Decrypted: Emsisoft Releases a Decryptor for NemucodAES Ransomware

These SPAM emails contain attachments that, when opened, will run a JS file that downloads PHP and a PHP script, which is the actual ransomware component. When encrypting files, it will skip files in the following folders: winnt, boot, system, windows, tmp, temp, program, appdata, application, roaming, msoffice, temporary, cache, recycle. It will then encrypt any files that have the following extensions: .123, .602, .dif, .docb, .docm, .dot, .dotm, .dotx, .hwp, .mml, .odg, .odp, .ods, .otg, .otp, .ots, .ott, .pot, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .sldm, .sldx, .slk, .stc, .std, .sti, .stw, .sxc, .sxd, .sxm, .sxw, .txt, .uop, .uot, .wb2, .wk1, .wks, .xlc, .xlm, .xlsb, .xlsm, .xlt, .xltm, .xltx, .xlw, .xml, .asp, .bat, .brd, .c, .cmd, .dch, .dip, .jar, .js, .rb, .sch, .sh, .vbs, .3g2, .fla, .m4u, .swf, .bmp, .cgm, .djv, .gif, .nef, .png, .db, .dbf, .frm, .ibd, .ldf, .myd, .myi, .onenotec2, .sqlite3, .sqlitedb, .paq, .tbk, .tgz, .3dm, .asc, .lay, .lay6, .ms11, .ms11, .crt, .csr, .key, .p12, .pem, .qcow2, .vmx, .aes, .zip, .rar, .r00, .r01, .r02, .r03, .7z, .tar, .gz, .gzip, .arc, .arj, .bz, .bz2, .bza, .bzip, .bzip2, .ice, .xls, .xlsx, .doc, .docx, .pdf, .djvu, .fb2, .rtf, .ppt, .pptx, .pps, .sxi, .odm, .odt, .mpp, .ssh, .pub, .gpg, .pgp, .kdb, .kdbx, .als, .aup, .cpr, .npr, .cpp, .bas, .asm, .cs, .php, .pas, .class, .py, .pl, .h, .vb, .vcproj, .vbproj, .java, .bak, .backup, .mdb, .accdb, .mdf, .odb, .wdb, .csv, .tsv, .sql, .psd, .eps, .cdr, .cpt, .indd, .dwg, .ai, .svg, .max, .skp, .scad, .cad, .3ds, .blend, .lwo, .lws, .mb, .slddrw, .sldasm, .sldprt, .u3d, .jpg, .jpeg, .tiff, .tif, .raw, .avi, .mpg, .mp4, .m4v, .mpeg, .mpe, .wmf, .wmv, .veg, .mov, .3gp, .flv, .mkv, .vob, .rm, .mp3, .wav, .asf, .wma, .m3u, .midi, .ogg, .mid, .vdi, .vmdk, .vhd, .dsk, .img, .iso. When done, NemucodAES will display a ransom note named Decrypt.hta, which contains the ransom amount and payment instructions.
To decrypt files encrypted by the NemucodAES ransomware, you first need to download the NemucodAES Decryptor below. The decryptor will try to recover the file database. When it has finished, it will display an alert stating that the Nemucod file database was recovered. When ready, click on the Decrypt button to begin decrypting the NemucodAES encrypted files. Once you click Decrypt, the program will decrypt all the encrypted files and display the decryption status in a results screen like the one below, and all of your files should now be decrypted. Though your files are now decrypted, the original encrypted files will still be on your computer.

I am pleased to report that Fabian Wosar of Emsisoft released a decryptor for the NemucodAES Ransomware. First spotted by ID-Ransomware's Michael Gillespie and then later confirmed by security researcher Derek Knight, NemucodAES is distributed via SPAM emails that pretend to be missed delivery notifications from UPS.

These SPAM emails contain attachments that, when opened, run a JS file that downloads PHP and a PHP script, which is the actual ransomware component. Unlike most ransomware, Nemucod is PHP based and its source is easily visible.

Once started, the PHP script will scan the drives for targeted files and encrypt them. Unlike most other ransomware infections, NemucodAES does not append a new extension or rename the files that are encrypted. When encrypting files, it will skip files in the following folders:

winnt, boot, system, windows, tmp, temp, program, appdata, application, roaming, msoffice, temporary, cache, recycle

It will then encrypt any files that have the following extensions:

.123, .602, .dif, .docb, .docm, .dot, .dotm, .dotx, .hwp, .mml, .odg, .odp, .ods, .otg, .otp, .ots, .ott, .pot, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .sldm, .sldx, .slk, .stc, .std, .sti, .stw, .sxc, .sxd, .sxm, .sxw, .txt, .uop, .uot, .wb2, .wk1, .wks, .xlc, .xlm, .xlsb, .xlsm, .xlt, .xltm, .xltx, .xlw, .xml, .asp, .bat, .brd, .c, .cmd, .dch, .dip, .jar, .js, .rb, .sch, .sh, .vbs, .3g2, .fla, .m4u, .swf, .bmp, .cgm, .djv, .gif, .nef, .png, .db, .dbf, .frm, .ibd, .ldf, .myd, .myi, .onenotec2, .sqlite3, .sqlitedb, .paq, .tbk, .tgz, .3dm, .asc, .lay, .lay6, .ms11, .ms11, .crt, .csr, .key, .p12, .pem, .qcow2, .vmx, .aes, .zip, .rar, .r00, .r01, .r02, .r03, .7z, .tar, .gz, .gzip, .arc, .arj, .bz, .bz2, .bza, .bzip, .bzip2, .ice, .xls, .xlsx, .doc, .docx, .pdf, .djvu, .fb2, .rtf, .ppt, .pptx, .pps, .sxi, .odm, .odt, .mpp, .ssh, .pub, .gpg, .pgp, .kdb, .kdbx, .als, .aup, .cpr, .npr, .cpp, .bas, .asm, .cs, .php, .pas, .class, .py, .pl, .h, .vb, .vcproj, .vbproj, .java, .bak, .backup, .mdb, .accdb, .mdf, .odb, .wdb, .csv, .tsv, .sql, .psd, .eps, .cdr, .cpt, .indd, .dwg, .ai, .svg, .max, .skp, .scad, .cad, .3ds, .blend, .lwo, .lws, .mb, .slddrw, .sldasm, .sldprt, .u3d, .jpg, .jpeg, .tiff, .tif, .raw, .avi, .mpg, .mp4, .m4v, .mpeg, .mpe, .wmf, .wmv, .veg, .mov, .3gp,...
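Because NemucodAES neither renames files nor appends an extension, an analyst cannot list affected files by name. The following triage helper is an added example (not code from the article, from Emsisoft, or from the ransomware) that applies the article's own targeting rules, skipping any folder whose name contains one of the listed substrings and keeping only the listed extensions, and then flags in-scope files whose leading bytes look like ciphertext using a Shannon-entropy heuristic. The substring folder matching, the 7.0 bits/byte threshold and the reduced extension set are assumptions made for the example.

```python
import math
import ntpath

# Folder substrings the article says NemucodAES skips (matched case-insensitively
# against every directory component of the path; substring match is an assumption).
SKIP_FOLDERS = ("winnt", "boot", "system", "windows", "tmp", "temp", "program",
                "appdata", "application", "roaming", "msoffice", "temporary",
                "cache", "recycle")

# A subset of the targeted extensions from the article; extend from the full list.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".png",
               ".zip", ".7z", ".sql", ".key", ".pem", ".kdbx", ".py", ".vmdk"}

# Assumption: bits/byte at or above this value is treated as "looks encrypted".
ENTROPY_THRESHOLD = 7.0


def in_scope(path: str) -> bool:
    """True if the article's folder and extension rules would target this path."""
    parts = ntpath.normpath(path).split("\\")
    for folder in parts[:-1]:
        if any(skip in folder.lower() for skip in SKIP_FOLDERS):
            return False
    return ntpath.splitext(parts[-1])[1].lower() in TARGET_EXTS


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(files: dict) -> list:
    """Return sorted in-scope paths whose first 4 KiB score as high entropy."""
    return sorted(p for p, head in files.items()
                  if in_scope(p) and shannon_entropy(head[:4096]) >= ENTROPY_THRESHOLD)


# Constructed sample: path -> leading bytes. bytes(range(256)) stands in for
# ciphertext (entropy exactly 8.0); the sentence stands in for an untouched document.
SAMPLE_FILES = {
    "C:\\Users\\bob\\Documents\\report.docx": bytes(range(256)) * 16,
    "C:\\Users\\bob\\Documents\\notes.txt": b"Quarterly sales figures, see table.\n" * 80,
    "C:\\Users\\bob\\AppData\\Roaming\\state.docx": bytes(range(256)) * 16,
    "C:\\Program Files\\App\\readme.txt": bytes(range(256)) * 16,
    "C:\\Users\\bob\\Desktop\\tool.exe": bytes(range(256)) * 16,
}

if __name__ == "__main__":
    for path in triage(SAMPLE_FILES):
        print("candidate:", path)
```

Already-compressed formats such as .jpg, .zip and .7z score close to 8 bits/byte even when untouched, so treat the output as a candidate list for the decryptor, not a verdict.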