Trojan:W32/NomadSnore

Classification

Category: Malware

Type: Trojan

Aliases: Trojan:W32/NomadSnore.A, Trojan:W32/NomadSnore.B, Ransom32

Summary


Trojan:W32/NomadSnore is ransomware that encrypts files stored on the affected machine, then demands payment of a ransom in order to decrypt the files. It is notable for being the first ransomware to be written entirely in JavaScript.

Removal


  • In the %temp% folder, delete all folders with names similar to: nw[4 digit number]_[5 digit number].
  • In the %appdata% folder, delete all folders with the name "Chrome Browser".
  • In the Startup folder, delete the "ChromeService" shortcut.
  • Run a full system scan with your F-Secure security product to repair any remaining files.
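
The first three removal steps can be checked with a report-only sweep before anything is deleted. The script below is an added example, not F-Secure's tooling; the function names, the loosened digit counts in the folder pattern, the top-level-only search and the `.lnk` extension are assumptions.

```python
import os
import re
from pathlib import Path

# Folder name pattern from the removal steps: nw[4 digits]_[5 digits].
# The page says "similar to", so the digit counts are loosened (assumption).
NW_DIR = re.compile(r"^nw\d{3,6}_\d{3,6}$")


def _children(root):
    """Return the entries of root, or nothing if it is missing or unreadable."""
    try:
        return list(Path(root).iterdir())
    except OSError:
        return []


def find_artifacts(temp_dir, appdata_dir, startup_dir):
    """Report (never delete) top-level paths matching the three removal steps."""
    hits = []
    # Step 1: unpack folders in %temp%.
    hits += [("temp-unpack-dir", p) for p in _children(temp_dir)
             if p.is_dir() and NW_DIR.match(p.name)]
    # Step 2: folders named "Chrome Browser" in %appdata%.
    hits += [("appdata-dir", p) for p in _children(appdata_dir)
             if p.is_dir() and p.name.lower() == "chrome browser"]
    # Step 3: the "ChromeService" shortcut (a .lnk extension is assumed).
    hits += [("startup-shortcut", p) for p in _children(startup_dir)
             if p.is_file() and p.stem.lower() == "chromeservice"]
    return sorted(hits, key=lambda h: str(h[1]))


def default_dirs():
    """Current user's %temp%, %appdata% and per-user Startup folder (Windows)."""
    appdata = Path(os.environ["APPDATA"])
    startup = appdata / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"
    return Path(os.environ["TEMP"]), appdata, startup


if __name__ == "__main__":
    if "APPDATA" not in os.environ or "TEMP" not in os.environ:
        raise SystemExit("Run on Windows as the affected user.")
    for kind, path in find_artifacts(*default_dirs()):
        print(f"{kind}\t{path}")
```

Review each reported path before deleting it, then continue with the full system scan.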

Technical Details


Trojan:W32/NomadSnore is distributed as a self-extracting WinRAR archive file that uses the extension ".scr". When launched, the contents of the NomadSnore archive file are unpacked by a WinRAR script into the %temp% folder.

During the unpacking, the WinRAR script also sets a value to allow one of the archive file components (misleadingly labelled 'chrome.exe') to run after extraction. This component is actually a JavaScript application (NW.js, previously known as node-webkit) that contains the malicious ransomware code and is able to run it independently. The use of JavaScript in this manner potentially allows NomadSnore to run not just on the Windows operating system, but also on Linux or Mac OS X.

Once the ransomware code is run, it searches for and encrypts files of various file types (e.g. *.jpeg, *.doc, *.mp4 etc.) on the affected machine using AES-128 encryption in CTR mode. It then displays an image on the desktop containing a ransom demand (payable in Bitcoins) in return for the decryption key needed to restore the affected files.
