{
	"id": "97b04043-40bd-4d7f-96c8-e9acd397d6c3",
	"created_at": "2026-04-06T00:10:26.70675Z",
	"updated_at": "2026-04-10T03:21:57.779321Z",
	"deleted_at": null,
	"sha1_hash": "7ae4e3899d6ecb7765d1a2433becaec8dcb268dc",
	"title": "Nibiru ransomware variant decryptor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 117675,
	"plain_text": "Nibiru ransomware variant decryptor\r\nBy William Largent\r\nPublished: 2020-11-17 · Archived: 2026-04-05 19:17:38 UTC\r\nTuesday, November 17, 2020 13:56\r\nWeak encryption\r\nThe Nibiru ransomware is a .NET-based malware family. It traverses directories\r\non the local disks, encrypts files with Rijndael-256 and gives them a .Nibiru extension. Rijndael-256 is a secure encryption algorithm. However, Nibiru uses a hard-coded string \"Nibiru\" to\r\ncompute the 32-byte key and 16-byte IV values. The decryptor program leverages this weakness\r\nto decrypt files encrypted by this variant.\r\nRansomware\r\nNibiru ransomware is a poorly executed ransomware variant. It traverses\r\ndirectories and encrypts files with Rijndael-256. The files are given an extension, .Nibiru, after\r\nencryption. The ransomware targets numerous common file extensions but skips critical\r\ndirectories like Program Files, Windows and System Volume Information.\r\nExtensions targeted by Nibiru:\r\n.doc, .docx, .xls, .xlsx, .ppt, .pptx, .jpg, .jpeg, .png, .psd, .txt, .zip, .rar, .html, .php, .asp, .aspx, .mp4, .avi, .3gp,\r\n.wmv, .MOV, .mp3, .wav, .flac, .wma, .mov, .raw, .apk, .encrypt, .crypted, .ahok, .cs, .vb.\r\nYou can download the decryptor over at the Talos GitHub.\r\nExample hash:\r\ne0a681902f4f331582670e535a7d1eb3d6eff18d3fbed3ffd2433f898219576f\r\n\r\nSource: https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html"
	],
	"report_names": [
		"Nibiru-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434226,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ae4e3899d6ecb7765d1a2433becaec8dcb268dc.pdf",
		"text": "https://archive.orkl.eu/7ae4e3899d6ecb7765d1a2433becaec8dcb268dc.txt",
		"img": "https://archive.orkl.eu/7ae4e3899d6ecb7765d1a2433becaec8dcb268dc.jpg"
	}
}