Remove Nemesis Ransomware and Restore Encrypted Files -Update 2017

This article aims to inform you about Nemesis ransomware, help you remove it, and show you how to try to get your encrypted files back.

When it comes to ransomware viruses like Nemesis that focus on attacking servers, the stakes become higher. This particular virus aims to encrypt the files on the compromised servers and computers. What is unusual about Nemesis is that it demands approximately 10 BTC from users to get all the data on their devices decrypted. Since the ransom amount is insanely high, researchers advise not paying a dime to the cyber-criminals. Instead, the recommendation is to focus on removing the malware yourself and getting the files back using alternative methods. Keep reading this article to learn how to get rid of Nemesis properly and try to recover the lost data.

Threat Summary

Name: Nemesis
Type: Ransomware
Short Description: The malware encrypts users' files using a strong encryption algorithm, so direct decryption is possible only with a unique decryption key held by the cyber-criminals.
Symptoms: The user may see ransom notes and "instructions" linking to a web page and a decryptor. File names are changed and a random file extension carrying a unique ID is appended.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript, or a drive-by download of the malware itself in obfuscated form.
Detection Tool: See if your system has been affected by Nemesis (download a malware removal tool).
User Experience: Join our forum to discuss Nemesis.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only some of them, depending on the situation and whether you have reformatted your drive.

Update November 2017! Nemesis ransomware is believed to be a variant of the CryptON ransomware family, which is decryptable. One possible, though not certain, way to try to decrypt the files is to first remove this virus, make copies of the encrypted files, and then attempt to decrypt those copies using Emsisoft's CryptON Decrypter. It is preferable to download the anti-malware tool mentioned above first, to make sure the ransomware does not encrypt your files again after decryption.

Nemesis Ransomware – How Does It Perform an Attack

For the virus to attack someone, it may use deceptive tactics. One of those tactics is phishing e-mail. Most phishing e-mails are crafted to appear to come from companies like FedEx, Amazon or some other big, widely known company or organization. The primary distribution of Nemesis, if conducted via e-mail spam, may use two types of infection objects:

  • A malicious web link with embedded script.
  • A malicious e-mail attachment.

Cyber-criminals may combine multiple infection approaches this way:

  • Use of malicious JavaScript.
  • Infection via malicious macros.
  • Leading users to Dropbox or another legitimate online file-sharing website on which the malicious Nemesis infection file is hosted.

The spam messages may take different forms, but all of them aim to deceive the victim into opening the malicious object and hence becoming infected.

After the victim opens the malicious file, infection is inevitable and Nemesis ransomware may drop multiple malicious files on the compromised computer. The files of Nemesis ransomware may be located in the following Windows server folders:

%AppData%
%Windows%
%LocalLow%
%Local%
%Roaming%

However, the case of Nemesis may be different. Since the malware demands approximately $9000 as a ransom payoff to unlock the files, the cyber-criminals may also have directly targeted the organizations they are aiming at. This means that phishing e-mails may be sent as if from inside the organization and may include more detailed information, such as employee names, phone numbers, addresses and other data, to increase the likelihood of the victim opening the virus.

What is more, other malware, such as Trojans or even worms, may be used to spread the virus not only to servers like the ones Nemesis encrypts, but to all computers in the organization.

Nemesis Ransomware – Malicious Activity

The activity of Nemesis ransomware may be composed of multiple different modifications on the servers attacked by the virus. The malware may begin to modify the Windows Registry entries of the servers which can allow it to:

  • Change the wallpaper.
  • Run files on system startup.
  • Lock the screen.
  • Display ransom notes on system start up.

In addition to this activity, the Nemesis virus may also tamper with crucial Windows server processes and modify policies on the server, but its primary purpose is to encrypt files on the servers.

Nemesis Ransomware – Encryption Process

Among the encrypted files by Nemesis ransomware may be the following:

“.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV
CAD Files: .DWG .DXF
GIS Files: .GPX .KML .KMZ
.ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
Encoded Files: .HQX .MIM .UUE
.7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
Audio Files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
Video Files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
3D: .3DM .3DS .MAX .OBJ
.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”
Source: fileinfo.com

After the encryption process has completed, Nemesis ransomware may rename each file, appending an extension that contains a unique ID number together with a further expansion of four a-z/0-9 symbols.
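As an added triage example that is not part of the original article: the script below scans a directory listing for file names that match a Nemesis-style rename, recovers the original name, the victim ID and the 4-symbol suffix, and counts how many files carry each ID. The article gives no sample file name, so the exact layout (original name, then a dot, the ID, then a dot and the 4-symbol suffix), the ID alphabet and the sample paths and ID are assumptions; adjust the pattern to a real sample from the affected host. It also shows the failure mode of a loose pattern: a versioned name such as photo.2019-01.jpeg matches until the victim ID is pinned.

```python
import re
from collections import Counter

# Assumed rename layout: <original name>.<victim id>.<4 symbols from a-z0-9>.
# The article only says the extension carries a unique ID plus a 4-symbol
# expansion, so the separator and the ID alphabet are assumptions.
NEMESIS_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.(?P<victim_id>[0-9A-Za-z_-]{6,})\.(?P<suffix>[a-z0-9]{4})$"
)

# Constructed directory listing; the ID and the paths are invented for this example.
SAMPLE_LISTING = [
    r"C:\Shares\Finance\budget.xlsx.id-7A3F19C2.k4x9",
    r"C:\Shares\Finance\invoices.pdf.id-7A3F19C2.k4x9",
    r"C:\Shares\HR\staff.docx.id-7A3F19C2.k4x9",
    r"C:\Shares\HR\README.txt",
    r"C:\Shares\IT\backup.tar.gz",
    r"C:\Windows\System32\kernel32.dll",
]


def classify(path, known_id=None):
    # Return the parsed parts of a Nemesis-style name, or None if the file
    # does not look renamed (or carries a different ID when one is pinned).
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = NEMESIS_NAME_RE.match(name)
    if not m:
        return None
    if known_id is not None and m.group("victim_id") != known_id:
        return None
    return m.groupdict()


def triage(paths, known_id=None):
    # Return (hits, id_counts): hits are (path, original name, id, suffix)
    # tuples; id_counts shows which victim ID dominates across the share.
    hits = []
    for p in paths:
        info = classify(p, known_id)
        if info:
            hits.append((p, info["original"], info["victim_id"], info["suffix"]))
    return hits, Counter(h[2] for h in hits)


def dominant_id(id_counts):
    # The ID seen most often; None when nothing matched.
    return id_counts.most_common(1)[0][0] if id_counts else None


if __name__ == "__main__":
    hits, id_counts = triage(SAMPLE_LISTING)
    print(f"{len(hits)} renamed files, victim ID {dominant_id(id_counts)}")
    # Second pass with the ID pinned: versioned names such as photo.2019-01.jpeg
    # match the loose pattern but not the pinned one.
    extra = SAMPLE_LISTING + [r"C:\Shares\photo.2019-01.jpeg"]
    pinned, _ = triage(extra, known_id=dominant_id(id_counts))
    print(f"{len(pinned)} hits after pinning the ID")
```

Run the loose pass first to learn the victim ID from the bulk of the renamed files, then rerun with known_id set so that ordinary dotted file names are not mistaken for encrypted ones. The original name recovered by the pattern is what a decryptor or a backup restore should produce, so keeping the (path, original name) pairs is useful when checking that recovery actually worked.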

After this has happened, the virus drops its ransom note, which asks victims to contact the cyber-criminals via BitMessage:

“ALL YOUR IMPORTANT FILES ARE ENCRYPTED
Your documents, photos, databases and other important files have been encrypted! To decrypt your files you need to buy the special software – <> To obtain decryptor, please, contact me by email: [email protected]
Write me in online: https://bitmsg.me
Address: {BITCOIN ADDRESS}”

One way to contact them is by visiting one of the Nemesis virus's many TOR-based web pages, which require your unique infection ID to log in:

Once logged in, victims see a form of chat with the cyber-crooks, where further demands are made. Usually the ransom amount depends on the organization attacked. Some server administrators have reported it to be approximately 1 BTC, while others report less.

Remove Nemesis Ransomware and Try Restoring Your Data

If you have been affected by this ransomware, the last thing ransomware researchers advise is paying the ransom. Cyber-criminals cannot be trusted to give your files back even if you pay, so we recommend against it. Instead, we advise you to focus on removing Nemesis Ransomware completely, using advanced anti-malware software, and then trying to restore your files, preferably by following the alternative methods in the removal instructions below.

Manually delete Nemesis from your computer

Note! Important notice about the Nemesis threat: manual removal of Nemesis requires interfering with system files and the registry, and can therefore cause damage to your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Nemesis files and objects
2. Find malicious files created by Nemesis on your PC

Automatically remove Nemesis by downloading an advanced anti-malware program

1. Remove Nemesis with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Nemesis
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
