Nemucod Ransomware (.crypted - Decrypt.txt) Support & Help Topic


607 replies to this topic

#601 kmozis

kmozis

  • Members
  • 3 posts
  • OFFLINE

Posted 08 June 2017 - 02:19 AM

Good morning,

 

all the ransom note files are stored in this path:

C:\users\MyUserName\AppData\Roaming\How_To_Decrypt_My_Files

https://www.dropbox.com/s/mkcsfmxsikhq9m0/How_Decrypt_My_Files.zip?dl=0

 

Here is the content of read_me.txt file, thank you for your help and effort in advance:

 

_|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|
___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|__
_|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|
___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|__
 
YOUR PERSONAL FILE ARE ENCRYPTED ! ! !
 
Cannot you find the files you need? Is the content of the files that 
you looked for not readable? It is normal because the data in your 
files have been encrypted.
 
Your documents, photos, databases and other important files have been 
encrypted with strongest encryption and unique key, generated for this 
computer. Private decryption key is stored on a secret Internet server 
and nobody can decrypt your files until you pay and obtain the 
private key.
 
 
WHAT IS ENCRYPTION?
 
Encryption is a reversible modification of information for security 
reasons but providing full access to it for authorized users.
 
To become an authorized user and keep the modification absolutely 
reversible (in other words to have a possibility to decrypt your
files) you should have an individual private key.
 
 
EVERYTHING IS CLEAR FOR ME BUT WHAT SHOULD I DO?
 
The first step is reading these instructions to the end.
 
Your files have been encrypted with with strongest encryption and
unique key; the instructions ("DECRYPT_MY_FILES.html" and
"DECRYPT_MY_FILES.txt") in the folders with your encrypted files
are not viruses, they will help you.
 
After reading this text the most part of people start searching in
the Internet the word "Ransomware" where they find a lot of ideas,
recommendations and instructions.
 
It is necessary to realize that we are the ones who closed the lock
on your files and we are the only ones who have this secret key to
open them.
 
Any attempts to get back your files with the third-party tools can
be fatal for your encrypted files.
 
The most part of the third-party software change data within the
encrypted file to restore it but this causes damage to the files.
 
Finally it will be impossible to decrypt your files.
 
When you make a puzzle but some items are lost, broken or not put
in its place - the puzzle items will never match, the same way the
third-party software will ruin your files completely and irreversibly.
 
You should realize that any intervention of the third-party software
to restore files encrypted with our software may be fatal for your
files.
 
There are several plain steps to restore your files but if you do not
follow them we will not be able to help you, and we will not try since
you have read this warning already.
 
For your information the process to decrypt your files (as well as the
private key provided together) are paid products.
 
If you understand all importance of the situation please follow to 
next point where you will receive the complete instructions and 
guarantees to restore your files.
 
 
HOW TO DECRYPT MY FILES???
 
For recover encrypted files you need to make the following points:
 
1. Copy Bitcoin address to safe place
  
First you need copy in safe place the bitcoin payment address. In case
of loss the bitcoin payment address, you can't decrypt your files. 
Please mark bitcoin address below, copy, and save it in safe place:
 
**********************************************************************
*                                                                    *
*       18VDihvBfXH1k6Z7rhdgVvUvPEB7UgoNFw                           *
*                                                                    *
**********************************************************************
Please mark bitcoin address above, copy, and save it in safe place!!!
 
2. Purchase Bitcoins with Credit Card or Paypal
 
Your decryption key can only be purchased with Bitcoins. Bitcoin is 
a digital currency which can be exchanged from nearly every normal 
currency. There are a lot of exchange platforms on the internet, 
most of them are specialized on a single currency. Today buying 
bitcoins online is very easy and it's getting simpler every day!
 
You have to purchase at least the amount shown below. It is 
recommended to purchase a bit more, to ensure a successfull payment. 
An extra of 2% should be enough. If you already own enough Bitcoins, 
you could skip this step.
 
Demand: 0.06 Bitcoins
 
The following exchanges and marketplaces are recommended:
 
https://www.coinbase.com/ USA, Europe & UK
https://cex.io/ Worldwide, credit or debit card
 
Any kind of Bitcoin-Wallet isn't required, you can transfer the 
purchased bitcoins directly to the payment address. If you want 
create a wallet anyway, http://www.blockchain.com is recommended.
 
If you successfull bought the right amount of Bitcoins, please 
follow the next step.
 
3. Do a bitcoin transaction
 
Now you have to send your purchased Bitcoins to the payment address. 
If you just purchased Bitcoins an a exchange or marketplace site, 
look for a section called "Withdraw" and enter the details shown below. 
If you already own Bitcoins, send the right amount to the payment 
address shown below, directly from the wallet you use.
 
If you have any problems with the transaction, feel free to contact
our Support.
 
Demand:  0.06 Bitcoins
Address: 18VDihvBfXH1k6Z7rhdgVvUvPEB7UgoNFw
 
After you made the payment transaction, you have to wait until we 
manually confirm it. This process usually takes a few hours. 
In some rare cases some payments need more time to get confirmed.
 
4. Decrypt your files
 
Process of decryption files will start automatically after payment
received. The process of decrypting files can take a long time 
depending on the number of files.
 
After purchase of the decrypt process you will be able to:
1. decrypt all your files;
2. work with your documents;
3. view your photos and other media;
4. continue your usual and comfortable work at the computer.
 
We guarantee the restore of your files.
if you have any questions please contact me: decryptme@mail2tor.com
 
_|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|
___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|__
_|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|
___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|___|__

Edited by kmozis, 08 June 2017 - 02:21 AM.


#602 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 48,768 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA

Posted 08 June 2017 - 05:23 AM

Are you sure it is Nemucod?

Did you submit any samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#603 kmozis

kmozis

  • Members
  • 3 posts
  • OFFLINE

Posted 08 June 2017 - 06:20 AM

No, I am not sure. ID Ransomware identified it as Nemucod based on the changed file extension .crypted



#604 krysolet

krysolet

  • Members
  • 4 posts
  • OFFLINE

Posted 08 June 2017 - 09:46 AM

Hello, it is exactly the same ransom note as I presented earlier in this thread. It is not Nemucod ... it is called PyCoder or CL ... no cure for this :(  Even worse, the mail contact address is dead :(

mail2tor domain is almost unreachable ... sorry to tell you



#605 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 48,768 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA

Posted 08 June 2017 - 01:01 PM

No, I am not sure. ID Ransomware identified it as Nemucod based on the changed file extension .crypted

.crypted is more of a generic extension used by several ransomware variants. The best way to identify the different ransomwares is the ransom note (including its name), the malware file itself, any obvious extensions appended to the encrypted files, samples of the encrypted files and information related to any email addresses used by the cyber-criminals to request payment.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#606 helac

helac

  • Members
  • 3 posts
  • OFFLINE

Posted 14 June 2017 - 08:24 AM

Looked like we were hit by a new variant of Nemucod (released at the beginning of June). The encrypted and unencrypted files differ by 31 B. Is it possible?



#607 erilidon

erilidon

  • Members
  • 1 posts
  • OFFLINE

Posted 19 June 2017 - 07:17 PM

I am having trouble decrypting some files. Any help would be greatly appreciated. I've tried both the Emsisoft and the python decryptors without success. I also opened files in a hex editor and didn't see the 7z at the beginning.

 

Link to crypted and original sample files - https://www.dropbox.com/sh/ze8pko7gi31pvkf/AAC5EBTA6-UskvorlpuKuOjLa?dl=0
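As an added example (not code from this thread, and not the Emsisoft or python decryptors mentioned above), the following Python script does the sample triage the last two posts describe by hand: it records the size difference between an original file and its encrypted copy, checks whether the encrypted copy begins with the 7-Zip signature, and pulls the payment address, contact e-mail and demanded amount out of a ransom note so they can be submitted with an identification request of the kind quietman7 recommends. The file pair is constructed; the address and e-mail in the sample note are the ones from the note posted earlier in this thread. The hints in the comments about padding and IVs are general observations about block ciphers, not a claim about what this particular ransomware does.

```python
import re

# 7-Zip archive signature: "7z" followed by BC AF 27 1C.
SEVEN_ZIP_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"

# Loose patterns for the indicators an identification request needs:
# a contact e-mail, a legacy (Base58) Bitcoin address and the BTC demand.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
DEMAND_RE = re.compile(r"Demand:\s*([0-9]*\.?[0-9]+)\s*Bitcoins", re.IGNORECASE)


def has_7z_header(data: bytes) -> bool:
    """True if the blob begins with the 7-Zip archive signature."""
    return data.startswith(SEVEN_ZIP_MAGIC)


def size_delta(original: bytes, encrypted: bytes) -> int:
    """Bytes the encryption added (negative if the output is shorter)."""
    return len(encrypted) - len(original)


def describe_pair(original: bytes, encrypted: bytes) -> dict:
    """Facts worth recording for one original/encrypted pair.

    'encrypted_mod16' is zero when the ciphertext is a whole number of
    16-byte blocks; with a small positive delta that is consistent with
    (but does not prove) a block cipher with padding and a prepended IV.
    """
    return {
        "delta": size_delta(original, encrypted),
        "encrypted_mod16": len(encrypted) % 16,
        "starts_with_7z": has_7z_header(encrypted),
    }


def extract_indicators(note_text: str) -> dict:
    """Pull contact e-mails, Bitcoin addresses and the BTC demand from a note."""
    emails = list(dict.fromkeys(EMAIL_RE.findall(note_text)))
    addresses = list(dict.fromkeys(BTC_RE.findall(note_text)))
    match = DEMAND_RE.search(note_text)
    return {
        "emails": emails,
        "btc_addresses": addresses,
        "demand_btc": float(match.group(1)) if match else None,
    }


# Constructed excerpt: the address and e-mail are those in the note posted
# earlier in this thread; the rest of the note is abbreviated.
SAMPLE_NOTE = """YOUR PERSONAL FILE ARE ENCRYPTED ! ! !
Demand:  0.06 Bitcoins
Address: 18VDihvBfXH1k6Z7rhdgVvUvPEB7UgoNFw
if you have any questions please contact me: decryptme@mail2tor.com
"""

# Constructed file pair: a 17-byte "document" and a 48-byte "ciphertext",
# i.e. the 31-byte growth reported above, with no 7-Zip header.
SAMPLE_ORIGINAL = b"hello world 12345"
SAMPLE_ENCRYPTED = bytes(range(48))

if __name__ == "__main__":
    print(describe_pair(SAMPLE_ORIGINAL, SAMPLE_ENCRYPTED))
    print(extract_indicators(SAMPLE_NOTE))
```

To use it on real samples, read the original and encrypted files in binary mode and pass the bytes to `describe_pair`; the dictionary it returns, plus the output of `extract_indicators` on the ransom note, is the information worth attaching to an identification request, and none of it touches the encrypted data.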



#608 fccz

fccz

  • Members
  • 1 posts
  • OFFLINE

Posted 22 June 2017 - 05:45 AM

(This post is about PyCoder, as is the first one here; not about Nemucod)

 

Has anyone paid the ransom?

 

It seems that the wallet is used in many infections so I am curious how they identify where to send the decryptor...

 

I am also not sure how the process could "start automatically" as stated in the ransom note... Does the ransomware have to be running on the infected computer all the time?

 

Or am I missing something?





