
Nemucod / NemucodAES Ransomware (.crypted - Decrypt.txt) Support & Help Topic


653 replies to this topic

#631 AngelMartin

  • Members
  • 8 posts
  • Gender:Female
  • Location:Ottawa Canada

Posted 20 July 2017 - 10:52 AM

I spent 2 hours trying to find a corresponding file but everything prior to it are Photoshop files from an unzipped folder of tools I had never used, that are named by 17-22 jumbled numbers. I have no hope in hell of finding a match. Baaaa!

I do not have another system to run this on, but if I can borrow something...is it safe to move the most important encrypted files to someone else's laptop with the decryption key without risking their files?


#632 AngelMartin

  • Members
  • 8 posts
  • Gender:Female
  • Location:Ottawa Canada

Posted 20 July 2017 - 11:04 AM

I scanned the actual execution file (the original zip file with malware) and it was unrecognized not only by Malwarebytes, but also by both my virus protection products (Avast and Panda). Maybe I won't transfer the encrypted files to his laptop after all. He would kill me dead!

Edited by AngelMartin, 20 July 2017 - 04:58 PM.


#633 AngelMartin

  • Members
  • 8 posts
  • Gender:Female
  • Location:Ottawa Canada

Posted 20 July 2017 - 12:55 PM

Ok...another curious element. I have deleted everything I can find that is PS-related (the first 50 files are all PS textures etc.) and all the folders higher up the list I can live without, further taking them out of the recycling bin, and sub folders, shortcuts, startup command files, and backup preferences files, but the scan is still creating a list with those files exactly where they are, even though they are no longer there. I did a full C drive search and they can't be found. Is this a system restore partition it's reading? I removed everything I could find. I swear this will strip 10 years off my life...lol!

Edited by AngelMartin, 20 July 2017 - 01:15 PM.


#634 sdr5ujxd

  • Members
  • 4 posts

Posted 20 July 2017 - 01:26 PM

The scan probably looks for deleted files on purpose. Deleting a file simply marks its space on the hard drive as available; until it is overwritten it is still there, but search will not list it. Moving the files should be fine depending on where they were. If you're not sure, scan them with an antivirus that detects Nemucod AES.



#635 TechGuru11

  • Members
  • 84 posts
  • Gender:Male

Posted 09 August 2017 - 09:33 AM

Hello, I've been having difficulty finding a key for this variant using the decrypter. Attached is the .db and several sets of good and bad files on the list.

https://www.sendspace.com/file/y7ftj6

 

Thank you for any assistance provided.



#636 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,212 posts
  • Gender:Male
  • Location:USA

Posted 09 August 2017 - 09:59 AM


I'm trying the key database on my end. ETA 6 hours on my i7.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#637 AngelMartin

  • Members
  • 8 posts
  • Gender:Female
  • Location:Ottawa Canada

Posted 09 August 2017 - 10:11 AM

I am also having a problem finding a key. I removed all malware, ran Bitdefender, Malwarebytes and SpyHunter 4...no trace left. I can see the execution files in the temp folder and have paired about 25 files of decrypted and not decrypted (had them on my phone), yet it cannot find the key. All my clients' files are hijacked, and this is not good for business...ugh!!!

#638 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,212 posts
  • Gender:Male
  • Location:USA

Posted 09 August 2017 - 03:59 PM

@TechGuru11
 
No dice on my end. Could possibly be a different variant. Can you find the malware and upload it here: https://www.bleepingcomputer.com/submit-malware.php?channel=168
 
It's usually a PHP file in the %TEMP% folder, possibly the same name as the database file was.
 
@AngelMartin
 
Can you also provide the malware at the link above?

Edited by Demonslay335, 11 August 2017 - 07:35 PM.



#639 AngelMartin

  • Members
  • 8 posts
  • Gender:Female
  • Location:Ottawa Canada

Posted 09 August 2017 - 06:51 PM

Not quite sure what you mean exactly....The actual JavaScript execution file that was sent in the false email?
I would have to redownload the email file, as I just cleaned that all up with Malware removal. Could I just forward the email to you somewhere safe?

#640 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 49,731 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 August 2017 - 07:03 PM

Demonslay335 means....samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#641 TechGuru11

  • Members
  • 84 posts
  • Gender:Male

Posted 11 August 2017 - 12:52 PM

@demonslay335 The link you provided wasn't working, but the zipped files listing from sendspace has every file with the same name as the .db file including the PHP file requested. Let me know if I can provide anything else.

 

https://www.sendspace.com/file/zpik80



#642 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,212 posts
  • Gender:Male
  • Location:USA

Posted 11 August 2017 - 01:03 PM


Thanks, I'll take a look later.

 

Sorry, the link I posted was an internal link.  :blush: I've edited it.




#643 AngelMartin

  • Members
  • 8 posts
  • Gender:Female
  • Location:Ottawa Canada

Posted 11 August 2017 - 06:09 PM

I can't seem to open the link either, even the edited version? Doh!

I consider myself to be a fairly competent woman with a Business Degree, yet this Nemucod AES Encryption Malware has made me feel like a 4 year old learning to tie her shoes....so frustrating!!!

 

I have redownloaded but not opened the original malware JavaScript execution file, and am just waiting for the link to upload it to. :)



#644 xenocide122

  • Members
  • 4 posts

Posted 18 August 2017 - 12:02 PM

Hi, I've been having trouble with this variant using the decrypter. My db is attached to the link below, but when I run the "decrypt_NemucodAES.exe" decrypter it says it was unable to locate the db file.

https://www.dropbox.com/s/u6m7ch67paaipgz/1FMUwdVRhzUSErZqaDHZbgKHSyGoWZJLnP.db?dl=0

 

The db file is very large and encrypted quite a few files, let me know if you need anything else.

 

Thanks for looking at this for me!



#645 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,212 posts
  • Gender:Male
  • Location:USA

Posted 18 August 2017 - 12:16 PM


Can you supply an original file as high up in that list as possible? You can open the .db file as a text file to see the list.

 

Also, the database file must be in %TEMP% for the decrypter to pick it up.


Edited by Demonslay335, 18 August 2017 - 12:17 PM.
