Threat description




Trojan:W32/NomadSnore is ransomware that encrypts files stored on the affected machine, then demands payment of a ransom in order to decrypt the files. It is notable for being the first ransomware to be written entirely in JavaScript.


  • In the %temp% folder, delete all folders with names similar to: nw[4 digit number]_[5 digit number].
  • In the %appdata% folder, delete all folders with the name "Chrome Browser".
  • In the Startup folder, delete the "ChromeService" shortcut.
  • Run a full system scan with your F-Secure security product to repair any remaining files.

Technical Details

Trojan:W32/NomadSnore is distributed as an auto-extracting WINRAR archive file that uses the extension ".scr". When launched, the contents of the NomadSnore archive file are unpacked by a WINRAR script into the %temp% folder.

During the unpacking, the WINRAR script also sets a value to allow one of the archive file components (misleadingly labelled 'chrome.exe') to run after extraction. This component is actually a JavaScript application (NW.js, previously known as node-webkit) that contains the malicious ransomware code and is able to independently run it. The use of JavaScript in this manner potentially allows NomadSnore to run not just on the Windows operating system, but also on Linux or MacOS X.

Once the ransomware code is run, it searches for and encrypts files of various file types (e.g. *.jpeg, *.doc. *.mp4 etc.) on the affected machine using AES-128 encryption, with CTR as block mode. It then displays an image on the desktop containing a ransom demand (payable in Bitcoins) in return for the decryption key needed to restore the affected files.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Scan & Clean Your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

More Info