National Security Bureau Ransomware

What is National Security Bureau Ransomware?

National Security Bureau Ransomware is a variant of the infamous VirLock Ransomware, which is a true pioneer in the world of ransom-demanding infections. According to the researchers at, this malware might be one of the first ransomware threats to ever emerge, and its creators keep releasing new successfully propagated variants. Although the different versions of this malware have more similarities than differences, differences do exist, and they are discussed further in this report. Needless to say, our goal is to inform you and help you remove National Security Bureau Ransomware, and so if this malware got into your operating system, you want to continue reading. If your operating system is currently malware-free, we suggest reading to learn how to protect yourself against the invasion of malware in the future. Also, note that the comments section is open, and you can add all questions about how to delete the infection and protect your operating system in the future.test

How does National Security Bureau Ransomware work?

Spam emails, fake keygens, malicious downloaders, and unauthorized remote access are among many security backdoors that the creator of National Security Bureau Ransomware can use to propagate the malicious infection successfully. If it manages to slither in, it does that silently, which means that you are unlikely to stop it in time. If the ransomware gets in successfully, it quickly creates copy files to ensure that the attack continues even if the original .exe file is removed. The three copies, according to our research, are created in unique folders with random names. These are found in %ALLUSERSPROFILE% and %USERPROFILE% directories. The names of the copies are random too. National Security Bureau Ransomware also adds registries to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN. This is nothing new as that is how the original VirLock Ransomware operates as well. Even the unique extension appended to the corrupted files stays the same – “.exe”. You will find it attached to the names of your photos, videos, documents, and other sensitive and personal files. Hopefully, backup copies exist.

There are a few things that are unique about National Security Bureau Ransomware. For one, the ransom note looks different. It is represented via a window entitled “Unauthorized or pirated software has been detected.” Unlike more recent infections that do not hide the activity of cyber criminals, this malware tries to hide behind the credentials of FBI, the Department of Justice, the IPR Center, Homeland Security, and Office of Criminal Investigations. The message informs that if you received the warning, you are accused of copyright infringement, due to which you face up to five years of prison and a fine of $250,000. The accusations are serious, and some victims of National Security Bureau Ransomware are bound to fall for the scam. The goal is to trick victims into paying a ransom of $250 in Bitcoins to a Bitcoin Wallet whose address is 17Zuj1SV7g2ooyPTKP1h1mws4neduoNqGU. If you believe that law enforcement agencies would ever use anonymous crypto-currency to collect fines, you are mistaken. This is what gives the scam away. It is worth mentioning that both the Bitcoin wallet address and the sum could be adjusted randomly. Needless to say, instead of focusing on the payment of the ransom, you need to be focusing on the removal of the infection. Unfortunately, you cannot restore files by deleting the malicious ransomware.

How to remove National Security Bureau Ransomware

The malicious National Security Bureau Ransomware locks the screen and disables the Task Manager to make it impossible for you to access the operating system, check the corrupted files, and, of course, perform the removal of malicious components. That does not mean that there’s nothing you can do. First and foremost, you MUST delete National Security Bureau Ransomware from your operating system, and there cannot be any questions on whether or not you should do it. The only thing you must think about is how you can achieve success. We advise implementing anti-malware software, and you can do that only if you reboot the system to Safe Mode with Networking. You can learn how to do it using the instructions available below. If you want to eliminate the infection manually, you can use the added instructions that show how to delete the ransomware after booting to Safe Mode.

Removal Instructions

Reboot Windows XP/Windows 7/Windows Vista

  1. Restart the PC and wait for BIOS screen to load.
  2. Immediately start tapping F8 to access the boot menu (repeat if that does not work the first time).
  3. Use arrow keys to choose Safe Mode/Safe Mode with Networking.
  4. Tap Enter, allow the system to boot, and then erase ransomware.

Reboot Windows 8/ Windows 8.1/Windows 10

  1. Restart the PC and wait for BIOS screen to load.
  2. Immediately start tapping F8 to access the boot menu (repeat if that does not work the first time).
  3. Select See advanced repair options.
  4. Move to the Troubleshoot menu and then select Advanced options.
  5. Click Startup Settings and then click Restart.
  6. When the boot menu opens, select Safe Mode/Safe Mode with Networking.
  7. Allow the system to boot, and then erase ransomware.

N.B. If you cannot reboot the system using the F8 key on Windows 10, you should try force restarting the computer 3 times in a row. This should automatically launch the Startup Repair window. Select Advanced options and then follow the process starting with step 4.

Remove ransomware components

  1. Simultaneously tap Win+E to launch Windows Explorer.
  2. Show hidden files.
  • Windows 7:
  1. Select Organize on the top-left corner of the page.
  2. Select Folder and search options.
  3. Click the View tab, select Show hidden files, folders, and drives, and then click Apply.
  • Windows 8 and Windows 10:
  1. Click the View tab at the top.
  2. Select Options and click Change folder and search options.
  3. Click the View tab, select Show hidden files, folders, and drives, and then click Apply.
  1. Enter %USERPROFILE% into the bar at the top.
  2. Find a [random name] folder and Delete it if it contains a malicious [random name].exe.
  3. Enter %ALLUSERSPROFILE% into the bar at the top.
  4. Find two [random name] folders and Delete them if they contain two malicious [random name].exe files.
  5. Tap Win+R to launch RUN.
  6. Enter regedit.exe into the dialog box and click OK to launch Registry Editor.
  7. Move to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
  8. Delete the [random name].exe value whose value data points to the .exe file in %USERPROFILE%.
  9. Move to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
  10. Delete the [random name].exe value whose value data points to the .exe file in %ALLUSERSPROFILE%.
  11. Exit Registry Editor and then Empty Recycle Bin.
  12. Perform a full system scan using a malware scanner to make sure you do not overlook leftovers. 100% FREE spyware scan and
    tested removal of National Security Bureau Ransomware*

Stop these National Security Bureau Ransomware Processes:


Leave a Comment

Enter the numbers in the box to the right *