Remove Nemucod Ransomware and Restore .Crypted Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Nemucod Ransomware and Restore .Crypted Encrypted Files

A new JavaScript-based ransomware has been reported to infect users globally. This crypto malware is particularly devastating because it uses a very strong cipher to encrypt the files of affected users, making them practically impossible to decrypt directly even with a very powerful system. Nemucod also demands a ransom payment in BTC from affected users, equal to approximately 200 USD. The good news is that Emsisoft researchers have released a decryptor, and we strongly advise following the step-by-step removal instructions below to remove Nemucod ransomware and unlock your files.

Name: Nemucod
Type: Ransomware
Short Description: Encrypts user files and asks around 0.5 BTC for decryption.
Symptoms: The user may find a file "DECRYPT.txt" on the desktop, and the ransom message opens in a text document every time Windows starts.
Distribution Method: Via malicious URLs or e-mail attachments.

Nemucod Ransomware – Distribution

To infect computers, Nemucod may use spam e-mails that either redirect users to a website which automatically downloads and executes a file carrying the malicious payload, or carry an infected e-mail attachment. Here is an example of such a spam e-mail:

[Image: example of a Nemucod spam e-mail]

The infected attachments are usually Microsoft Office documents or Adobe Reader .PDF files carrying malicious macros. As soon as the macro has been enabled, Nemucod may execute a malicious script that drops its payload.

Nemucod Ransomware In Detail

Symantec researchers report that, once activated on the computer, the malicious JavaScript may drop the following Nemucod modules in several key Windows locations:

In %Temp%:
  a0.exe
  a1.exe
  a2.exe
  a.txt
On the %Desktop% of the user's profile:
  DECRYPT.txt

Nemucod ransomware may also create registry entries so that the malicious executables run every time Windows boots. The reported keys are the following:

In HKEY_CLASSES_ROOT:
  Crypted\shell\open\command\"(Default)"=notepad.exe "%Temp%\a.txt"
  .crypted\"(Default)"=Crypted
In HKEY_CURRENT_USER:
  SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Crypted"=%Temp%\a.txt

These keys are specifically created to run the ransom note (“a.txt”) every time Windows starts.
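The file and registry indicators listed above can be checked on a suspect machine without modifying anything. The following read-only triage script is an added example, not code from the article or from Symantec; it looks only for the paths and keys named in this report, so a clean result does not rule out a different variant.

```powershell
# Added example: read-only triage for the Nemucod indicators named in this report.
# Run as the affected user, since %Temp%, the Desktop and HKCU are per-user.
$findings = @()

# 1. Dropped files in %Temp% and the ransom note on the Desktop
$temp    = [Environment]::GetEnvironmentVariable('TEMP')
$desktop = [Environment]::GetFolderPath('Desktop')
$files = @('a0.exe', 'a1.exe', 'a2.exe', 'a.txt' | ForEach-Object { Join-Path $temp $_ })
$files += Join-Path $desktop 'DECRYPT.txt'
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $findings += [pscustomobject]@{ Indicator = 'File'; Location = $f;
                                        Value = "$($item.Length) bytes, modified $($item.LastWriteTime)" }
    }
}

# 2. Persistence: Run value "Crypted" pointing at the ransom note
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'Crypted' -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{ Indicator = 'Registry'; Location = "$runKey\Crypted"; Value = $run.Crypted }
}

# 3. File-type hijack: .crypted -> Crypted -> notepad.exe "%Temp%\a.txt"
if (-not (Test-Path 'HKCR:')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
foreach ($k in 'HKCR:\.crypted', 'HKCR:\Crypted\shell\open\command') {
    $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($v) {
        $findings += [pscustomobject]@{ Indicator = 'Registry'; Location = $k; Value = $v.'(default)' }
    }
}

# 4. Impact: count files already renamed to .crypted under the user profile
$crypted = Get-ChildItem -Path $env:USERPROFILE -Filter '*.crypted' -Recurse -File -ErrorAction SilentlyContinue
if ($crypted) {
    $findings += [pscustomobject]@{ Indicator = 'Encrypted files'; Location = $env:USERPROFILE;
                                    Value = "$($crypted.Count) .crypted files (e.g. $($crypted[0].FullName))" }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Nemucod indicators from this report were found.' }
```

The script only reads; removal of the files and keys is covered by the instructions further down.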

Nemucod encrypts the most widely used file types. To do this, it uses an elevated command in the Windows command prompt. Researchers report the encryption command to be the following:

→ for (var i = 67; i <= 90; i++) { Fp.WriteLine("dir /B " + cq + String.fromCharCode(i) + ":" + cs + cq + " && for /r" + cq + String.fromCharCode(i) + ":" + cs + cq + " %%i in ( file extensions which Nemucod encrypts ) do (REN " + cq + "%%i" + cq + "%%i" + cq + " " + cq + "%%~nxi.crypted" + cq + "&call " + fn + ".exe" + cq + "%%i.crypted" + cq + ")"); };

The loop iterates over character codes 67 to 90, that is, the drive letters C: to Z:, and for each drive writes a command that enumerates files with the targeted extensions, renames each one to .crypted and calls the encryption executable on it. The malware looks for files of the following types:

→ .zip .rar .7z .tar .gz .xls .xlsx .doc .docx .pdf .rtf .ppt .pptx .sxi .odm .odt .mpp .ssh .pub .gpg .pgp .kdb .kdbx .als .aup .cpr .npr .cpp .bas .asm .cs .php .pas .vb .vcproj .vbproj .mdb .accdb .mdf .odb .wdb .csv .tsv .psd .eps .cdr .cpt .indd .dwg .max .skp .scad .cad .3ds .blend .lwo .lws .mb .slddrw .sldasm .sldprt .u3d .jpg .tiff .tif .raw .avi .mpg .mp4 .m4v .mpeg .mpe .wmf .wmv .veg .vdi .vmdk .vhd .dsk (Source: Symantec)

The files are not fully encrypted; only a part of each file is encrypted (usually 32 or 64 bits of the file), which is more than enough to render it unusable. The ransomware then appends the .crypted extension to the file names. Encrypted files look like the following:

  • New Text Document.txt.crypted

Furthermore, for file encryption the Trojan is believed to use modules from 7-Zip, which it may download by connecting to its command-and-control domains. The C&C servers of the cyber-criminals are reported to be the following:

  • Ujjwaljeweller(.)com
  • Topikriau(.)com
  • yc4tuna(.)com
  • yingyigoo(.)com
  • xn--oi2bq3ygphw3bbzh(.)com

After encrypting the data, Nemucod opens its ransom note for the affected user to see. The notification is reported to be the following:

→ “ATTENTION!
All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key.
To restore your files you have to pay 0.52985 BTC(bitcoins).
Please follow this manual:
1.Create Bitcoin wallet here:
https://blockchain.info/wallet/new
2.Buy 0.52985 BTC wth cash, using search here:
https://localbitcoins.com/buy_bitcoins
3.Send 0.52985 BTC to this Bitcoin address:
{cyber-criminals bitcoin address}
4.Open one of the following links in your browser to download decryptor:
{several web links for download that are linked to the cyber-criminals’ domains}
5.Run decryptor to restore your files.
PLEASE REMEMBER:
-If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
-Nobody can help you except us.
-It’s useless to reinstall Windows, update antivirus software, etc.
-Your files can be decrypted only after you make payment.
-You can find this manual on your desktop (DECRYPT.txt).”

Remove Nemucod Ransomware and Decrypt .Crypted Files

Removing the ransomware is relatively simple. Since it may have an active connection to several remote servers, we advise following the removal instructions below to break this connection and remove the malicious files and registry entries. This is done by downloading an advanced anti-malware tool and scanning the computer in Safe Mode, offline, with no third-party applications running and no active network connection.

If you want to decrypt your files, you are in luck, because this is one of the few ransomware variants for which a working decryptor exists. The credit goes to the Emsisoft researchers who developed the Nemucod decryptor. To see how to use the decryptor and restore your files, check the instructions in step 4 below.

1. Boot Your PC In Safe Mode to isolate and remove Nemucod
2. Remove Nemucod with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by Nemucod in the future
4. Restore files encrypted by Nemucod
Optional: Using Alternative Anti-Malware Tools
NOTE! Important notice about the Nemucod threat: manual removal of Nemucod requires interfering with system files and registry entries and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

