N3ww4v3/Mimic Ransomware (.n3ww4v3; [random 5-15 char]) Support Topic

Files that are encrypted with most N3ww4v3/Mimic Ransomware variants will have a random 5-15 character alpha-numerical extension appended to the end of the encrypted data filename as explained here by Amigo-A (Andrew Ivanov). These are some examples of random character and email extensions.

.n3ww4v3
.g0eI9
.r0Qp@3M
.1cy931cn9v
.h777XRgNVM777xM
.2n1d4b4fv3

Other variants of N3ww4v3/Mimic append an email address or one of several known extensions to the end of the encrypted data filename to include .crypt, .hicrypt, .HONESTBITCOIN, .Fora, .Hairysquid, .PORTHUB, .QUIETPLACE, .bigspermhorseballs, .KASPERSKY, .shiverer, .darth, .Indianguy, .HONEYHORSELIKESMONEY, .damarans@mail.ru.damarans, .dataland. .processcrypt, .pisunellakonososeila@onionmail.org, .anilorak@onionmail.org, .thaihorsebleepers@onionmail.org, .showrans@mail.ru.show, .FreeWorldEncryption, .PISCOSTRUI, .PANIN, .PODSTAVLIAIPOPKU, .0nk1udlu, .TeaMp0ison, .nemorans@mail.ru.NemoRans, .GREEDYFATHER, .backmydata@inbox.ru.1000USD, .getmydata@list.ru.3000USDAA, .Telegram@datadecrypt, .backmydata@inbox.ru.2000USD, .exe, .NEEDTOPAYTOMYHORSE, .WORM, .ELPACO-team.
 
N3ww4v3/Mimic Ransomware typically will leave files (ransom notes) with various names to include How-to-decrypt.txt, Instructions.txt, What_happened_read_me.txt, HOW_TO_DECRYPT.txt, === Readme.txt, README.txt, ----Read-Me-----.txt, Decrypt_me.txt, ---IMPORTANT---NOTICE---.txt, Contact-Note.txt, Comunicacin.txt, READ_ME_MY_FRIEND.txt, Instruction.txt, DECRYPTION_INFO, OMO_OMO_Decryption.txt, ---BILGILENDIRME----NOTU---.txt, Amigodainapasik_Decryption.txt, rtmlocker_DECRYPTION.txt. A few variants use ransom notes which include the encrypted data extension as part of it's name.

Bigspermhorseballs_Decryption.txt
Kaspersky_Decryption.txt
INDIANGUY_DECRYPTION.txt
Anilorak_Decryption.txt
FreeWorld-Contact.txt
PISCOSTRUI.txt
Datadecrypt.txt
NEED_PAYMENT_README.TXT

In addition, some N3ww4v3/Mimic Ransomware variants create special files such as info.txt, hashlist.txt, and MIMIC_LOG.txt.
 
N3ww4v3/Mimic ransom notes are known to include a long string of alpha-numerical characters comprising a PERSONAL DECRYPTION ID (decryption ID, decrypt ID, unique ID, personal ID, identifier ID, Encryption Number, Contact number, REFERENCE CODE) with an asterisk (*) followed by same extension appended to encrypted data files.

Your decrypt ID is: lpQdH_qHD4LmEC7Hrrt208Pc5ce_aNHNF98mJEeDkwI*9niOpX
Your unique ID is: O28KRMGjKkx_zW7J2TdbdzDe7VluLemi5bv_C9vu7Ww*giapk33vw
Your personal ID: AeqHaNqpUgaHkbEGl7YUpt-e3DTpEWVzY5Q5xus9-kI*ul8dlsj86v
Your identifier (ID) ZeNL5bqnUMCrcKKK_jaHtrsyxuqzJUPU4-Rq6uMjpHM*w9lq64h4
your decryption ID: kV7sbyJMAseAKZH8JBYMLNQI4D36YWOYL0m2ZcCLMjg*Fora
Your decryption ID is rnrwOZmK2CwRUpuT90i7lL9dEIVZNLBjTxcCQTCRZjU*WORM
YOUR DECRYPTION ID - xpoWn-rtwfLA3aemyGwgaqkwKzloeASSCi3wmWSBR0s*NEEDTOPAYTOMYHORSE
Encryption Number : 4L3hC49ng92fRIFuIipkrUXTTVy4v4J8rLPwCELRDlI*dataland
Contact number : NyCu17SY6OqCw60FvjvYTpaKQn0zGQwXY9Uwj_sXDjI*FreeWorldEncryption
=> YOUR REFERENCE CODE <=
mIBN5qQ49n2uDhyk8Q7hACtAmAqARG36c--qGz9-lxU*showrans@mail.ru.show
## YOUR REFERENCE CODE ## 
MKkM8nwey6rJH0lxUA-k6kwGlE0BP_D4LhBhBekhnlE*damarans@mail.ru.damarans

 
 
 
Has anyone come across this new ransomware, the file extension is .n3ww4v3?
 
It leaves a text file named "How-to-decrypt" that pops up when you login.

A ransom note and several encrypted files must be attached to the message in the zip archive.

Edited by Amigo-A, 01 August 2022 - 10:09 AM.

Amigo-A

Here's the link to the text file

https://mega.nz/file/Ec93jQQZ#e1DhrbKjwTC1YXUvO5okYFOT40L6-tRHppjOU1cnQxs

Hi, 

Have any news about this new ransomware ? 

Today i face down with this ransomware and searching more info about that. 

Just a note file is not enough. Need encrypted files to view.

The previous person did not provide them.

I add 3 files like example ( pdf, jpg ) and text file with text "how to decrypt " with all info and decrypt ID,  to 7zip archive 

We transfer link to download https://we.tl/t-xOB4TlYatw

It's funny that the ransomware note you uploaded is different from the one the previous person uploaded. 

I think I can link this case to one of the previous ones, but if the actors is related to the previous extortion group, the ransomware itself may already be different.

Yes you right text in note is different  that previous person uploaded. 

Is there any possibility to get a decrypt tool to this ransomware someday ? 

I think is new ransomware because i can't find any information about this encryption with   " n3ww4v3 " extension. 

Other strange thing is that some folders is missing files just empty, looks like they stolen or hiden.  

Reference this case SHA1: c4537ed7c40707d6dea38e5ad9010b57e02a84c2

Please help to have a look.

extension: n3ww4v3

Edited by jasonmak, 31 August 2022 - 01:47 AM.

I have merged your topic into the primary support topic for victims of this ransomware.

Hello, Is there anyone can help on this

Our crypto malware experts most likely will need a sample of the malware file itself to analyze before the type of infection can be confirmed and ascertain if the encrypted files can even be decrypted. 
 
If you can find the malicious executable that you suspect was involved in causing the infection, you can submit (upload) a sample to VirusTotal and provide a link to the results...this is the safest way of sharing malware since only vetted researchers can access it. Doing that may be helpful with analyzing, investigating, identification of the ransomware and possibly finding a flaw which could be useful for decryption of encrypted data. Refer to my comments in this topic for the most common locations malicious executables are know to hide.