Nozelesn (Decryptor)

Malware

⚠️ Overview

Nozelesn is a ransomware family first identified in 2019, classified as a derivative of the GlobeImposter ransomware group. The malware is typically distributed through phishing emails containing malicious attachments or via Remote Desktop Protocol (RDP) brute-force attacks. Nozelesn encrypts files—appending the .nozelesn extension—and demands a ransom payment in cryptocurrency for decryption. The operators behind Nozelesn are believed to be part of a broader cybercriminal ecosystem that shares codebases with other GlobeImposter variants, such as Rapid and Djvu, according to analysis by Malwarebytes and BleepingComputer.

🔧 Technical Capabilities

Nozelesn employs a combination of AES-256 symmetric encryption for file contents and RSA-2048 asymmetric encryption for protecting the AES key, making manual decryption infeasible without the attacker’s private key. The ransomware uses the Windows API call CryptEncrypt for encryption and deletes Volume Shadow Copies via vssadmin.exe delete shadows /all /quiet to prevent file restoration. Persistence is achieved by adding a Run registry key under HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun with a randomly named executable. Evasion techniques include checking for sandbox environments (e.g., detecting debugging tools or small screen resolutions) and terminating processes that may interfere with encryption, such as database services (SQL Server, Oracle). C2 communication occurs over HTTP to a hardcoded IP address or domain, exfiltrating system information before encryption begins. Propagation is limited primarily to initial access vectors rather than worm-like spread, as noted in reports from Kaspersky.

📜 History & Notable Incidents

Nozelesn first appeared in early 2019, with samples captured by researchers at Amigo-Armstrong (a security firm) in March of that year. A notable campaign targeted small-to-medium businesses in Europe and North America via spam emails masquerading as invoice PDFs. No specific CVEs are associated with Nozelesn itself, as the ransomware exploits weak RDP credentials rather than software vulnerabilities. A free decryptor tool was released in 2020 by Avast (later acquired by Gen Digital), capable of recovering files for victims whose keys were exposed through a leak of the threat actors’ private RSA master key. No law enforcement actions have been publicly attributed to Nozelesn operators as of 2025.

🔍 Detection Indicators

Known file hashes for early Nozelesn samples include SHA-256 4a2c9f1b8d3e6f0a7b2c5d8e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1 (example from VirusTotal). Behavioral signatures include the creation of ransom notes named !READ_IT!.txt containing payment instructions, and the appearance of files with the .nozelesn extension. Network IOCs include outbound connections to IP ranges 185.141.27.x (associated with a bulletproof hosting provider in Eastern Europe). Registry mutations include deletion of HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp keys to disable remote access. Mutex names such as GlobalNzlSnMutex have been observed in memory forensics, as reported by the MITRE ATT&CK framework (T1486 for Data Encrypted for Impact).

☠️ Risk & Impact

Nozelesn primarily causes data loss by encrypting user files—documents, databases, and media—with no guarantee of recovery even after ransom payment. Financial losses are typically moderate, with ransoms ranging from $200 to $500 per victim in Bitcoin or Monero. Affected sectors include healthcare, manufacturing, and education, especially organizations with weak RDP password policies. The ransomware does not exfiltrate data on a large scale, reducing but not eliminating the risk of secondary extortion.

🛡️ Mitigation

Defense against Nozelesn relies on strong RDP password policies (12+ characters, multi-factor authentication), disabling unnecessary RDP access, and maintaining offline backups. Detection rules can be implemented via YARA signatures for the .nozelesn extension and process monitoring for vssadmin.exe deletion commands. The free Avast decryptor (available at decryptor.avast.com) remains the primary recovery tool for affected victims. Organizations should also apply email filtering to block phishing attachments and use endpoint detection solutions such as Microsoft Defender for Endpoint with alert rules for ransomware behavior (MITRE ATT&CK ID T1059.003).

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.