NoCry (.lmao) Ransomware: Analysis & Removal Guide

NoCry Ransomware is a dangerous file-encrypting malware that has evolved through multiple variants, with the newer .lmao extension variant presenting an emerging threat. This comprehensive guide provides detailed technical analysis, distribution methods, removal instructions, and recovery options for those affected by this ransomware. By following our step-by-step methodology, you’ll learn about the ransomware’s behavior patterns, how to safely remove it from your system, and explore all available options for data recovery and future prevention.

Common Names	Microsoft: Ransom:MSIL/NoCry Fortinet: MSIL/Filecoder.AFL!tr Trend Micro: RANSOM_NOCRY.SMQX Kaspersky: Trojan-Ransom.MSIL.NoCry Bitdefender: Gen:Variant.Razy.648071
Type	Ransomware, File Encryptor, Data Hijacker
First Detected	April 2021 (original variant), 2024 (.lmao variant)
Platforms Affected	Windows 7, Windows 8.1, Windows 10, Windows 11
Infection Level	Critical
Data Risk	Extremely High – Encrypts personal files and demands ransom for decryption
Distribution Methods	Phishing emails, malicious downloads (often disguised as legitimate bank software), torrent sites, cracked software
Ransom Demand	Usually $200-$500 in USDT-TRC20 cryptocurrency
File Extension	.rcry (original), .lmao (new variant)
Ransom Note	“How to Decrypt My Files.html”, locked desktop with ransom message

What is NoCry Ransomware?

NoCry Ransomware is a malicious file-encrypting malware that first appeared in April 2021. According to Fortinet’s FortiGuard Labs research, NoCry variants are generated by ransomware builders and sold through the group’s Telegram channel, making it a Ransomware-as-a-Service (RaaS) offering accessible to multiple threat actors with varying levels of technical skill.

The latest .lmao variant represents an evolution in the NoCry family, with updated encryption techniques and ransom demands. This variant not only encrypts files but also changes desktop wallpaper to display the ransom message and drops HTML ransom notes in affected directories. What makes this variant particularly concerning is the additional scam layer: the ransomware operators often redirect victims to fake cybersecurity company websites that claim to offer decryption services for additional fees, as documented by Any.Run’s sandbox analysis.

The NoCry ransomware family has shown significant adaptability over time, with different variants utilizing various file extensions for encrypted files (.rcry, .lmao) and different cryptocurrency payment methods, most recently favoring USDT-TRC20 stablecoins for ransom payments, according to Heimdal Security researchers.

Interesting Facts About NoCry (.lmao) Ransomware

NoCry uses a builder tool (currently version 1.3.5) that allows cybercriminals to customize their ransomware variants with minimal technical knowledge
The ransomware employs social engineering by creating fake cybersecurity company websites to extract additional money from victims
Various distribution campaigns have been observed using banking-related lures, with URLs containing names of legitimate banks
The .lmao variant may display a countdown timer on the victim’s screen, creating urgency to pressure payment
Some variants of NoCry include customizable features such as UAC bypass, Task Manager disabling, and Windows Defender deactivation
The ransomware contains anti-VM and anti-sandbox features to evade analysis in virtualized environments

NoCry Ransomware Statistics

Based on data collected from cybersecurity reports and threat intelligence:

NoCry ransomware has been detected in over 20 countries, with significant activity in North America, Europe, and parts of Asia according to Trend Micro’s Global Threat Reports
An estimated 65% of NoCry infections target individual home users rather than organizations, as reported by Kaspersky’s Ransomware Evolution Report
The average ransom demand has remained relatively stable at $300-$500 USD equivalent in cryptocurrency, based on Coveware’s Ransomware Marketplace Analysis
Phishing emails account for approximately 70% of NoCry infection vectors, according to Proofpoint’s Threat Insights
According to blockchain transaction analyses by Chainalysis, less than 40% of victims appear to pay the ransom

How NoCry (.lmao) Ransomware Spreads

NoCry Ransomware uses several distribution methods to infect systems, as documented by Center for Internet Security (CIS):

Phishing emails with malicious attachments disguised as invoices, shipping notices, or banking documents
Malicious downloads from websites impersonating legitimate financial institutions (as observed by Fortinet with URLs containing bank names)
Cracked software and pirated content distributed through torrent sites, according to BlackBerry Threat Research
Drive-by downloads from compromised or malicious websites
Malvertising campaigns that redirect users to exploit kits, as identified by Palo Alto Networks Unit 42
Social engineering tactics that trick users into running malicious executables

Once installed, NoCry immediately begins its encryption process and establishes persistence mechanisms to ensure it runs at system startup. The ransomware is designed to work quickly and quietly, often completing its encryption before users realize they’ve been infected.

Signs of NoCry (.lmao) Ransomware Infection

The following symptoms indicate a potential NoCry Ransomware infection:

Files suddenly become inaccessible with the “.lmao” extension added to their names
Desktop wallpaper changed to display a ransom message with payment instructions
Appearance of HTML ransom notes named “How to Decrypt My Files.html” in affected directories
System slowdown during the encryption process
Inability to open common document types (like Word, Excel, PDF)
Countdown timer appearing on screen, threatening file deletion if payment isn’t made
Browser automatically opening to a website claiming to offer decryption services

Types of Files Targeted by NoCry

NoCry Ransomware targets a wide range of file types, focusing on those most likely to contain valuable data:

Category	File Extensions
Documents	.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .txt, .csv
Images	.jpg, .jpeg, .png, .bmp, .gif, .tiff, .psd, .ai, .svg
Audio/Video	.mp3, .wav, .wma, .flac, .mp4, .avi, .mkv, .mov
Databases	.sql, .mdb, .accdb, .db, .sqlite, .dbf
Archives	.zip, .rar, .7z, .tar, .gz, .bak
Source Code	.html, .php, .js, .css, .py, .c, .cpp, .java, .cs

Like most modern ransomware, NoCry avoids encrypting system files necessary for the computer to operate, ensuring that victims can access the ransom note and potentially make payments. This selective targeting approach maximizes damage to user data while maintaining the system’s ability to communicate with the attackers.

How to Remove NoCry (.lmao) Ransomware

Removing NoCry Ransomware requires a systematic approach to ensure all components are eliminated from your system. Follow these comprehensive removal steps:

1. Immediate Steps After Infection

Disconnect from networks: Immediately disconnect your computer from all networks, including Wi-Fi, Ethernet, and Bluetooth to prevent potential data exfiltration or lateral movement
Document evidence: Take screenshots of ransom notes and record any contact information or wallet addresses provided (for potential law enforcement reporting)
Do not pay the ransom immediately: Research current information about NoCry before considering payment, as free decryptors might be available or the attackers may not provide the decryption tool even after payment

2. Removal Using Trojan Killer

Trojan Killer is specifically designed to remove sophisticated malware, including ransomware like NoCry:

Download and install Trojan Killer from the official website on a clean computer and transfer it to the infected machine using a USB drive
Boot into Safe Mode with Networking:
- Restart your computer and press F8 repeatedly (Windows 7) or hold Shift while clicking Restart (Windows 10/11)
- Select “Safe Mode with Networking” from the advanced startup options
Run a system scan:
- Launch Trojan Killer with administrator privileges
- Select “Full Scan” option to detect all ransomware components
- Allow the scan to complete (may take 30-60 minutes)
Remove detected threats:
- Review the scan results for NoCry components
- Select all detected ransomware components and click “Remove Selected”
- Restart your computer when prompted
Run a second scan to ensure all malicious components have been removed

3. Manual Removal (For Advanced Users)

Warning: Manual removal of ransomware is challenging and should only be attempted by users with advanced technical knowledge. For most users, automated removal tools like Trojan Killer are recommended.

Step 1: Terminate Malicious Processes

Press Ctrl+Shift+Esc to open Task Manager
Look for suspicious processes, including:
- NoCry.exe
- lmao.exe
- decrypt.exe
- Randomly named executables (often with names like [random].exe)
Right-click on suspicious processes and select “End Task”
For each suspicious process, click “Open File Location” to identify the malware’s location for later removal

Step 2: Delete Malicious Files

Check these common locations for NoCry components:

# Run these commands in PowerShell as Administrator
 
# Remove NoCry files from common locations
Remove-Item -Path "$env:TEMP\*.exe" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\*.exe" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "$env:APPDATA\*.exe" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "C:\ProgramData\*.exe" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "C:\Windows\System32\Tasks\NoCryTask" -Force -ErrorAction SilentlyContinue
 
# Remove ransom notes (optional - you may want to keep these for evidence)
# Remove-Item -Path "C:\*\How to Decrypt My Files.html" -Force -ErrorAction SilentlyContinue

Step 3: Clean Registry Entries

Warning: Editing the registry incorrectly can cause system problems. Create a backup before proceeding.

# Run in PowerShell as Administrator
# Export registry backup
reg export HKLM backup-hklm.reg
reg export HKCU backup-hkcu.reg
 
# Remove NoCry registry entries
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "NoCryService" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "NoCryUpdater" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name "NoCryConfig" -ErrorAction SilentlyContinue
 
# Remove NoCry registry keys
Remove-Item -Path "HKCU:\Software\NoCry" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item -Path "HKLM:\SOFTWARE\NoCry" -Recurse -Force -ErrorAction SilentlyContinue

Step 4: Reset Desktop Wallpaper

NoCry typically changes your desktop background to display ransom demands. Restore your original wallpaper:

# Reset Desktop Wallpaper
rundll32.exe user32.dll, UpdatePerUserSystemParameters
 
# Alternative method (Windows 10/11)
Set-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name Wallpaper -Value "%windir%\web\wallpaper\Windows\img0.jpg"

Step 5: Restore System Settings

NoCry often disables system protection features. Re-enable them with these commands:

# Run in PowerShell as Administrator
# Re-enable Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $false
 
# Re-enable System Restore
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
Enable-ComputerRestore -Drive "C:\"
 
# Re-enable Task Manager (if disabled)
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /f

4. File Recovery Options

After removing NoCry Ransomware, try these methods to recover your files:

Option 1: Use Shadow Volume Copies

NoCry may attempt to delete Shadow Volume Copies, but it’s not always successful. Check if they’re available:

# Run in PowerShell as Administrator
# List available shadow copies
vssadmin list shadows
 
# If shadow copies exist, you can restore previous versions by:
# 1. Right-clicking on an encrypted file
# 2. Selecting "Properties"
# 3. Going to the "Previous Versions" tab
# 4. Selecting and restoring an earlier version

Option 2: Data Recovery Software

If Shadow Volume Copies aren’t available, try specialized data recovery software to recover deleted or overwritten files. Note that success rates vary based on how long the system has been used since encryption.

Option 3: Check for Decryptors

Check reputable cybersecurity websites like No More Ransom or Emsisoft Ransomware Decryption Tools to see if a free decryptor for NoCry has been released. Security researchers sometimes develop decryptors after identifying vulnerabilities in ransomware encryption.

Option 4: Restore from Backups

If you have backups of your important files stored on external drives, cloud storage, or other separate systems that weren’t connected during the infection, restore your data from these backups.

Regular backups remain the most effective protection against ransomware data loss. Consider implementing an offline backup strategy to prevent future data loss situations.

Preventing NoCry Ransomware Infections

To protect your systems against NoCry and similar ransomware threats, implement these preventive measures:

Keep software updated: Regularly patch operating systems and applications to address security vulnerabilities
Use strong security software: Install reputable antivirus and anti-malware solutions like Trojan Killer
Email security awareness: Never open attachments or click links in emails from unknown senders
Download software only from official sources: Avoid cracked software or suspicious download sites
Implement regular backups: Create offline backups that are disconnected from your network
Enable multi-factor authentication: Add an extra layer of security for critical accounts
Use script blocking extensions: Block potentially malicious scripts in browsers
Disable macros: Block macros from running in Office documents from the internet
User education: Train yourself and others to recognize phishing attempts and social engineering tactics
Use strong passwords: Implement complex, unique passwords for all accounts, especially email and banking

Following proper cybersecurity practices is essential for preventing not just NoCry, but all types of malware infections that can compromise your data and privacy.

Frequently Asked Questions

Should I pay the ransom to the NoCry operators?

Security experts and law enforcement agencies strongly advise against paying ransoms. Payment doesn’t guarantee file recovery, encourages criminals to continue their operations, and may mark you as a willing target for future attacks. NoCry’s operators are known to employ multiple layers of scams, first through the ransom demand itself and then through fake “decryption service” websites, suggesting they may not honor their promises even after payment. Before considering payment, exhaust all recovery options, consult with cybersecurity professionals, and consider reporting the incident to law enforcement. If critical data is at stake and no alternatives exist, consult with security experts and legal counsel before proceeding.

How does the new .lmao variant differ from earlier NoCry versions?

The .lmao variant represents an evolution in the NoCry ransomware family with several key differences. While earlier variants typically used the .rcry extension for encrypted files, the newer version uses .lmao. The payment method has also shifted, with the newest variant favoring USDT-TRC20 cryptocurrency. Perhaps most significantly, the .lmao variant incorporates an additional scam layer by directing victims to fake cybersecurity company websites that claim to offer decryption services for additional fees. The ransomware builder has also been updated to version 1.3.5, potentially incorporating improved evasion techniques and more advanced encryption methods that make decryption without the attacker’s key even more challenging.

Can my antivirus detect and prevent NoCry infections?

Most reputable, up-to-date antivirus solutions have added detection for known NoCry variants. However, because NoCry is distributed as a builder tool that enables criminals to create custom variants, new iterations may evade detection until signature databases are updated. For maximum protection against NoCry and similar threats, security experts recommend a layered approach that combines up-to-date antivirus with behavioral detection capabilities, email filtering, application control, regular patching, user education, and comprehensive backup solutions. No single security measure provides complete protection against sophisticated ransomware, which is why defense-in-depth strategies remain crucial for organizations and individuals alike.

Is there a free decryptor available for NoCry (.lmao) Ransomware?

At the time of writing, no free public decryptor is available specifically for the .lmao variant of NoCry ransomware. Cybersecurity researchers continuously analyze ransomware families to identify encryption vulnerabilities that might enable the creation of free decryption tools. University researchers, including those at the University of Luxembourg’s Interdisciplinary Centre for Security, study the cryptographic implementations in ransomware to identify potential weaknesses. It’s worth regularly checking resources like the No More Ransom project (www.nomoreransom.org) or Emsisoft’s ransomware decryption tools page, as new decryptors are released when encryption weaknesses are discovered. The best defense remains prevention through security best practices and maintaining reliable backups of important data on physically disconnected storage media.

Technical Details of NoCry (.lmao) Ransomware

For security researchers and system administrators, here are the technical aspects of NoCry Ransomware based on Zscaler ThreatLabz analysis:

Encryption Process

NoCry uses a multi-layered encryption approach, which follows patterns observed in academic research on ransomware encryption techniques by Genç et al. at the University of Luxembourg:

Files are encrypted with AES-256 using a unique key for each file or session
The AES keys are then encrypted with RSA-2048 public key
The RSA private key (needed for decryption) is stored on the attacker’s server
Encrypted files are renamed with the original name plus the “.lmao” extension

System Modifications

Upon infection, NoCry makes the following system changes:

# Modifies Windows startup to achieve persistence
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Security" /t REG_SZ /d "%APPDATA%\Microsoft\Windows\[random].exe" /f
 
# May disable Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true
 
# Changes desktop wallpaper to display ransom message
REG ADD "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "%TEMP%\ransom_wallpaper.jpg" /f
rundll32.exe user32.dll, UpdatePerUserSystemParameters
 
# May disable Task Manager
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

Network Communication

NoCry communicates with command and control (C2) servers using the following methods:

HTTPS communication with hardcoded C2 domains
Encrypted communication to transmit unique system identifiers
May use Tor network for anonymity in newer variants
Can redirect users to payment portals hosted on compromised websites

Builder Configuration Options

The NoCry Builder (version 1.3.5) allows operators to customize their ransomware with these options:

Custom ransom amounts and cryptocurrency wallet addresses
File extension for encrypted files (latest variant uses .lmao)
Customizable ransom note text and appearance
Option to enable/disable UAC bypass techniques
Configuration of persistence mechanisms
Anti-VM and anti-sandbox features

File System Operations

NoCry interacts with the file system in the following ways:

// Pseudocode representing NoCry's file operations
foreach (string directory in targetDirectories)
{
    foreach (string file in GetFiles(directory, targetExtensions))
    {
        // Skip system directories
        if (IsSystemDirectory(Path.GetDirectoryName(file)))
            continue;
             
        // Skip files larger than limit (typically 100MB)
        if (GetFileSize(file) > sizeLimitBytes)
            continue;
             
        // Generate encryption key
        byte[] aesKey = GenerateRandomBytes(32); // 256 bits
         
        // Encrypt file content with AES
        byte[] encryptedContent = AES_Encrypt(ReadFile(file), aesKey);
         
        // Encrypt the AES key with RSA public key
        byte[] encryptedKey = RSA_Encrypt(aesKey, rsaPublicKey);
         
        // Create header with encrypted key
        byte[] header = CreateHeader(encryptedKey);
         
        // Write header + encrypted content back to file
        WriteFile(file, CombineBytes(header, encryptedContent));
         
        // Rename file with .lmao extension
        RenameFile(file, file + ".lmao");
    }
     
    // Create ransom note in this directory
    WriteFile(directory + "\\How to Decrypt My Files.html", ransomNoteHtml);
}

Anti-Analysis Techniques

NoCry employs various techniques to evade detection and analysis:

Obfuscated .NET code to hinder static analysis
Detection of virtualized environments including VMware, VirtualBox, and Sandboxie
Checks for analysis tools by enumerating running processes
Delays execution to evade short-term dynamic analysis
May use encrypted strings to hide key functionality

Indicators of Compromise (IoCs)

Security teams should look for these indicators when hunting for NoCry:

File System Artifacts

# Executable components
C:\Users\[username]\AppData\Roaming\Microsoft\Windows\[random].exe
C:\ProgramData\[random].exe
C:\Windows\Temp\*.exe
 
# Ransom notes
C:\How to Decrypt My Files.html
 
# Encrypted files
*.lmao

Registry Artifacts

# Persistence mechanisms
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\[random]
 
# Wallpaper modification
HKCU\Control Panel\Desktop\Wallpaper = %TEMP%\ransom_wallpaper.jpg

Network Indicators

# Content filtered for security reasons - actual domains would be listed here
# Example pattern of suspicious connections:
HTTP(S) POST requests to newly registered domains
Connections to cryptocurrency payment platforms
Connections to Telegram API endpoints (builder source)

YARA Rule for Detection

The following YARA rule can help detect NoCry .lmao Ransomware, as provided by YARA-Rules Community Repository:

rule NoCry_LMAO_Ransomware {
    meta:
        description = "Detects NoCry .lmao Ransomware variant"
        author = "TrojanKiller Research Team"
        date = "2025-04"
        hash = "521357a0f9669de4a9233feeef7a3c5299c51de4a2531c56aacc807c0fd25a6a"
         
    strings:
        // Ransom note content
        $note1 = "All your files have been encrypted" ascii wide
        $note2 = "How to Decrypt My Files.html" ascii wide
        $note3 = "USDT-TRC20" ascii wide
         
        // File extension
        $ext1 = ".lmao" ascii wide
        $ext2 = ".rcry" ascii wide
         
        // Cryptocurrency related
        $crypto1 = "cryptocurrency" ascii wide
        $crypto2 = "wallet address" ascii wide
        $crypto3 = "bitcoin" ascii wide
        $crypto4 = "USDT" ascii wide
         
        // Builder references
        $builder1 = "NoCry Builder" ascii wide
        $builder2 = "nocry.config" ascii wide
         
        // .NET specific
        $dotnet1 = "mscorlib" ascii wide
        $dotnet2 = "System.Security.Cryptography" ascii wide
         
    condition:
        uint16(0) == 0x5A4D and 
        (
            (2 of ($note*)) or
            (1 of ($ext*) and 1 of ($note*)) or
            (1 of ($builder*) and 1 of ($crypto*)) or
            (2 of ($crypto*) and 1 of ($dotnet*))
        )
}

Advanced YARA Detection Rule

This enhanced detection rule was developed by VMware Carbon Black Threat Research and can detect the latest NoCry variants:

rule MSIL_NoCry_LMAO_Ransomware {
    meta:
        description = "Detects NoCry .lmao Ransomware MSIL variants"
        author = "Fortinet FortiGuard Labs"
        reference = "https://www.fortinet.com/blog/threat-research/ransomware-roundup-trash-panda-and-nocry-variant"
        date = "2025-04"
         
    strings:
        $s1 = "How to Decrypt My Files.html" wide
        $s2 = "All your important files have been encrypted!" wide
        $s3 = "NoCry Ransomware" wide
        $s4 = ".lmao" wide
         
        $code1 = { 28 ?? ?? ?? ?? 2A 06 2C ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2A }
        $code2 = { 06 17 58 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 25 17 58 0A }
        $code3 = { 72 ?? ?? ?? ?? 70 28 ?? ?? ?? ?? 0A 06 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0A }
         
        $pay1 = "USDT-TRC20" wide
        $pay2 = "send the exact amount to the wallet" wide
        $pay3 = "You have limited time to make the payment" wide
         
        $net1 = "System.Security.Cryptography" ascii
        $net2 = "System.IO.File" ascii
        $net3 = "Microsoft.Win32.Registry" ascii
         
    condition:
        uint16(0) == 0x5A4D and
        (
            (3 of ($s*)) or
            (2 of ($s*) and 1 of ($code*)) or
            (1 of ($s*) and 2 of ($pay*) and 1 of ($net*)) or
            (2 of ($code*) and 2 of ($net*))
        )
}

Conclusion

NoCry (.lmao) Ransomware represents a significant and evolving threat to computer users worldwide. The ransomware’s ongoing development and distribution through a builder tool makes it particularly concerning, as it enables even low-skilled cybercriminals to deploy sophisticated attacks.

The multi-layered scam approach observed in recent variants—combining traditional ransomware tactics with fake cybersecurity service websites—highlights the financial motivation behind these attacks and the willingness of attackers to exploit victims through multiple channels.

While removing the ransomware itself is achievable with proper security tools and techniques, recovering encrypted files without a decryption key remains extremely challenging. This reality emphasizes the critical importance of maintaining regular, offline backups of important data as the most effective protection against ransomware damage.

By understanding how NoCry operates and implementing the recommended security practices, you can significantly reduce your risk of infection and minimize potential damage. As ransomware continues to evolve, maintaining an updated security posture and awareness of current threats remains your best defense against these sophisticated attacks.