
Nemucod-AES


This topic is locked
5 replies to this topic

#1 giselemd
  • Members
  • 4 posts

Posted 07 July 2017 - 11:41 PM

Hi, A neighbor brought over his infected PC. It appears to be NEMUCOD-AES - signature red background screen, no extensions, similar decrypt.hta, etc. He was infected on July 4. I have *many* files: encrypted data files; DECRYPT.HTA ransom note; secmod.db, key3.db, cert8.db - all created July 4 at noon when he was hit. If anyone would like the files to play with, I am happy to upload them anywhere. I can't find anyone who has cracked this one yet so any help would be great.
 
Thank you!!!

 
Above is my original post.
 
Virus not standard Nemucod - decrypt_Nemucod did not work even though that appeared to be the signature.
 
I am uploading corrupted files, originals of the same files, ransom note, and all 3 .db files I found.
 
Thank you!
-Gisele


#2 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,263 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 08 July 2017 - 06:15 AM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Demonslay335 (Ransomware Hunter)
  • Security Colleague
  • 3,469 posts
  • Gender: Male
  • Location: USA

Posted 08 July 2017 - 12:02 PM

As stated before in other topics, the current decrypters will not work on the new Nemucod-AES. We are still working on it.

 

You will need to locate a *.db file that has a list of encrypted files. The way this ransomware works is that it will encrypt the first 2048 bytes of files, base64 encode them, and store them in this .db file; the original file has 2048 bytes of utter garbage written to it. This is why before/after files are useless for this one; we will need that .db file if there is a solution in the future.

 

Nemucod-AES will drop "DECRYPT.hta" as the note, so it's easier to identify, and comes from fake postal service attachments in spam email. AESMatrix is a bit more obscure, and I doubt you were hit by it. It comes through RDP hacks.


Edited by Demonslay335, 08 July 2017 - 12:05 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
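A triage script for the behaviour Demonslay335 describes above, added here as an example; it is not part of the thread or of any tool linked in it. Because Nemucod-AES overwrites the first 2048 bytes in place and leaves the file name and extension alone, extension searches find nothing, so this flags files whose leading 2048 bytes have near-random entropy and no longer start with the magic bytes their extension implies. The magic table, the entropy threshold and the two sample files are assumptions constructed for the demo.

```python
"""Triage helper for Nemucod-AES-style damage (added example, not from the thread).

Flags files whose first 2048 bytes look random and lack the expected header.
Magic table, threshold and sample files below are constructed assumptions.
"""
import math
import os
import tempfile
from collections import Counter

HEADER_LEN = 2048        # bytes the thread says are overwritten with garbage
ENTROPY_THRESHOLD = 7.5  # bits per byte; random bytes approach 8.0

# Leading bytes for a few common types (assumption: enough for a first triage).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data; an empty input scores 0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: str) -> bool:
    """True when the leading 2048 bytes look random and the magic is gone."""
    with open(path, "rb") as f:
        head = f.read(HEADER_LEN)
    ext = os.path.splitext(path)[1].lower()
    high_entropy = shannon_entropy(head) > ENTROPY_THRESHOLD
    if ext in MAGIC:                       # known type: header must be missing too
        return high_entropy and not head.startswith(MAGIC[ext])
    return high_entropy                    # unknown type: entropy alone (may false-positive)

def scan(root: str) -> list:
    """Walk root and return the paths that look overwritten, sorted for stable output."""
    return sorted(os.path.join(d, n) for d, _, names in os.walk(root)
                  for n in names if looks_encrypted(os.path.join(d, n)))

def demo() -> list:
    """Create one intact and one 'hit' constructed PDF and return the flagged names."""
    d = tempfile.mkdtemp()
    body = b"constructed plain text body line\n" * 80
    with open(os.path.join(d, "intact.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + body)
    with open(os.path.join(d, "hit.pdf"), "wb") as f:
        f.write(bytes(range(256)) * 8 + body)  # deterministic stand-in for 2048 random bytes
    return [os.path.basename(p) for p in scan(d)]

if __name__ == "__main__":
    print(demo())
```

Files the script flags are candidates for the before/after comparison the thread says is useless on its own; the .db inventory is still what a decrypter needs, so keep it rather than letting a cleanup tool quarantine it.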


#4 jr105
  • Members
  • 1 post

Posted 10 July 2017 - 12:40 PM

I also believe I've been hit by Nemucod-AES.  I used a website to identify the type of ransomware by uploading the corrupt file and the ransom note, and it said Nemucod-AES.  It's got the red "ATTENTION:..." background, decrypt.hta file on the desktop and a lot of files were modified at the exact same time and date.  The file extensions have NOT been modified.  What I find strange is that when I do a command prompt search for encrypted files, I have 0 returns.  I've also used a program called viewmyfiles, and tried searching for encrypted files, and also came up empty.  When trying to open one of these modified files, I get the error basically saying the extension does not match, or the file has been corrupted.  I used Binary Viewer to look at the actual data, and can see where data has been inserted into the file, corrupting it.  I'm not finding the databases others have found, but the anti-malware and virus checks that I ran may have deleted or quarantined them.  I just thought I would share this information.



#5 Demonslay335 (Ransomware Hunter)
  • Security Colleague
  • 3,469 posts
  • Gender: Male
  • Location: USA

Posted 12 July 2017 - 12:11 PM

Emsisoft has released a decrypter for the latest version. :)

 

http://blog.emsisoft.com/2017/07/12/nemucodaes-ransomware-removal-decrypt/




#6 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,263 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 12 July 2017 - 02:21 PM

Any further requests for assistance, comments or questions should be posted in the below support topic discussion. Rather than have everyone with individual topics and to avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
