Remove Nemucod-AES(ATTENTION!) Ransomware and Recover Files

This article will help you remove the latest Nemucod-AES ransomware variant and try to recover files that have been encrypted with the AES-128 cipher.

A new version of the Nemucod ransomware, called Nemucod-AES, has been reported in the wild, infecting unsuspecting victims. The ransomware uses the AES-128 encryption algorithm to make the files on an infected computer impossible to open. The virus then drops a ransom note and sets a lock screen, both stating that the only way to restore the encrypted files is to pay a ransom of 0.11 BTC. If you are one of the victims of Nemucod, we advise you to read this article instead of paying the ransom.

Threat Summary

Name: Nemucod-AES
Type: Ransomware, Cryptovirus
Short Description: The Nemucod ransomware infection aims to encrypt the files on the computers infected by it and then demand 0.11 BTC as a ransom payoff to get them restored.
Symptoms: A “Decrypt.txt” ransom note is dropped on the Desktop of the infected computer, accompanied by a white/red “ATTENTION!” lock screen.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

How Does Nemucod-AES Ransomware Infect

The infection method of Nemucod-AES ransomware does not differ much from that of about 80% of the ransomware out there. The first method it may use is to deliver malicious attachments in e-mails that pose as important invoices or other notifications. Once the victim is deceived into opening the attachment or the malicious web link, the computer immediately becomes infected. One example of such an e-mail carrying a malicious attachment can be seen below:

[Image: example spam e-mail carrying a malicious attachment]

Your computer could also become infected with Nemucod-AES through a fake update, fake patches, setups, game cracks or other types of files uploaded online.

Nemucod-AES – Analysis

The Nemucod-AES ransomware is characterized by the multiple malicious files it uses for infection. Some of the files pretend to be UPS delivery files and others are malicious documents with macros. In total, the files associated with this ransomware look something like the following:

  • {random name}.doc
  • {random name}.exe
  • Cab{random id}.tmp
  • Tar{random id}.tmp
  • UPS-Delivery-32823338.doc.js
  • UPS_Receipt-3883812.doc.js

Most of the files are dropped in the %Temp% Windows directory after an infection takes place. It is believed that they are downloaded from some of the malicious online locations to which the virus connects:

  • 217.26.160.15
  • 62.109.17.210
  • 77.222.61.227

Among the dropped files is the ransom note of the Nemucod-AES ransomware, named Decrypt.txt:

ATTENTION!
All your documents, photos, databases and other important personal files were encrypted using a combination of strong RSA-2048 and AES-128 algorithms.
The only way to restore your files is to buy decryptor. Please, follow these steps:
1. Create your Bitcoin wallet here:
xxxxs://blockchain.info/wallet/new
2. Buy 0.11471 bitcoins here:
https://localbitcoins.com/buy_bitcoins
3. Send 0.11471 bitcoins to this address:
{BTC address}
4. Open one of the following links in your browser:
{Moldovian and Russian Web Links}
5. Download and run decryptor to restore your files.
You can find this instruction in “DECRYPT” file on your desktop.
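
A small triage helper for the indicators listed in this section, as an added example that is not part of the original article or any vendor tool. The file names and addresses are the ones given above; the digit and id patterns, the wider double-extension rule, the confidence labels and the sample data are assumptions made for illustration.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# (label, confidence, pattern). Names come from the article's file list; the
# digit/id shapes and the wider double-extension rule are assumptions.
FILE_RULES = [
    ("ransom-note", "high", re.compile(r"^decrypt\.txt$", re.I)),
    ("ups-lure-script", "high",
     re.compile(r"^UPS[-_](Delivery|Receipt)-\d+\.doc\.js$", re.I)),
    ("double-extension-script", "medium",
     re.compile(r"\.(doc|docx|pdf|xls)\.(js|jse|wsf|vbs)$", re.I)),
    # Low: temp files of this shape also appear on clean Windows systems.
    ("cab-tar-temp", "low", re.compile(r"^(Cab|Tar)[0-9A-Za-z]+\.tmp$")),
]
# Download locations listed in the article.
DOWNLOAD_HOSTS = {ipaddress.ip_address(a) for a in
                  ("217.26.160.15", "62.109.17.210", "77.222.61.227")}
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def classify_file(path):
    """Return (label, confidence) for the first matching rule, else None."""
    name = PureWindowsPath(path).name
    for label, confidence, pattern in FILE_RULES:
        if pattern.search(name):
            return label, confidence
    return None

def is_listed(token):
    """True if token parses as an IPv4 address from the article's list."""
    try:
        return ipaddress.ip_address(token) in DOWNLOAD_HOSTS
    except ValueError:  # e.g. 999.1.1.1 is not a valid address
        return False

def flagged_connections(log_lines):
    """Return the log lines that mention one of the listed addresses."""
    return [l for l in log_lines if any(is_listed(t) for t in IPV4.findall(l))]

# Constructed sample data (not taken from a real host or firewall).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\UPS-Delivery-32823338.doc.js",
    r"C:\Users\alice\AppData\Local\Temp\Cab1A2B.tmp",
    r"C:\Users\alice\Desktop\Decrypt.txt",
    r"C:\Users\alice\Documents\report.doc",
]
SAMPLE_LOG = [
    "2017-07-12T09:14:02 ALLOW tcp 10.0.0.23:49712 -> 77.222.61.227:80",
    "2017-07-12T09:14:05 ALLOW tcp 10.0.0.23:49713 -> 192.0.2.10:443",
]
```

A low-confidence hit on its own is not evidence of infection; it becomes interesting only alongside a high-confidence hit or a flagged connection from the same host.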

Nemucod-AES Ransomware Encryption Process

Nemucod-AES makes files impossible to open by replacing blocks of data in the original file structure with encrypted data. This mode is known as ECB encryption mode, and it applies the AES algorithm with a strength of 128 bits. The virus attacks widely used file types, like the following:

→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source: fileinfo.com

After this, the files can no longer be opened and you are asked to pay the hefty ransom fee. Nemucod-AES does not add any file extension to the files it encrypts.
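
Because no extension marks the affected files, they have to be found by content. The sketch below is an added example, not code from the article or from any decryptor: it checks whether a file's first bytes still match its type, measures how random they look, and counts repeated 16-byte blocks, which ECB (the mode the article describes) leaves visible. The inspection window, the entropy threshold, the `toy_ecb` stand-in and all sample data are assumptions.

```python
import hashlib
import math
import os
from collections import Counter

# Leading bytes expected for a few of the file types the article lists.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-", ".jpg": b"\xff\xd8\xff",
         ".gif": b"GIF8", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}
WINDOW = 2048         # bytes inspected from the start of each file (assumed)
ENTROPY_LIMIT = 6.5   # bits per byte; assumed threshold for "looks random"

def shannon_entropy(data):
    """Bits per byte of the byte distribution in data (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def repeated_blocks(data, size=16):
    """Count 16-byte blocks that duplicate an earlier block. ECB maps equal
    plaintext blocks to equal ciphertext blocks, so repeats survive it."""
    blocks = [data[i:i + size] for i in range(0, len(data) - len(data) % size, size)]
    return len(blocks) - len(set(blocks))

def triage(name, head):
    """Return (verdict, repeated_block_count) from a name and its first bytes."""
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    head = head[:WINDOW]
    if magic is None:
        return "unknown-type", 0
    if head.startswith(magic):
        return "intact", 0
    looks_random = shannon_entropy(head) >= ENTROPY_LIMIT
    verdict = "likely-encrypted" if looks_random else "damaged-or-mislabelled"
    return verdict, repeated_blocks(head)

def toy_ecb(plaintext, key=b"constructed"):
    # Stand-in for AES-128-ECB, used only to build sample data: a keyed,
    # deterministic per-block mapping (not real AES, not reversible).
    return b"".join(hashlib.sha256(key + plaintext[i:i + 16]).digest()[:16]
                    for i in range(0, len(plaintext), 16))

# Constructed samples: one intact header and two "encrypted" ones.
PNG_PLAIN = (MAGIC[".png"] + bytes(range(256)) * 8)[:WINDOW]
SAMPLES = {
    "logo.png": PNG_PLAIN,
    "scan.png": toy_ecb(PNG_PLAIN),
    "photo.jpg": toy_ecb(b"".join(i.to_bytes(16, "big") for i in range(128))),
    "notes.txt": b"plain text",
}
```

Text formats without a fixed header come back as `unknown-type` and need a different check, such as comparing against a backup copy.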

Remove Nemucod-AES Ransomware and Restore Your Files

Before removing this ransomware infection from your computer, it is strongly advisable to back up your files, even though they are encrypted, because your system is at risk.

Then you can follow the removal instructions for Nemucod-AES ransomware to isolate the threat and remove it. However, since the virus creates multiple files, which may make manual deletion risky, experts recommend using ransomware-specific software to delete Nemucod ransomware automatically. Such an anti-malware program will also protect your system in the future.

If you want to restore the files encrypted by this virus, we suggest you try the alternative file recovery methods below in step “2. Restore files encrypted by Nemucod”. They are in no way a 100% solution for this virus, but may help you recover at least some of the encrypted files. You can also attempt to use the decryption instructions for the older version of Nemucod on this web link, but be advised to try them at your own risk and make copies of the files beforehand.


To remove Nemucod-AES follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Nemucod-AES files and objects
2. Find files created by Nemucod-AES on your PC

IMPORTANT!
Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Nemucod-AES

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
