Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Removing added file extension by crypto virus

  • This topic is locked This topic is locked
1 reply to this topic

#1 newcenturycs


  • Members
  • 1 posts
  • Local time:11:16 PM

Posted 02 December 2016 - 01:36 AM

I have a customer that got a crypto virus or something similar on their computer. I think I've removed all traces of the virus/malware on the PC. I've seen many cases such as this where the files aren't actually encrypted, just renamed from "picture.jpg" to "picture.jpg.crypted" for example. I've been using a program called Bulk Extension Changer to rename several files at once but all it does is replace the ".crypted" with ".jpg" and the file looks like, "picture.jpg.jpg". This is quicker than changing all the files manually obviously but I was wanting to figure out a way to just strip the, ".crypted" extension from all files in all user folders. This would be much faster. (Especially in folders with a mix of file types) I'd appreciate any advice. Once I remove the ".crypted" extension from the files, the file is back to normal and works fine. Has anyone else seen this type of malware? Perhaps it's a rip off of a real crypto virus because the files aren't actually encrypted but just simply renamed. Thanks in advance for any help or ideas.



Mod Edit

Moved to a more appropriate forum by NickAu

Edited by NickAu, 02 December 2016 - 02:04 AM.
Moved to a more appropriate forum

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,937 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:16 AM

Posted 02 December 2016 - 07:07 AM

Any files that are encrypted with Nemucod Ransomware will have the .crypted extension appended to the end of the encrypted data filename and leave files (ransom notes) named DECRYPT.TXT.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.

Fabian Wosar released a decryptor solution for this type of infection.
  • Decryptor Released for the Nemucod Trojan's .CRYPTED Ransomware

    In order to find your decryption key, you need to drag an encrypted file and unencrypted version of the same file onto the decrypt_nemucod.exe icon at the same time. To do this, you would select both the encrypted and unencrypted version of a file and then drag them both onto the decryptor.

  • Emsisoft Decrypter for Nemucod

    To use the decrypter you will require an encrypted file of at least 144 bytes in size as well as its unencrypted version. To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.


Note: In some cases Nemucod will skip encrypting files despite appending the extension...it adds the extension first, then encrypts in a different manner so renaming the file and removing the .crypted extension should retore the file. Emsisoft's Decrypter for Nemucod has been updated to handle the files that are not really encrypted and only need to be renamed.

Trend Micro has a Ransomware File Decryptor for victims of Nemucod infections.
Antelox has a NemucodFR python script with information on how to extract the key and use it to recover encrypted files by Nemucod Ransomware.

Unfortunately, there is no known way at this time to decrypt files encrypted by the version of Nemucod which uses 7-zip to encrypt the files without paying the ransom.

There is an ongoing discussion in this topic where you can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users