Remove Nemucod-AES(ATTENTION!) Ransomware and Recover Files


This article was created to help you remove the latest Nemucod-AES ransomware variant and try to recover the files it has encrypted with the AES-128 cipher.

A new version of the Nemucod ransomware, called Nemucod-AES, has been reported in the wild infecting unsuspecting victims. It uses the AES-128 encryption algorithm to render the files on an infected computer unopenable, then drops a ransom note and sets a lock screen, both stating that the only way to restore the files is to pay a ransom of roughly 0.11 BTC (the note itself asks for 0.11471 BTC). If you are one of the victims of Nemucod-AES, we advise you to read this article instead of paying the ransom.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on the infected computer and demands roughly 0.11 BTC in ransom to restore them.
Symptoms: A “Decrypt.txt” ransom note is dropped on the Desktop of the infected computer, accompanied by a white/red “ATTENTION!” lock screen.
Distribution Method: Spam e-mails, e-mail attachments, executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only a few of them, depending on the situation and on whether you have reformatted the drive.

How Does Nemucod-AES Ransomware Infect

The infection method of Nemucod-AES does not differ much from that of most ransomware out there. The first method it may use is a malicious attachment inside an e-mail that poses as an important invoice or other notification. Once the victim is deceived into opening the attachment or the malicious web link, the computer is infected. One example of such an e-mail carrying a malicious attachment can be seen below:

Other ways your computer could become a victim of Nemucod-AES are fake updates, fake patches, setup programs, game cracks or other types of files uploaded online.

Nemucod-AES – Analysis

Nemucod-AES drops multiple malicious files during an infection. Some pose as UPS delivery documents and others as documents carrying malicious macros. Note the double extension on the UPS lures: a file named UPS-Delivery-32823338.doc.js is not a Word document but a JScript file, which Windows Script Host (wscript.exe) runs when it is double-clicked; with Explorer's default setting of hiding known file extensions, the name is displayed as UPS-Delivery-32823338.doc. In total, the files associated with this ransomware look somewhat like the following:

  • {random name}.doc
  • {random name}.exe
  • Cab{random id}.tmp
  • Tar{random id}.tmp
  • UPS-Delivery-32823338.doc.js
  • UPS_Receipt-3883812.doc.js

Most of these files are dropped in the %Temp% Windows directory after an infection takes place; they are believed to be downloaded from malicious online locations to which the virus connects. Two cautions for anyone hunting for these names: the {random name}.doc and {random name}.exe entries cannot be searched for as such, and Cab{random id}.tmp / Tar{random id}.tmp files are also written to %Temp% by legitimate Windows components such as Windows Update, so on their own they are weak indicators and should be tied to the UPS lure scripts or to the ransom note before being treated as evidence of infection.
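As an added example (not code from the original article, and not the malware's own code), here is a small Go triage tool that walks %Temp% (or a directory given on the command line) and flags file names matching the shapes listed above, plus the more general pattern of a document-looking extension followed by a script or executable extension. The regular expressions for Cab{random id}.tmp and Tar{random id}.tmp assume the id is alphanumeric, which is my reading of the placeholder rather than something the article states; because those two names are also produced by legitimate Windows components, they are labelled "(weak)" so they can be weighted accordingly.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// iocPatterns are the dropped-file names listed above, as case-insensitive
// regular expressions over the base name. The {random id} placeholders are
// assumed to be alphanumeric (an assumption, not something the article states).
// Cab*.tmp and Tar*.tmp are also written to %Temp% by legitimate Windows
// components, so they get their own "(weak)" labels and must not be treated as
// proof of infection on their own.
var iocPatterns = map[string]*regexp.Regexp{
	"cab-tmp (weak)": regexp.MustCompile(`(?i)^Cab[0-9A-Za-z]+\.tmp$`),
	"tar-tmp (weak)": regexp.MustCompile(`(?i)^Tar[0-9A-Za-z]+\.tmp$`),
	"ups-js-lure":    regexp.MustCompile(`(?i)^UPS[-_](Delivery|Receipt)-\d+\.doc\.js$`),
}

// execExts are extensions Windows runs as code when double-clicked (Windows
// Script Host for the script types); docExts are extensions a user reads as
// "a document". A name ending in a doc extension followed by an exec extension,
// e.g. Invoice.doc.js, is a script dressed up as a document; with Explorer's
// default "hide known extensions" setting it is displayed as Invoice.doc.
var execExts = map[string]bool{".js": true, ".jse": true, ".vbs": true, ".vbe": true, ".wsf": true, ".hta": true, ".exe": true, ".scr": true}
var docExts = map[string]bool{".doc": true, ".docx": true, ".xls": true, ".xlsx": true, ".pdf": true, ".txt": true, ".jpg": true, ".png": true}

// classify returns a label and true if the base name is suspicious, "" and false otherwise.
func classify(name string) (string, bool) {
	for label, re := range iocPatterns {
		if re.MatchString(name) {
			return label, true
		}
	}
	lower := strings.ToLower(name)
	last := filepath.Ext(lower)
	if execExts[last] && docExts[filepath.Ext(strings.TrimSuffix(lower, last))] {
		return "double-extension", true
	}
	return "", false
}

// scan walks root and returns path -> label for every flagged file.
func scan(root string) (map[string]string, error) {
	hits := make(map[string]string)
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			if path == root {
				return err // root itself unreadable or missing: report it
			}
			return nil // skip unreadable entries but keep walking
		}
		if d.IsDir() {
			return nil
		}
		if label, ok := classify(d.Name()); ok {
			hits[path] = label
		}
		return nil
	})
	return hits, err
}

func main() {
	root := os.Getenv("TEMP") // %Temp%, where the analysis says the files land
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	if root == "" {
		root = os.TempDir()
	}
	hits, err := scan(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	for path, label := range hits {
		fmt.Printf("%-16s %s\n", label, path)
	}
	fmt.Printf("%d suspicious file(s) under %s\n", len(hits), root)
}
```

Run it as `go run scan.go` on the infected machine, or point it at a mounted image of the victim's %Temp% with `go run scan.go /mnt/victim/Users/x/AppData/Local/Temp`. A "double-extension" hit is worth looking at regardless of name, since that trick is not specific to this campaign.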


Among the dropped files is the ransom note of the Nemucod-AES ransomware, named Decrypt.txt:

All your documents, photos, databases and other important personal files were encrypted using a combination of strong RSA-2048 and AES-128 algorithms.
The only way to restore your files is to buy decryptor. Please, follow these steps:
1. Create your Bitcoin wallet here:
2. Buy 0.11471 bitcoins here:
3. Send 0.11471 bitcoins to this address:
{BTC address}
4. Open one of the following links in your browser:
{Moldovian and Russian Web Links}
5. Download and run decryptor to restore your files.
You can find this instruction in “DECRYPT” file on your desktop.

Nemucod-AES Ransomware Encryption Process

Nemucod-AES renders files unopenable by overwriting their contents block by block with ciphertext produced by AES with a 128-bit key. According to this analysis the cipher is run in ECB (Electronic Codebook) mode, in which every 16-byte block of the file is encrypted independently with the same key, with no IV and no chaining between blocks. Two consequences matter to a responder: identical plaintext blocks always produce identical ciphertext blocks, so repeated structure in the original file (zeroed regions, padding, repeated records) survives as repeated blocks in the encrypted file, which is a usable heuristic for telling ECB output from properly encrypted data; and whatever the ransom note claims about RSA-2048, the per-file encryption observed here is symmetric AES-128, so the RSA claim can at most describe how the key is protected, and this analysis does not verify it. The virus attacks widely used file types, like the following:


After this, the files can no longer be opened and you are demanded to pay the ransom. Nemucod-AES does not add any file extension to the encrypted files, so they keep their original names and are recognizable only by the fact that they no longer open or, on inspection, by their contents.
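To make the ECB point concrete, here is an added Go example (not code from the article and not the malware's code; Go's standard library provides AES and CBC, and ECB is assembled by hand from the block cipher because the library deliberately omits it). It encrypts a constructed 1 KiB "document" made of a 16-byte header and 63 identical zero blocks with a constructed key, once in AES-128-ECB and once in AES-128-CBC, and counts repeated 16-byte ciphertext blocks. The duplicateBlocks function is the same check you can run over a suspect encrypted file: a large count means block-independent encryption of structured data, while a count of zero over a few kilobytes is consistent with a chained or randomized mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// ecbEncrypt encrypts data (length must be a multiple of aes.BlockSize) with
// AES in ECB mode: every 16-byte block is encrypted independently with the same
// key and no IV, which is exactly what leaks plaintext structure.
func ecbEncrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	if len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("data length %d is not a multiple of %d", len(data), aes.BlockSize)
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
	}
	return out, nil
}

// cbcEncrypt encrypts the same data with AES-128-CBC under a random IV, XORing
// each plaintext block with the previous ciphertext block, so identical
// plaintext blocks no longer yield identical ciphertext. IV is prepended.
func cbcEncrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("data length %d is not a multiple of %d", len(data), aes.BlockSize)
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
	return append(iv, out...), nil
}

// duplicateBlocks counts 16-byte blocks of buf that repeat a block seen earlier.
// For random-looking data of a few kilobytes this is 0; a high count is the
// classic fingerprint of ECB mode applied to structured plaintext.
func duplicateBlocks(buf []byte) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+aes.BlockSize <= len(buf); i += aes.BlockSize {
		k := string(buf[i : i+aes.BlockSize])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

// samplePlaintext is a constructed stand-in for a document: a 16-byte header
// followed by 63 identical zero blocks, the kind of repetition real formats
// carry in padding, zeroed tables or uniform image areas. Total: 64 blocks, 1 KiB.
func samplePlaintext() []byte {
	header := []byte("DOC-HEADER-v1.0!") // exactly 16 bytes
	record := bytes.Repeat([]byte{0x00}, aes.BlockSize)
	return append(header, bytes.Repeat(record, 63)...)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key, not the malware's
	pt := samplePlaintext()
	ecb, _ := ecbEncrypt(key, pt)
	cbc, _ := cbcEncrypt(key, pt)
	fmt.Printf("plaintext duplicate blocks:   %d\n", duplicateBlocks(pt))
	fmt.Printf("AES-128-ECB duplicate blocks: %d (blocks 2 and 3: %s %s)\n",
		duplicateBlocks(ecb), hex.EncodeToString(ecb[16:32]), hex.EncodeToString(ecb[32:48]))
	fmt.Printf("AES-128-CBC duplicate blocks: %d\n", duplicateBlocks(cbc))
}
```

Under ECB the 62 repeated plaintext blocks come out as 62 repeated ciphertext blocks (and blocks 2 and 3 print identically), under CBC none do; the encrypted file still cannot be read without the key, but the ECB output tells an analyst where the original file's uniform regions were, and any two victims' files encrypted under the same key with the same content produce the same ciphertext.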

Remove Nemucod-AES Ransomware and Restore Your Files

Before removing this ransomware infection from your computer, it is strongly advisable to back up your files, even though they are encrypted: removal tools and system cleanups can delete or alter them, and a decryptor released later can only work on intact encrypted copies.

Then you can follow the removal instructions for Nemucod-AES below in order to isolate the threat and remove it. However, since the virus creates multiple files, which makes manual deletion risky, experts recommend using ransomware-specific software to delete Nemucod automatically. Such an anti-malware program will also protect your system in the future.

If you want to restore the files encrypted by this virus, try the alternative file-recovery methods below in step “2. Restore files encrypted by Nemucod”. They are in no way a 100% solution, but may help you recover at least some of the encrypted files. You can also attempt the decryption instructions for the older version of Nemucod on this web link, but try them at your own risk and make copies of the files beforehand.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
