Decrypt .crypted Files Encrypted by Nemucod Ransomware

NEMUCOD-RANSOMWARE-MAIN-DECRYPT-SENSORSTECHFORUMRansomware virus known as Nemucod was reported during April to infect multiple machines and stop defensive processes of Windows and security software on them to remain active on the infected computer. The virus also encrypts files with a very strong encryption algorithm demanding 200$ from users affected by it.

Fortunately, a free decrypter has been released and in this article, we aim to show you how to work with it to decode your files.

Nemucod Ransomware – More Information

When it was released, Nemucod was reported to take advantage of several methods to infect users. One of the methods reported was spammed e-mails containing attachments or malicious URLs. Another method of distributing this malware may be via social media spammed messages which include files or malicious links as well.

Nemucod was often confused with the legitimate program, dubbed Nemucod. This virus also uses remote locations to which it connects, allowing it to be controlled from there.

The program also may create multiple files in the %AppData% folder along with its main executable that conducts the encryption process.

It has been reported to possibly attack the following types of files and encipher them, making them no longer openable by any type of software:

→ docm, .docx, .dotm, .dotx, .gzip, .html, .index, .java, .jfif, .jpeg, .json, .litcofee, .pages, .php3, .php4, .php5, .7zip, .aspx, .bash, .bookmarks, .class, .config, .csproj, .phps, .phpt, .phtml, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .pptx, .prproj, .psm1, .resx, .scpt, .shtml, .sitx, .sldm, .sldx, .splus, .sqlite, .sqlite3, .swift, .tar.gz, .thmx, .tiff, .vcxproj, .xcodeproj, .xhtm, .xhtml, .xlsx, .zipx Source: Infected users

Nemucod Removal Instructions

Fortunately for us, Nemucod is easily decryptable. The only prerequisite for this is to have Nemucod removed from your computer. To do this, follow our removal instructions below:

Manually delete Nemucod from your computer

Note! Substantial notification about the Nemucod threat: Manual removal of Nemucod requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Nemucod files and objects
2. Find malicious files created by Nemucod on your PC
3. Fix registry entries created by Nemucod on your PC

Automatically remove Nemucod by downloading an advanced anti-malware program

1. Remove Nemucod with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Nemucod in the future

Nemucod Decryption Instructions

After you have removed Nemucod from your computer, all you need to do is get one original file and its encrypted version for the decryption to work. If you manage to do so, all you have to do to revert your files is follow these steps:

Step 1: Download Nemucod Decrypter by clicking on the button below:

Download

Nemucod Decrypter

Step 2: Save the Nemucod file somewhere where you can easily find it and open it.

1-nemucod-decrypter-save-sensorstechforum

Step 3: Open the location of Nemucod decrypter after which leave the original and decrypted copies of the files next to it, just like the image shows:

2-nemucod-decrypter-sensorstechforum

N.B.: If you do not have the original version of your encrypted file, you can try getting the default image files in the %Sample Images% folder of Windows. They are usually the same for every Windows PC and you can get the encrypted image from your computer after which get the decrypted image from the infected computer. The default location of the images is the following:

→ C:\Users\Public\Pictures

Step 4: The decryption process. It is very simple. All that you have to do now is mark the encrypted and original files and drag them over the decrypter. This will find the decryption key for files encrypted by Nemucod:

2 i 1-nemucod-key-found-sensorstechforum

Step 5: There is a probability that this key may be the wrong one. This is why you should try to decrypt a couple of files with this key. Click on OK and you will see the main interface of EmsiSoft’s Nemucod decrypter:

3-nemucod-main-ninterface-sensorstechforum

Step 6: From there, click on Add File(s) so that you can be able to add files to the list for decryption.

3-nemucod-main-ninterface-sensorstechforum

Step 7: Click on the Decrypt button like shown on the picture below:

6-nemucod-decrypt-files-sensorstechforum

If the files have been decryption you will see this in the live feed of the decryptor, like shown below:

4-decrypted-files-nemucod-sensorstechfrum

Nemucod Decryption – Conclusion

It is very fortunate that a decryptor has been released for this virus since a lot of ransomware viruses that have started infecting users years ago have not yet been decrypted. Military algorithms are the root reason for this and nowadays staying protected is important because not getting infected is way better than being lucky that there is a decrypter for your files.

This is why we advise you to follow these security tips to strengthen your protection from ransomware viruses like Nemucod:

Advice 1: Make sure to read our general protection tips and try to make them your habit and educated others to do so as well.
Advice 2: Install an advanced anti-malware program that has an often updated real-time shield definitions and ransomware protection.

Advice 3: Seek out and download specific anti-ransomware software which is reliable.

Advice 4: Backup your files using one of the methods in this article.

Advice 5: : Make sure to use a secure web browser while surfing the world wide web.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

  • Antonio Ramos Arroyo

    Problemas con ramsonware .crypted
    Por mas que he intentado descifrar no hay manera, siempre me dice que los archivos son diferentes, he probado con mas de 20 archivos y estoy desesperado, necesito abrir una base de datos unicamente, el resto del disco duro me da igual

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.