from ransomware

hitmanpro alert with cryptoguard

Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach t protect from ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as famous cloud-based anti-malware scanner. Check out ultimate active protection software from SurfRight.

Download HitmanPro.Alert with CryptoGuard

Written by Rami Douafi

Leave a Reply

Time limit is exhausted. Please reload CAPTCHA.