
Decrypt latest Nemucod ransomware with Emsisoft’s free decrypter

Discussion in 'Ransomware Decrypters' started by starbuck, Jul 12, 2017.

  1. starbuck

    The Nemucod ransomware family has been around for a while and has gone through several evolutions and changes since then.
    Previous attempts at extorting money were thwarted by the release of our decrypter, which helps victims recover their files for free.

    Amidst the noise of the NotPetya ransomware outbreak, a new variant of Nemucod dubbed NemucodAES was released that changed the encryption mechanism and introduced a facelift of its ransom note.

    Not to be outplayed by cyber criminals, our lab promptly went to work and produced a new version of our decrypter to handle NemucodAES and free victims' files.

    How NemucodAES ransomware works

    The main infection vector of this latest offspring of the Nemucod ransomware family has remained the same, relying on the classic 'undelivered package' spam campaign to trick victims into opening the attachment and executing the JavaScript contained within.

    Once unsuspecting victims are fooled into running the script, the malware downloads its ransomware component as well as the Kovter malware into the %TEMP% folder, where it executes both.

    The NemucodAES ransomware component, which consists of a PHP script and the PHP interpreter, uses the same methods as previous variants to achieve persistence (read more about what ransomware does once it’s on a computer here). Once the interpreter executes the script, it will then start cycling through all possible drive letters (including external and network drives) and starts the encryption process.

    The key difference from previous members of this family is that the encryption has changed from RC4 to a mix of AES-128 in ECB mode and RSA encryption, an infamous combination that we explained in more detail in a recent blog post. In addition, it will not change any file extensions, so victims will only become aware of the damage once they look at the garbled contents or see a cryptic error message when trying to open one of their documents.

    NemucodAES ransomware targets the following file extensions:

    In order to keep the system operational and ensure that folders critical to the functioning of the ransomware and later decryption remain intact, it will skip folders containing the following strings:
    Like its predecessors, NemucodAES only encrypts the first 2 KB of every targeted file.
    Unlike its predecessors, however, NemucodAES uses AES encryption with a randomly generated 128-bit per-file key.
    The encrypted data, as well as the file name and the RSA-encrypted AES keys, are then stored within a .db database file inside the %TEMP% directory. NemucodAES then overwrites the original first 2 KB of the file with random data.

    Since the encrypted data is not stored within the files but within a separate database file, that database file is essential for the decryption process, as explained further down.


    Last but not least the ransomware will delete any shadow copies stored on the system and create a ransom note on the victim’s desktop named “DECRYPT.hta”, instructing the victim to pay the equivalent of US $300 in Bitcoin to get back their files.

    Are Emsisoft users protected?

    Short answer: Yes! Our award-winning Behavior Blocker technology with Anti-Ransomware layer has been able to stop NemucodAES dead in its tracks without the need for updates.

    For all non-Emsisoft customers: Decrypt your files using our free decrypter

    Unfortunately, not everyone is enjoying the state-of-the-art protection Emsisoft products provide, and we have seen an increase in victims hitting communities like BleepingComputer and ID Ransomware looking for help.
    For those victims, our lab created a special decrypter application that is able to restore affected files for free.

    As explained in our thorough ransomware removal guide, it’s critical to follow the right steps when dealing with and removing ransomware.
    We suggest reading it before attempting any hasty removal.
    Particularly in this case, as any decrypter needs access to the database file within the %TEMP% folder that the ransomware created in order to restore the files.

    Many popular cleaning and optimizer programs, such as the popular CCleaner, delete files in the temp folder automatically, making the decryption process impossible for both the ransomware authors and our decrypter.
    So deactivate any such programs immediately and resist the temptation to blindly start cleaning.

    Victims of NemucodAES ransomware can download our decrypter on our dedicated decrypter download page.


    Source:
    http://blog.emsisoft.com/2017/07/12/nemucodaes-ransomware-removal-decrypt/
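A triage helper for the behaviour the post describes, added here as an example; it is not part of Emsisoft's decrypter or of the original write-up. It relies only on what the post states: NemucodAES overwrites the first 2 KB of each targeted file with random data, leaves the file extension unchanged, and keeps the material needed for decryption in a .db file under %TEMP%. The check therefore looks for documents whose known signature bytes are gone while their header is near-maximally random, and lists any .db files still sitting in the temp directory before a cleaner gets to them. The magic-byte table, the entropy threshold, the size-relative bound for small files, and all sample inputs are my own constructions (assumptions), not artefacts from the page.

```python
import math
import os
import tempfile
from collections import Counter

# The post states NemucodAES only rewrites the first 2 KB of each file and leaves
# the extension untouched, so a document's signature bytes are the first casualty.
HEADER_LEN = 2048

# Expected leading bytes for a few common document types. This table is my own
# (assumption), not something taken from the Emsisoft write-up.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(name: str, data: bytes, ratio: float = 0.9) -> dict:
    """Classify one file from its name and its leading bytes.

    A file is flagged when its known signature is missing AND the header entropy is
    close to the maximum achievable for a header of that size. The size-relative
    bound matters: a 100-byte file can never reach 8 bits/byte, yet 100 distinct
    random bytes are still as random as that header can get.
    """
    header = data[:HEADER_LEN]
    ext = os.path.splitext(name)[1].lower()
    expected = MAGIC.get(ext)
    magic_ok = expected is None or header.startswith(expected)
    entropy = shannon_entropy(header)
    # Maximum entropy for len(header) symbols drawn from 256 possible values.
    limit = min(8.0, math.log2(len(header))) if len(header) > 1 else 0.0
    suspicious = (not magic_ok) and limit > 0.0 and entropy >= ratio * limit
    return {
        "name": name,
        "entropy": round(entropy, 2),
        "magic_ok": magic_ok,
        "suspicious": suspicious,
    }


def scan_directory(root: str) -> list:
    """Read only the first 2 KB of every regular file under root and triage it."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    results.append(triage(path, fh.read(HEADER_LEN)))
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the scan
    return results


def temp_database_files() -> list:
    """List *.db files in the temp directory. The post says the decrypter needs this
    file, so confirm it is still present before any cleanup tool runs."""
    tmp = tempfile.gettempdir()
    return sorted(os.path.join(tmp, f) for f in os.listdir(tmp) if f.lower().endswith(".db"))


# Constructed sample inputs (not real NemucodAES artefacts).
# Deterministic stand-in for random data: 131 is coprime to 256, so every byte
# value appears exactly 8 times in 2048 bytes, giving exactly 8.0 bits/byte.
TRAMPLED = bytes((i * 131 + 7) % 256 for i in range(HEADER_LEN))
INTACT_PDF = b"%PDF-1.4\n" + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n" * 60
PDF_TAIL = b"\nxref\n0 3\ntrailer\n<< /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"

SAMPLES = [
    ("budget.pdf", INTACT_PDF),           # untouched document
    ("report.pdf", TRAMPLED + PDF_TAIL),  # first 2 KB replaced, remainder intact
    ("note.docx", TRAMPLED[:100]),        # small file, entirely overwritten
    ("readme.txt", TRAMPLED),             # no known signature: this check cannot judge it
]


def run_samples() -> dict:
    """Triage the constructed samples, keyed by file name."""
    return {name: triage(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for verdict in run_samples().values():
        print(verdict)
    print("database files in temp:", temp_database_files())
```

Point scan_directory at a user's document tree to get a quick list of candidates for the decrypter. The readme.txt sample shows the limitation: a format with no known signature cannot be judged by a missing-magic test, and formats that are already compressed (zip, jpg) are only caught because their signature disappears, not because of entropy alone. This is triage, not recovery; without the .db file from %TEMP% the overwritten 2 KB are gone, which is exactly why the post warns against running cleaners first.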