Remove Nemesis Ransomware and Restore Encrypted Files (2018)


This article aims to inform readers about Nemesis ransomware, help them remove it and try to get encrypted files back.

When ransomware viruses like Nemesis focus on attacking servers, the stakes become higher. This particular virus aims to encrypt the files on the compromised servers and computers. What is unusual about Nemesis is that it demands approximately 10 BTC from users to get all the data on their devices decrypted. However, since the ransom amount is insanely high, researchers advise not paying a dime to cyber-criminals. Instead, the recommendation is to focus on removing the malware yourself and getting the files back using alternative methods. Keep reading this article to learn how to get rid of Nemesis properly and try to recover missing data.

Threat Summary



Short Description: The malware encrypts users' files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms: The user may see ransom notes and “instructions” linking to a web page and a decryptor. File names are changed and a random file extension containing a unique ID is used.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool: See If Your System Has Been Affected by Nemesis (Malware Removal Tool)
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Update November 2017! Nemesis ransomware is believed to be a variant of the CryptON ransomware viruses, which are decryptable. One possible, though not certain, way to try to decrypt the files is to first remove this virus and then attempt to decrypt copies of the files using Emsisoft’s CryptON Decrypter. It is preferred that you download the anti-malware tool mentioned above, to make sure the ransomware does not encrypt your files again after decryption.

Nemesis Ransomware – How Does It Perform an Attack

To attack someone, the virus may use deceptive tactics. One of those tactics is phishing e-mails. Most phishing e-mails are crafted to appear to come from companies like FedEx, Amazon or some other big and widely known company or organization. The primary distribution of Nemesis, if conducted via e-mail spam, may include two types of infection objects:

  • A malicious web link with embedded script.
  • A malicious e-mail attachment.

Cyber-criminals may take advantage of multiple infection approaches in this way:

  • Use of malicious JavaScript.
  • Infection via malicious macros.
  • Infecting users by making them visit Dropbox or another legitimate online file-sharing website, where the malicious infection file of Nemesis ransomware may be hosted.

The spam messages may have different forms and they all aim to deceive the victim into opening the malicious object and hence becoming infected.

After the victim opens the malicious file, infection is inevitable and Nemesis ransomware may drop multiple malicious files on the compromised computer. The files of Nemesis ransomware may be located in the following Windows server folders:


However, the case of Nemesis may be different. Since the malware wants approximately $9000 as a ransom payoff to unlock the files, the cyber-criminals may have also directly targeted the organizations they are aiming at. This means that phishing e-mails may be sent from inside the organization and may include more detailed information, such as employee names, phone numbers, addresses and other data, to increase the likelihood of the victim opening the virus.

And what is more, other malware may be used, such as Trojans or even Worms that may spread the virus not only to servers, like the ones Nemesis encrypts, but to all computers of the organization.

Nemesis Ransomware – Malicious Activity

The activity of Nemesis ransomware may be composed of multiple different modifications on the servers attacked by the virus. The malware may begin to modify the Windows Registry entries of the servers which can allow it to:

  • Change the wallpaper.
  • Run files on system startup.
  • Lock the screen.
  • Display ransom notes on system start up.

In addition to this activity, the Nemesis virus may also tamper with crucial Windows server processes and modify policies on the server, but its primary purpose is to encrypt files on the servers.
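For a responder checking a server for the registry changes listed above, the following read-only PowerShell audit is an added example, not part of the original article. The registry locations are standard Windows ones for each behaviour and are assumptions: the article does not state which keys Nemesis writes.

```powershell
# Added example: read-only audit, nothing is modified.
# Key locations are assumptions (standard Windows settings for each
# behaviour), not confirmed Nemesis indicators. HKCU covers only the
# account running the script.
$cv = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$checks = @(
    @{ Behaviour = 'Run files on startup';   Path = "HKLM:\$cv\Run" }
    @{ Behaviour = 'Run files on startup';   Path = "HKLM:\$cv\RunOnce" }
    @{ Behaviour = 'Run files on startup';   Path = "HKCU:\$cv\Run" }
    @{ Behaviour = 'Run files on startup';   Path = "HKCU:\$cv\RunOnce" }
    @{ Behaviour = 'Change the wallpaper';   Path = 'HKCU:\Control Panel\Desktop'
       Names = @('Wallpaper') }
    @{ Behaviour = 'Change the wallpaper';   Path = "HKCU:\$cv\Policies\System"
       Names = @('Wallpaper') }
    @{ Behaviour = 'Ransom note at startup'; Path = "HKLM:\$cv\Policies\System"
       Names = @('legalnoticecaption', 'legalnoticetext') }
    @{ Behaviour = 'Lock the screen'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Names = @('Shell', 'Userinit') }
)

$findings = foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) { continue }
    $key = Get-Item -LiteralPath $c.Path
    # No Names given means "report every value under the key" (autorun keys).
    $names = if ($c.Names) { $c.Names } else { $key.GetValueNames() }
    foreach ($n in $names) {
        $value = $key.GetValue($n)
        if ($null -eq $value -or "$value" -eq '') { continue }
        [pscustomobject]@{
            Behaviour = $c.Behaviour
            Key       = $c.Path
            Name      = $n
            Value     = $value
        }
    }
}

# Review against a known-good baseline: on a clean system Winlogon Shell is
# normally explorer.exe and Userinit points to userinit.exe in System32.
$findings | Sort-Object Behaviour, Key | Format-Table -AutoSize -Wrap
```

Run it from an account whose profile was active during the incident, and compare the output with the same report from an unaffected server of the same build.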

Nemesis Ransomware – Encryption Process

Among the encrypted files by Nemesis ransomware may be the following:


After Nemesis ransomware has completed the encryption process, the virus may set a file extension with a unique ID number and a file expansion containing 4 a-z 0-9 symbols, as the image below displays:

After this has happened, the virus drops its ransom note, which asks victims to contact the cyber-criminals via BitMessage:

Your documents, photos, databases and other important files have been encrypted! To decrypt your files you need to buy the special software – <> To obtain decryptor, please, contact me by email: [email protected]
Write me in online:

One way to contact them is by visiting one of the Nemesis virus’ many TOR-based web pages, which require your unique infection ID to log in:

Once logged in, the victims can see a form of chat with the cyber-crooks where they make further demands. Usually the ransom fee amount depends on the organization attacked. Some server administrators have complained that it is approximately 1 BTC, while for others it is less.

Remove Nemesis Ransomware and Try Restoring Your Data

If you have been affected by this ransomware, the last thing ransomware researchers advise is paying the ransom. Cyber-criminals cannot be trusted to return your files even if you pay, so we recommend not doing so. Instead, we advise you to focus on removing Nemesis ransomware completely using advanced anti-malware software and on trying to restore your files, preferably by following the alternative methods in the removal instructions below.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for the discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in the basic education of every user towards online safety.
