Fabian Wosar of Emsisoft has released a free decryptor for the Nemucod .CRYPTED or Decrypt.txt ransomware. A decryptor was previously released by one of our users, macomaco, but it required Python in order to generate the decryption key. When Fabian analyzed the ransomware, he saw that it used a similar encryption scheme to a previous ransomware and was able to release a Windows decryptor.
If you are infected with this ransomware, simply download decrypt_nemucod.exe from the following link and save it on your desktop:
In order to find your decryption key, you need to drag an encrypted file and the unencrypted version of the same file onto the decrypt_nemucod.exe icon at the same time. To do this, select both the encrypted and unencrypted version of a file and then drag them both onto the decryptor. If you do not have an original version of one of your encrypted files, you can usually use a sample picture found in the C:\Users\Public\Pictures folder. Once you determine the key used to encrypt one of your files, you can then use that key to decrypt ALL other encrypted files on your computer.
To show what I mean about dragging both files at the same time, see the image below. To generate the key, I created a folder that contains an encrypted PNG file, an unencrypted version of the same PNG file, and the decrypt_nemucod.exe program. I then dragged both the regular PNG file and the encrypted one onto the executable at the same time.
After you drag the files onto the decryptor, the program will start and you may be presented with a UAC prompt. Click the Yes button to proceed. The program will then attempt to brute force the decryption key. Once a key has been brute forced, it will be displayed in a new window like the one below.
When you press the OK button you will be presented with a license agreement you must agree to. To continue, press the OK button. You will now see the main Nemucod Decryptor screen as shown below.
By default, the decryptor is only going to decrypt files on the C: drive. If there are other drives with encrypted files, click on the Add File(s) button to add the drive to the list. When ready, click on the Decrypt button to begin decrypting your files. Once you click Decrypt, the decryptor will decrypt all the encrypted files and display the decryption status in a results screen like the one below.
All of your files should now be decrypted.
It is important to note that Nemucod delivers more than just a ransomware component. The Nemucod TrojanDownloader will also install the Kovter infection and possibly other malware. It is strongly suggested that you scan your computer with an antivirus or antimalware program to make sure there were no other infections downloaded by Nemucod. You can also use this guide to remove Kovter from your computer: Trojan.Win32/Kovter Removal Guide.
For those who wish to know more technical information about this ransomware, you can read the next section. If you need help getting this decryptor to work, please ask in our .CRYPTED Ransomware (Decrypt.txt) - How to Decrypt and Help Topic.
This CMD script will search for files with certain file extensions; when it discovers a targeted file, it renames it to add the .CRYPTED extension and then launches %TEMP%\5021052.exe with the file as an argument. The 5021052.exe executable then encrypts the first 2048 bytes of the file using XOR encryption. This process is repeated for each file that has one of the following extensions:
*.zip *.rar *.7z *.tar *.gz *.xls *.xlsx *.doc *.docx *.pdf *.rtf *.ppt *.pptx *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.vb *.vcproj *.vbproj *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.psd *.eps *.cdr *.cpt *.indd *.dwg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.vdi *.vmdk *.vhd *.dsk
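The known-plaintext step that the decryptor automates (described above under dragging an original and an encrypted copy together), as an added Python example that is not the article's or Emsisoft's code: XOR the first 2048 bytes of an original file against its .CRYPTED copy to recover the keystream, then reuse that keystream on any other encrypted file, leaving everything past the 2048-byte prefix untouched. It assumes, as the article states, that only the first 2048 bytes are XOR-encrypted and the same key is used for every file; the page does not give the key length, so the period check is purely diagnostic, and all file names are placeholders.

```python
import sys

PREFIX_LEN = 2048   # bytes encrypted per file, as stated in the article
EXT = ".CRYPTED"    # extension appended to encrypted files


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # zip() stops at the shorter input, so files under 2048 bytes work too
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(plain: bytes, cipher: bytes) -> bytes:
    """Known-plaintext: keystream = original XOR encrypted over the prefix.
    Both copies must be the same length and identical past the prefix,
    otherwise they are not an original/encrypted pair of the same file."""
    if len(plain) != len(cipher) or plain[PREFIX_LEN:] != cipher[PREFIX_LEN:]:
        raise ValueError("not an original/encrypted pair of the same file")
    if len(plain) < PREFIX_LEN:
        raise ValueError("sample must be at least %d bytes" % PREFIX_LEN)
    return xor_bytes(plain[:PREFIX_LEN], cipher[:PREFIX_LEN])


def smallest_period(ks: bytes) -> int:
    """Shortest repeating unit of the keystream (len(ks) if it never repeats).
    Diagnostic only: a short period reveals a short repeating key."""
    for p in range(1, len(ks)):
        if ks[p:] == ks[:-p]:
            return p
    return len(ks)


def decrypt_bytes(data: bytes, ks: bytes) -> bytes:
    """Undo the prefix XOR; bytes beyond PREFIX_LEN were never encrypted."""
    return xor_bytes(data[:PREFIX_LEN], ks) + data[PREFIX_LEN:]


def decrypt_file(path: str, ks: bytes) -> str:
    """Write the decrypted copy next to <name>.CRYPTED and return its path."""
    if not path.endswith(EXT):
        raise ValueError("expected a file ending in " + EXT)
    with open(path, "rb") as f:
        data = f.read()
    out = path[:-len(EXT)]           # strip the ransomware's extension
    with open(out, "wb") as f:
        f.write(decrypt_bytes(data, ks))
    return out


if __name__ == "__main__":
    # usage: script.py original.png original.png.CRYPTED other.doc.CRYPTED ...
    ks = recover_keystream(open(sys.argv[1], "rb").read(), open(sys.argv[2], "rb").read())
    print("keystream period:", smallest_period(ks))
    for p in sys.argv[3:]:
        print("decrypted", decrypt_file(p, ks))
```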
After encrypting the files, the CMD script will add various autorun entries to the registry so that the ransom notes are displayed and the ransomware is executed when a user logs into the computer. When the CMD script has finished, it will delete itself from the computer.
Once the encryption routine is done, the ransomware will display the Decrypt.txt ransom note, which can be seen below.
As noted above, Nemucod delivers more than just a ransomware component: the Nemucod TrojanDownloader will also install the Kovter infection and possibly other malware.
Therefore, be sure to scan your computer with an up-to-date antivirus tool in order to confirm that all infections have been removed.
Files associated with the Nemucod .CRYPTED ransomware:
%Temp%\502105.txt
%Temp%\5021052.exe
%LocalAppData%\evum\
%LocalAppData%\evum\1QGNQ.2MGvFO
%AppData%\BlastoffCounterpoiseDissimilitude
%AppData%\ForesideDopattaEmpyrean
%AppData%\gangbang.dll
%AppData%\htmlhelp.title.xml
%AppData%\libertine.dll
%AppData%\minimize_hover.png
%AppData%\System.dll
%Desktop%\Decrypt.txt
Registry entries associated with the Nemucod .CRYPTED ransomware:
HKCU\Software\Classes\.2MGvFO
HKCU\Software\Classes\.2MGvFO\ ayC5
HKCU\Software\Classes\ayC5
HKCU\Software\Classes\ayC5\shell
HKCU\Software\Classes\ayC5\shell\open
HKCU\Software\Classes\ayC5\shell\open\command
HKCU\Software\3c1cee05f3
HKCU\Software\Classes\ayC5\shell\open\command\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ [unreadable_char]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Crypted %Temp%\502105.txt
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ [unreadable_char]