Fabian Wosar of Emisoft has released a free decryptor for the Nemucod .CRYPTED or Decrypt.txt ransomware. A decryptor was previously released by one of our users, macomaco, but required Python in order to generate the decryption key. When Fabian analyzed the ransomware, he saw that it utilized a similar encryption scheme as a previous ransomware and was able to release a Windows decryptor.

This ransomware is distributed via the Nemucod Trojan.Downloader, which is sent via email as a javascript (.JS) attachment.  When a user opens this attachment, the javascript will execute and download further malware to the victim's computer. Recently, one of the malware infections that is being downloaded by Nemucod is the .CRYPTED ransomware, which will encrypt your data and then demand ~.4 bitcoins in order to get a decryption key.

Decrypting Nemucod's .CRYPTED Ransomware

If you are infected with this ransomware, simply download decrypt_nemucod.exe from the following link and save it on your desktop:

Emsisoft Decrypter for Nemucod

In order to find your decryption key, you need to drag an encrypted file and unencrypted version of the same file onto the decrypt_nemucod.exe icon at the same time.  To do this, you would select both the encrypted and unencrypted version of a file and then drag them both onto the decryptor.  If you do not have an an original version of one of your encrypted files, you can usually use a sample picture found in the C:\Users\Public\Pictures folder.  Once you determine the key used to encrypt one of your files, you can then use that key to decrypt ALL other encrypted files on your computer.

To show what I mean about dragging both files at the same time, see the image below. To generate the key, I created a folder that contains an encrypted PNG file, a unencrypted version of the same PNG file, and the decrypt_nemucod.exe program. I then dragged both the regular PNG file and the encrypted one onto the executable at the same time.

How to drag the files onto the Decrypter
How to drag the files onto the Decrypter

After you drag the files onto the decrypted, the program will start and you may be presented with a UAC prompt. Please click on Yes button to proceed. The program will now start and attempt to brute force the decryption key. When a key was able to be brute forced, it will display it an a new window like the one below.

Decryption Key Found
Decryption Key Found

When you press the OK button you will be presented with a license agreement you must agree to. To continue, press the OK button. You will now see the main Nemucod Decryptor screen as shown below.

Nemucod Decryptor
Nemucod Decryptor

By default, the decryptor is only going to decrypt files on the C: drive. If there are other drives with encrypted files, click on the Add File(s) button to add the drive to the list. When ready, click on the Decrypt button to begin decrypting your files. Once you click Decrypt, the decryptor will decrypt all the encrypted files and display the decryption status in a results screen like the one below.

Decryption Results
Decryption Results

All of your files should now be decrypted.

It is important to note that Nemucod delivers more than just a ransomware component. The Nemucod TrojanDownloader will also install the Kovter infection and possibly other malware. It is strongly suggested that you scan your computer with an antivirus or antimalware program to make sure there were no other infections downloaded by Nemucod. You can also use this guide to remove Kovter from your computer: Trojan.Win32/Kovter Removal Guide.

For those who wish to know more technical information about this ransomware, you can read the next section. If you need help getting this decrypter to work, please ask in our .CRYPTED Ransomware (Decrypt.txt) - How to Decrypt and Help Topic.

The Nemucod Ransomware Encryption Process 

This ransomware is currently a part of the Nemucod TrojanDownloader and is spread through javascript (.JS) attachments sent via email. The interesting part of this ransomware implementation is that the encryption steps are broken up between two different programs. The Javascript installers generates the various command and batch files, which use a downloaded files to perform the actual encryptions.

When the user opens the JS attachment, the javascript will download and save a ransomware executable to %TEMP%\5021052.exe. This executable, though, is not launched yet. Then the script creates and launches a CMD script that contains the commands that will be used to scan for targeted files and encrypt them.

Nemucod JS Source
Nemucod JS Source

This CMD script will search for files that contain certain file extensions and when it discoverers a targeted file, will rename it to have the .CRYPTED extension, and then launches the %TEMP%\5021052.exe with the file as an argument. The 5021052.exe executable will then encrypt the first 2048 bytes of the file using XOR encryption. This process is continued for each file that has the following extensions:

*.zip *.rar *.7z *.tar *.gz *.xls *.xlsx *.doc *.docx *.pdf *.rtf *.ppt *.pptx *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.vb *.vcproj *.vbproj *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.psd *.eps *.cdr *.cpt *.indd *.dwg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.vdi *.vmdk *.vhd *.dsk

After encrypting the files, the CMD script will add various autorun entries to the registry so that the ransom notes are displayed and the ransomware is executed when a user logs into the computer.  When the CMD script has finished, it will delete itself from the computer.

Once the encryption routine is done, the ransomware will display the Decrypted.txt ransom note, which can be seen  below.

Ransom Note
Ransom Note

It is important to note that Nemucod delivers more than just a ransomware component. The Nemucod TrojanDownloader will also install the Kovter infection and possibly other malware.

Kovter Infection
Kovter Infection

Therefore, be sure to scan your computer with an up-to-date antivirus tool in order to confirm that all infections have been removed.


Files related to the Nemucod Trojan


Registry entries related to the Nemucod Trojan

HKCU\Software\Classes\.2MGvFO\	ayC5
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\	[unreadable_char]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Crypted	%Temp%\502105.txt
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\	[unreadable_char]


Related Articles:

The Week in Ransomware - October 26th 2018 - Decryptors, RaaS, and More

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More

New Ransomware using DiskCryptor With Custom Ransom Message