Nury Virus

*Nury is a variant of Stop/DJVU. Source of claim SH can remove it.


Nury is a Ransomware-based program designed to extort money from web users by holding their important files hostage. To do this, Nury encrypts a list of files located on the infected machine and then places a ransom-demanding message on the screen.

The Nury virus file ransom note

If you have already had a close encounter with this particular form of malware, on this page, we will do our best to help you remove it and recover from its attack. Most probably, you want to know exactly what has happened to your files, how you’ve gotten infected and how to get your information back to normal. That’s why, in the next lines, we will cover all these questions and we will give you some instructions on how to remove Nury and prevent Ransomware infections of this kind in the future.

The Nury virus

The Nury virus is a Ransomware threat that is programmed to encrypt user data and keep it hostage for a ransom. Infection with the Nury virus usually occurs when users interact with malicious ads or spam messages.

Spam messages, malicious email attachments, misleading links, torrents, and unauthorized software updates often act as transmitters for the Ransomware infection. In many cases, this malware may exploit system security holes, such as the absence of antivirus software or the presence of other active infections such as Trojan Horses, to sneak inside. It begins to infiltrate the data almost without any symptoms and reveals itself only after the encryption is completed, via a ransom note on the screen of the computer. Unlike some other pieces of malware that exploit, corrupt, or fully delete your data, Ransomware such as Nury and Nuis doesn’t do that. Such an infection won’t destroy your files, but it will prevent you from accessing them by encrypting them. All the information will remain on the computer, but you simply won’t be able to open or use it unless you apply a secret decryption key.

The Nury file decryption

The Nury file decryption is a method that allows users attacked by Nury to return their encrypted files to their previous state. The Nury file decryption process can begin only after the victims obtain and apply a special key that is held by the hackers behind the Ransomware.

Nury File

The crooks behind the Ransomware usually ask for huge amounts of money in order to send the victims the decryption key. They typically give a short deadline to transfer the required money and threaten to permanently destroy that key if the payment is not made on time. All these are common tactics that are used to scare the users and make them pay as fast as possible, without researching their alternatives.

Paying the ransom, however, only helps the crooks get rich and turn infections like Nury into a lucrative “business” scheme. Besides, there is no guarantee that the decryption key will actually be received and that it will work properly. At the same time, while the Ransomware is still on the computer, the machine is practically unusable for data creation and storage, and may also be vulnerable to other malicious programs. Therefore, before even trying to recover your files, you should focus on how to remove the infection.


Name: Nury
Type: Ransomware


Remove Nury Ransomware


To remove Nury, you may need to restart your computer several times during the steps below. Therefore, if you don’t want to lose this page with removal instructions, we recommend that you first bookmark it in your browser, or open it on another device where you can refer back to it.

Another important thing that you need to do to prepare your computer for the successful removal of the ransomware is to reboot the infected system in Safe Mode. For more details on that, please click on the link and follow the instructions shown there. Once you complete them, get back to this page and proceed to the actual removal steps below.




Ransomware infections like Nury can be very stealthy and hard to detect. Therefore, to deal with them, you need to carefully check your system for malicious processes that are secretly running in the background and stop them, if you find any.

The easiest way to do that is to press the CTRL, SHIFT and ESC keys together to open the Windows Task Manager. In it, click on the Processes tab and try to determine whether any of the processes are dangerous. In some cases, the ransomware may hide under a random name, or it may mimic a regular system process. In other cases, the malicious process may consume a lot of memory and CPU power, which may be a red flag for you.

However, since it can be really hard to determine if a given process is really dangerous just by looking at it, it is best to check its files with a professional scanner. For that, select the process that looks suspicious, right-click it and select Open File Location.


Then, check the files stored there with the free online virus scanner below:

    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    If the scanner shows that one or more files are part of the infection or have malicious code, the first thing that you need to do is end the processes related to them, and then delete the dangerous files.

    Note: You can use the scanner on this page to check every process that you believe is dangerous until you are sure there is nothing malicious that is secretly running on your computer.



    If you suspect that your computer has been hacked, we recommend that you do the following:

    Copy the line below, paste it in the Start menu search bar and then press Enter from the keyboard:

    notepad %windir%/system32/Drivers/etc/hosts

    When you do that, you should see a Notepad file named Hosts on your screen. If you are hacked, you will notice a number of suspicious IPs added below Localhost in the text.


    If the IPs you find look suspicious, please write to us in the comments with a copy of these IPs and we will check them out and let you know if you need to delete them.
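
The hosts-file review described above can also be scripted. The PowerShell below is an added example, not part of the original guide; `Get-HostsEntry` is a hypothetical helper, the sample lines are constructed, and a "default" entry is assumed to be a loopback address mapped only to `localhost`.

```powershell
# Added example. Get-HostsEntry is a hypothetical helper, not a built-in cmdlet.
function Get-HostsEntry {
    param([string[]]$Line)

    foreach ($raw in $Line) {
        # Everything after '#' is a comment; skip blank and comment-only lines
        $text = ("$raw" -split '#', 2)[0].Trim()
        if (-not $text) { continue }

        $fields = @($text -split '\s+')
        $names  = @($fields | Select-Object -Skip 1)
        $ip     = $null
        $isIp   = [System.Net.IPAddress]::TryParse($fields[0], [ref]$ip)

        # Assumption: a "default" entry maps a loopback address to localhost only
        $isDefault = $isIp -and [System.Net.IPAddress]::IsLoopback($ip) -and
            ($names.Count -gt 0) -and -not ($names | Where-Object { $_ -ne 'localhost' })

        [pscustomobject]@{
            Address   = $fields[0]
            HostNames = $names -join ', '
            ValidIp   = $isIp
            IsDefault = $isDefault
        }
    }
}

# Constructed sample lines (203.0.113.0/24 is a reserved documentation range)
$sample = @(
    '# localhost name resolution is handled within DNS itself.',
    '127.0.0.1       localhost',
    '::1             localhost',
    '203.0.113.10    portal.example.com   # constructed entry',
    '127.0.0.1       updates.example.net'
)
Get-HostsEntry -Line $sample | Where-Object { -not $_.IsDefault }

# The same review against the live file opened in the step above
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
Get-HostsEntry -Line (Get-Content -LiteralPath $hostsPath) | Where-Object { -not $_.IsDefault }
```

Entries that are not flagged as default are the ones to review; a non-default entry is not proof of infection, since administrators and some software add legitimate mappings.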

    Another place where you need to check for malicious entries related to Nury is the Startup tab in System Configuration. Sometimes, a ransomware like this one may add startup items in the list in order to ensure that it starts running as soon as the computer starts.

    To open System Configuration, type msconfig in the Start menu search bar and press Enter. Then, in the Startup tab, look for entries that look suspicious, have an “Unknown” manufacturer or odd names. If you believe that something is part of the infection, remove its checkmark to disable it. Then click OK to save the changes you have made.




    In this step, you need to search for ransomware traces in the registry of your computer and delete any malicious entries that are found. This, however, will require your full attention because if you are not careful and delete files and folders that are not related to Nury, you can seriously damage your system and the software installed on it.

    To avoid that risk, we recommend using a professional removal software, like the one that you can find on this page, or another trusted program specialized in malware-removal.

    If you still want to do it manually, then type Regedit in the Start menu search bar and press Enter.

    Next, when the Registry Editor opens on the screen, press CTRL and F at the same time and carefully write the ransomware’s name in the Find dialog box that pops up. Then, click on Find Next to search the registry and carefully delete the entries that are found matching that name.
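
For the Startup and registry checks above, the autostart entries can be listed for review instead of being searched for by name only. The PowerShell below is an added example, not part of the original guide; `Get-RunKeyEntry` is a hypothetical helper, and flagging commands that point into %AppData%, %LocalAppData%, %ProgramData% or %Temp% is a triage heuristic assumed here, not a Nury signature.

```powershell
# Added example. Get-RunKeyEntry is a hypothetical helper, not a built-in cmdlet.
function Get-RunKeyEntry {
    param([string]$NamePattern = 'nury')   # regular expression matched against name and command

    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Assumption: folders a standard user can write to deserve a closer look
    $writable = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP) |
        Where-Object { $_ }

    foreach ($path in $runKeys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }

        foreach ($valueName in $key.GetValueNames()) {
            # GetValue expands REG_EXPAND_SZ data, so %AppData% becomes a real path
            $command = [string]$key.GetValue($valueName)
            $inWritable = [bool]($writable | Where-Object {
                $command.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })

            [pscustomobject]@{
                Key            = $path
                Name           = $valueName
                Command        = $command
                InWritableDir  = $inWritable
                MatchesPattern = ($valueName -match $NamePattern) -or ($command -match $NamePattern)
            }
        }
    }
}

# Show every entry, with the ones that need review listed first
Get-RunKeyEntry | Sort-Object MatchesPattern, InWritableDir -Descending | Format-List
```

Legitimate programs also start from per-user folders, so `InWritableDir` marks an entry for a closer look (for example with the file scan from the earlier step) and is not a verdict.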

    After you are sure that you have cleaned the registry from any entries related to Nury, click on the Start menu button and type each of the lines below in the search bar one by one:

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    In each of the locations, check for folders and files that were created around the time the ransomware infection occurred, and if you detect anything suspicious, delete it. Again, be very careful not to delete anything else that is unrelated to the infection. When you open Temp, delete the entire content stored there to remove any temporary files that Nury might have created.
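
The search through the five locations above can be narrowed to files created around the time of the attack. The PowerShell below is an added example, not part of the original guide; `Get-FilesCreatedNear` is a hypothetical helper, the date in the call is constructed, and it assumes PowerShell 5 or later (for `-Depth`).

```powershell
# Added example. Get-FilesCreatedNear is a hypothetical helper, not a built-in cmdlet.
function Get-FilesCreatedNear {
    param(
        [Parameter(Mandatory)][datetime]$InfectionTime,  # your estimate of when the attack happened
        [int]$WindowHours = 12,                           # hours before and after that time
        [int]$Depth = 3                                   # keeps the %WinDir% walk manageable
    )
    $from  = $InfectionTime.AddHours(-$WindowHours)
    $to    = $InfectionTime.AddHours($WindowHours)
    $roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:windir, $env:TEMP) |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    $roots | ForEach-Object {
        # -Force includes hidden and system files; unreadable folders are skipped
        Get-ChildItem -LiteralPath $_ -File -Force -Recurse -Depth $Depth -ErrorAction SilentlyContinue
    } |
        Where-Object { $_.CreationTime -ge $from -and $_.CreationTime -le $to } |
        Sort-Object FullName -Unique |      # %Temp% usually sits inside %LocalAppData%
        Sort-Object CreationTime |
        ForEach-Object {
            # Signature status helps separate vendor binaries from unknown ones
            $signature = if ($_.Extension -in '.exe', '.dll') {
                (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            } else { 'n/a' }

            [pscustomobject]@{
                Created   = $_.CreationTime
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Signature = $signature
                Path      = $_.FullName
            }
        }
}

# Constructed example date; replace it with your own estimate
Get-FilesCreatedNear -InfectionTime '2024-01-15 14:30' -WindowHours 6 | Format-Table -AutoSize
```

The script only lists candidates and deletes nothing, so each path can be checked before it is removed.
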

    How to Decrypt Nury files!

    Make sure that you have removed the ransomware completely before you try any file-recovery methods. This is extremely important because if traces of Nury are still found on your computer, any file-backup sources that you connect to the infected system may also be encrypted. The same applies to the files that you manage to recover. Therefore, we highly recommend that you carefully scan your computer with a free malware scanner or a powerful anti-virus program, like the one on this page, and once you are sure there is no ransomware on it, you can proceed to decrypting your files.

    Depending on the specific ransomware variant that has infected your machine, recovering the files may require a different set of actions. To find out which variant of ransomware was used in your specific case, look at the file extension of the encrypted files.

    New Djvu Ransomware

    The most recent variant of the Djvu Ransomware family is known as STOP Djvu. This threat is gradually spreading around the globe, affecting an increasing number of people. You can distinguish this variant from others by looking for the .Nury extension at the end of the encrypted files.

    Once you have determined that STOP Djvu is the malware responsible for your encryption woes, you may use the decryption program at the URL provided below to try to restore your data. 

    To download the decryptor, go to the URL indicated in the link and click the Download button. In order to successfully decrypt the files, you must first run the decryptor as an administrator and then confirm your action by clicking the Yes button. You must then read the license agreement and the instructions for use before continuing. Simply choose the data you want to decrypt and click the Decrypt button. Files encrypted with unknown offline keys or files encrypted online may not be decipherable with this program.

    Please let us know in the comments if you have any more questions. You can also share with us how this Nury removal tutorial has served you.


    About the author


    Lidia Howler

    Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
