Decrypt latest Nemucod ransomware with Emsisoft’s free decrypter

Update (July 16th, 2017):
Shortly before we published our article, the NemucodAES threat actors unleashed a new version of their ransomware that wasn’t supported by our original decrypter. We are happy to announce that version and later of our decrypter support this new version now. If you have tried the decrypter before unsuccessfully, please download and try it again. Thanks!

The Nemucod ransomware family has been around for a while and has gone through several evolutions and changes in that time. Previous attempts at extorting money were thwarted by the release of our decrypter, which helped victims recover their files for free.

Amidst the noise of the NotPetya ransomware outbreak, a new variant of Nemucod dubbed NemucodAES was released. It changes the encryption mechanism and gives the ransom note a facelift.

Not to be outplayed by cyber criminals, our lab promptly went to work and produced a new version of our decrypter to handle NemucodAES and free victims’ files.

How NemucodAES ransomware works

The main infection vector of this latest offspring of the Nemucod ransomware family has remained the same: the classic ‘undelivered package’ spam campaign that tricks victims into opening the attachment and executing the JavaScript contained within.


Source code of the JavaScript file that arrives at the victim

Once unsuspecting victims are fooled into running the script, the malware downloads its ransomware component as well as the Kovter malware into the %TEMP% folder, where it executes both.

The NemucodAES ransomware component, which consists of a PHP script and the PHP interpreter, uses the same methods as previous variants to achieve persistence (read more about what ransomware does once it’s on a computer here). Once the interpreter executes the script, the script cycles through all possible drive letters (including external and network drives) and starts the encryption process.

The key difference from previous members of this family is that the encryption has changed from RC4 to a mix of AES-128 in ECB mode and RSA encryption, an infamous combination that we explained in more detail in a recent blog post. In addition, it does not change any file extensions, so victims will only become aware of the damage once they see the garbled contents or a cryptic error message when trying to open one of their documents.


Snippet of the code used to enumerate all drives for files to encrypt

NemucodAES ransomware targets the following file extensions:

.123, .602, .dif, .docb, .docm, .dot, .dotm, .dotx, .hwp, .mml, .odg, .odp, .ods, .otg, .otp, .ots, .ott, .pot, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .sldm, .sldx, .slk, .stc, .std, .sti, .stw, .sxc, .sxd, .sxm, .sxw, .txt, .uop, .uot, .wb2, .wk1, .wks, .xlc, .xlm, .xlsb, .xlsm, .xlt, .xltm, .xltx, .xlw, .xml, .asp, .bat, .brd, .c, .cmd, .dch, .dip, .jar, .js, .rb, .sch, .sh, .vbs, .3g2, .fla, .m4u, .swf, .bmp, .cgm, .djv, .gif, .nef, .png, .db, .dbf, .frm, .ibd, .ldf, .myd, .myi, .onenotec2, .sqlite3, .sqlitedb, .paq, .tbk, .tgz, .3dm, .asc, .lay, .lay6, .ms11, .ms11, .crt, .csr, .key, .p12, .pem, .qcow2, .vmx, .aes, .zip, .rar, .r00, .r01, .r02, .r03, .7z, .tar, .gz, .gzip, .arc, .arj, .bz, .bz2, .bza, .bzip, .bzip2, .ice, .xls, .xlsx, .doc, .docx, .pdf, .djvu, .fb2, .rtf, .ppt, .pptx, .pps, .sxi, .odm, .odt, .mpp, .ssh, .pub, .gpg, .pgp, .kdb, .kdbx, .als, .aup, .cpr, .npr, .cpp, .bas, .asm, .cs, .php, .pas, .class, .py, .pl, .h, .vb, .vcproj, .vbproj, .java, .bak, .backup, .mdb, .accdb, .mdf, .odb, .wdb, .csv, .tsv, .sql, .psd, .eps, .cdr, .cpt, .indd, .dwg, .ai, .svg, .max, .skp, .scad, .cad, .3ds, .blend, .lwo, .lws, .mb, .slddrw, .sldasm, .sldprt, .u3d, .jpg, .jpeg, .tiff, .tif, .raw, .avi, .mpg, .mp4, .m4v, .mpeg, .mpe, .wmf, .wmv, .veg, .mov, .3gp, .flv, .mkv, .vob, .rm, .mp3, .wav, .asf, .wma, .m3u, .midi, .ogg, .mid, .vdi, .vmdk, .vhd, .dsk, .img, .iso

In order to keep the system operational and to ensure that folders critical to the functioning of the ransomware (and to the later decryption) remain intact, it skips folders whose path contains any of the following strings:

\winnt, \boot, \system, \windows, \tmp, \temp, \program, \appdata, \application, \roaming, \msoffice, \temporary, \cache, recycler

Like its predecessors, NemucodAES only encrypts the first 2 KB of every targeted file. Unlike its predecessors, however, NemucodAES uses AES encryption with a randomly generated 128-bit per-file key. The encrypted data, together with the file name and the RSA-encrypted AES key, is then stored within a .db database file inside the %TEMP% directory. NemucodAES then overwrites the original first 2 KB of the file with random data.

Since the encrypted data is not stored within the files themselves but within a separate database file, that database file is essential for the decryption process, as explained further down.
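The targeting rules above (extension list, skipped folder strings) and the damage pattern (first 2 KB replaced by random bytes, name and extension untouched) can be turned into an incident-response triage check: which files on a drive were in scope, and which of them now carry a header that no longer matches their extension. The following script is an added example written for this article; it is not Emsisoft’s decrypter and not the malware’s code. The extension subset, the magic-signature table, the 7.5 bits/byte entropy threshold and the sample tree it builds are all assumptions of the example.

```python
"""Triage scanner: files NemucodAES would have targeted, and which look damaged.

Added example, not Emsisoft's decrypter. In-scope = targeted extension and no
skipped folder string in the path. Suspect = in scope and the first 2 KB no
longer start with the signature the extension implies (or, where no signature
is known, look like random bytes). Signature table and threshold are assumptions.
"""
import math
import os
import tempfile

# Subset of the extensions listed in the article (assumption: subset only).
TARGETED_EXTENSIONS = {
    ".txt", ".xml", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".png", ".jpg",
    ".zip", ".7z", ".rar", ".gz", ".pem", ".sql", ".csv", ".py", ".js",
}

# Folder substrings the ransomware skips, as quoted in the article.
SKIPPED_FOLDER_STRINGS = (
    "\\winnt", "\\boot", "\\system", "\\windows", "\\tmp", "\\temp", "\\program",
    "\\appdata", "\\application", "\\roaming", "\\msoffice", "\\temporary",
    "\\cache", "recycler",
)

# Well-known file signatures (assumption: a small table is enough here).
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
    ".7z": b"7z\xbc\xaf\x27\x1c", ".rar": b"Rar!", ".gz": b"\x1f\x8b",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
}

HEADER_LEN = 2048          # the ransomware only touches the first 2 KB
ENTROPY_THRESHOLD = 7.5    # bits/byte; random data scores close to 8.0


def in_scope(relative_path: str) -> bool:
    """Would NemucodAES have selected this file? relative_path is the path
    below the drive root, e.g. 'Users/bob/report.docx'."""
    lowered = "\\" + relative_path.replace("/", "\\").lower().lstrip("\\")
    if any(s in lowered for s in SKIPPED_FOLDER_STRINGS):
        return False
    return os.path.splitext(lowered)[1] in TARGETED_EXTENSIONS


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer: ~8.0 for random bytes, much lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def header_looks_damaged(path: str) -> bool:
    """True when the first 2 KB no longer match the expected signature, or
    look like random bytes where no signature is known for the extension."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(HEADER_LEN)
    expected = MAGIC.get(ext)
    if expected is not None:
        return not head.startswith(expected)
    return len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD


def triage(root: str) -> dict:
    """Walk root as if it were a drive; report in-scope and suspect files as
    forward-slash paths relative to root."""
    report = {"in_scope": [], "suspect": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not in_scope(rel):
                continue
            report["in_scope"].append(rel)
            if header_looks_damaged(full):
                report["suspect"].append(rel)
    return report


def run_demo() -> dict:
    """Build a constructed sample tree (not real victim data) and triage it."""
    random_like = bytes(range(256)) * 8      # 2048 bytes, entropy exactly 8.0
    samples = {
        "Documents/report.docx": b"PK\x03\x04" + b"\x00" * 300,  # intact
        "Documents/invoice.docx": random_like,             # header overwritten
        "Documents/readme.txt": b"quarterly figures attached\n" * 80,
        "Documents/notes.txt": random_like,                # header overwritten
        "Documents/tool.exe": random_like,                 # .exe not targeted
        "Windows/config.xml": random_like,                 # skipped folder
        "AppData/Roaming/settings.xml": random_like,       # skipped folder
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, payload in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(payload)
        return triage(root)


if __name__ == "__main__":
    print(run_demo())
```

Run `triage("C:\\")` (or the mount point of an affected drive) to get a list of candidates to pair with backups; the signature check is deliberately conservative, since a .txt whose first 2 KB is genuinely random would be rare, while an Office file that no longer starts with `PK` is almost certainly one the ransomware touched.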


The NemucodAES ransom note left behind on the system

Last but not least, the ransomware deletes any shadow copies stored on the system and creates a ransom note on the victim’s desktop named “DECRYPT.hta”, instructing the victim to pay the equivalent of US $300 in Bitcoin to get their files back.

Are Emsisoft users protected?

Short answer: Yes! Our award-winning Behavior Blocker technology with its Anti-Ransomware layer has been able to stop NemucodAES dead in its tracks without the need for updates:

NemucodAES is no match for our behaviour blocker

If you want to see Emsisoft’s Behavior Blocker in action against a wide variety of ransomware, check out our demonstration on YouTube.

For all non-Emsisoft customers: Decrypt your files using our free decrypter

Unfortunately, not everyone enjoys the state-of-the-art protection Emsisoft products provide, and we have seen an increase in victims turning to communities like BleepingComputer and ID Ransomware for help. For those victims, our lab created a special decrypter application that is able to restore affected files for free.

As explained in our thorough ransomware removal guide, it’s critical to follow the right steps when dealing with and removing ransomware. We suggest reading it before making any hasty removal attempts. This is particularly important here, as any decrypter needs access to the database file the ransomware created within the %TEMP% folder in order to restore the files.

Many popular cleaning and optimizer programs, such as CCleaner, delete files in the temp folder automatically, making decryption impossible for both the ransomware authors and our decrypter. So deactivate any such programs immediately and resist the temptation to blindly start cleaning.
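Because the database is the single point of failure for recovery, the first responder step is to copy it somewhere safe before any cleaner, antivirus quarantine or reboot can remove it. The script below is an added example (not Emsisoft’s decrypter) that does just that: it looks in the temp directory for a .db file that shares its long basename with sibling files of other extensions, which is how commenters on this article describe the dropped set (.db alongside .php, .hta, .exe and others), copies the whole set with timestamps preserved, verifies each copy by SHA-256 and writes a hash manifest. The sibling-extension set, the minimum basename length and the constructed sample names are assumptions of the example.

```python
"""Locate and preserve the NemucodAES file database before any cleanup.

Added example, not Emsisoft's decrypter. Finds every .db in the temp folder
whose basename is also used by sibling files (.php/.hta/.exe/...), copies the
set to a preservation folder and records SHA-256 hashes. The sibling extension
list and the minimum basename length are assumptions.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

SIBLING_EXTENSIONS = {".php", ".hta", ".exe", ".doc", ".bmp"}  # as reported in comments
MIN_BASENAME_LEN = 16  # assumption: the dropped names are long random strings


def find_database_sets(temp_dir: str) -> dict:
    """Return {basename: [paths]} for each .db that has same-named siblings."""
    by_stem = {}
    for entry in Path(temp_dir).iterdir():
        if entry.is_file():
            by_stem.setdefault(entry.stem, []).append(entry)
    result = {}
    for stem, files in by_stem.items():
        exts = {f.suffix.lower() for f in files}
        if ".db" in exts and exts & SIBLING_EXTENSIONS and len(stem) >= MIN_BASENAME_LEN:
            result[stem] = sorted(str(f) for f in files)
    return result


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so a 1 GB database is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(temp_dir: str, dest_dir: str) -> dict:
    """Copy each database set into dest_dir; return {copied_path: sha256}."""
    os.makedirs(dest_dir, exist_ok=True)
    manifest = {}
    for paths in find_database_sets(temp_dir).values():
        for src in paths:
            dst = os.path.join(dest_dir, os.path.basename(src))
            shutil.copy2(src, dst)  # copy2 keeps timestamps, useful for the timeline
            digest = sha256_file(dst)
            if digest != sha256_file(src):
                raise RuntimeError(f"copy verification failed for {src}")
            manifest[dst] = digest
    with open(os.path.join(dest_dir, "MANIFEST.sha256"), "w") as fh:
        for p, digest in sorted(manifest.items()):
            fh.write(f"{digest}  {os.path.basename(p)}\n")
    return manifest


def run_demo() -> dict:
    """Build a constructed %TEMP% lookalike (not real malware files), preserve it."""
    stem = "EXAMPLEbasename0123456789abcdef"  # constructed; real names differ
    db_payload = b"DBDATA" * 100
    with tempfile.TemporaryDirectory() as work:
        temp_dir = os.path.join(work, "Temp")
        dest = os.path.join(work, "preserved")
        os.makedirs(temp_dir)
        for ext, payload in ((".db", db_payload), (".php", b"<?php "),
                             (".hta", b"<html>"), (".exe", b"MZ")):
            Path(temp_dir, stem + ext).write_bytes(payload)
        Path(temp_dir, "unrelated.db").write_bytes(b"x")   # no siblings: ignored
        Path(temp_dir, "short.db").write_bytes(b"x")       # basename too short
        Path(temp_dir, "short.php").write_bytes(b"x")
        found = find_database_sets(temp_dir)
        manifest = preserve(temp_dir, dest)
        return {
            "sets": {k: [os.path.basename(p) for p in v] for k, v in found.items()},
            "copied": sorted(os.path.basename(p) for p in manifest),
            "db_hash_ok": sha256_file(os.path.join(dest, stem + ".db"))
            == hashlib.sha256(db_payload).hexdigest(),
            "manifest_exists": os.path.exists(os.path.join(dest, "MANIFEST.sha256")),
        }


if __name__ == "__main__":
    temp_dir = os.environ.get("TEMP", tempfile.gettempdir())
    print(preserve(temp_dir, os.path.join(os.getcwd(), "nemucod_db_preserved")))
```

Run it on the affected machine before anything else touches the temp folder, and keep the preserved copy on a different volume; the manifest lets you confirm later that the copy handed to the decrypter is byte-identical to what the ransomware wrote.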

Victims of NemucodAES ransomware can download our decrypter on our dedicated decrypter download page.

Have a great (ransomware-free) day!


  • Hi, I have a client with this ransomware on her computer. I’ve tried running the decrypter, but I get the following message: “The decrypter was unable to locate the file database on your system.”. I can see the .db file in the proper temp directory, and it has the same number as the file name that’s referenced in the ransom letter. Dragging and dropping the .db file onto the decrypter doesn’t work. Any ideas? Any help would be appreciated.

  • billy weyant

    I am having similar issues. I see obscure file names with .php, .hta, .doc, .bmp, .exe, & .db extensions in temp directory with the same date stamp.

  • billy weyant

    Decryptor was unable to locate the file database on your system. The directory it references is the directory the files are in. Sorry, I hit post before I finished.

    • Fabian Wosar

      A new version of the decrypter was released a few minutes ago. You will require at least one unencrypted version of one of the files that were encrypted. Preferably one that is very high up the list. The further down the file is in the list the longer it will take to restore the database.

  • jr105

    It also failed for me. It located the directory, but was unable to decrypt the files. When the encryption happened, I had a network computer mapped as Z: drive, which was also affected. When I ran the decrypter, that drive was NOT mapped. I remapped that drive and am running the decrypter again. I don’t know if that could do it, but if you have multiple drives affected, I would make sure they’re still the same drive letter that the database file refers to, and that it’s connected.

    • Fabian Wosar

      Be careful with that. Doing that will try to decrypt files that are already decrypted. As a result, you may end up messing up your data. The decrypter isn’t intended to be used like that.

      • jr105

        I am not sure what you mean. I was under the assumption that the decrypter looked at the files in the database and used that to decrypt. If the drive that was affected isn’t mapped when the decrypter runs, it wouldn’t be able to locate the files. Am I wrong with how it uses the database to decrypt?

    • Fabian Wosar

      I added a check now to prevent additional decryption if a backup file is present, which would indicate that the file has already been decrypted. This should allow you to do what you wanted to do. Make sure you download the new version though.

      • jr105

        Will try that. Thank you!

      • jr105

        I’m assuming is the newest version?

  • Michael Murphy

    Same issue here. Unable to find database error. I have emailed the files per your recommendation below.

  • Eli Grieshop

    I received the following message

  • Sintax

    Has anyone figured out how to solve the issue where the database file cannot be found ? I have the database file in the directory it’s looking but for some reason it’s not using it.

    • Sintax

      also the DB file is 1.04GB

    • Fabian Wosar

      Because the database file belongs to a version of the ransomware the decrypter doesn’t support yet.

      • Sintax

        is there a way to find out which version it is?

        • Fabian Wosar

          If the database file is there but the decrypter doesn’t find it, it’s the second variant.

      • Michael Murphy

        Any idea of time frame before the decrypter works? I was assuming the issue of not finding the .db file was just a bug that would be corrected any moment. If that’s not the case, I need to let the client know the data is gone and move on…

        • Fabian Wosar

          The new decrypter was released a few minutes ago. Version and up. You will require at least one unencrypted version of one of the files that were encrypted. Preferably one that is very high up the list. The further down the file is in the list the longer it will take to restore the database.

  • Thank you for the update! I found an unencrypted match as an email attachment and it’s chugging away trying to decrypt everything.


    • Fabian Wosar

      Let me know how things turned out for you :)

      • It took most of the night to figure out the decryption, but when I got up this morning it was ready. Everything decrypted in minutes! She’s going to be so happy. :)

        Thank you again.

        • Fabian Wosar

          Glad it worked and you got your files back :)

  • Support JazzIt

    Hi, I have a client machine with the NemucodAES ransomware. The .db file exists in the TEMP Folder as do the following files:
    1DmvJRq1uHYY . . . . . . dS6v.bmp
    1DmvJRq1uHYY . . . . . . dS6v.db
    1DmvJRq1uHYY . . . . . . dS6v.doc
    1DmvJRq1uHYY . . . . . . dS6v.exe
    1DmvJRq1uHYY . . . . . . dS6v.hta
    1DmvJRq1uHYY . . . . . . dS6v.php

    Malwarebytes has been run and only quarantined files.

    On running decrypt_NemucodAES.exe it gives a “Please be patient!” prompt, then takes about 3 minutes before returning the prompt “Nemucod file database not found” …..

    Is there anything I need to do? Rename the .db file or something to ensure the decrypt locates the .db file?

    Sorry if this has already been answered, I thought I read all posts on the subject.

    Many thanks

  • Sarah Jo Gemmill Shearer

    I am also getting the same error after a few minutes of “The decrypter was unable to locate the file database on your system.” I have checked the appropriate TEMP folder and see a .db file still present along with several other files with the same long and random file name.

    • Fabian Wosar

      Please try the latest version of the decrypter ( or later).

      • Sarah Jo Gemmill Shearer

        I have the decrypter downloaded and am waiting to try at work this morning. As we have not touched the PC at all really as far as “clean up” goes. Should we run something to remove the ransomware first or decrypt, backup and then format? Thank you for your help.

  • Gabriel Almodovar

    when i run the decryptor it pulls up one file on the E: drive that is encrypted and then asks that i locate an unencrypted version of this file. only problem is the e drive is just the system reserved drive. any way to use 2 files from the main (C:) drive? I have plenty of those!

  • Mossor

    What if the .db file is missing. I believe my customer may have run some type of clean up software but they do not remember which it was.

    • Fabian Wosar

      To put it bluntly: SOL. There is no way to get the files back. The ransomware only encrypts the first 2048 or 100,000 bytes. So depending on the file type, some data may be recoverable using specialised tools. One important bit: Paying the ransom will not help. The ransomware authors can’t bring back the data either without the database file.

  • Kristian Kuharszky

    Hello, I downloaded the version of the decrypter program. It asks me to select which file to use to recover database. I get the following bad file pair message: “The file pair you selected doesn’t appear to match.” I tried to match a lot of different files and always get the same bad file pair message. Am I doing something wrong? How can I find a good pair? Any help would be greatly appreciated.

    • Fabian Wosar

      The error appears if the decrypter thinks that the file you selected is obviously not an unencrypted version of the file you picked out in the list. The reason for that is that either the file sizes don’t match up or both the picked out file in the list and the selected file are identical.

      • Kristian Kuharszky

        I ended up using the version and it worked great! Thank you so much. I really appreciate all your help. This is awesome!!!

  • Rodd Stoeger

    Hi, I’ve verified that the %temp%/1MDAoL…etc…db along with a few other files of the same name but different extension exist, and when running the decrypt I get “the decrypter was unable to locate the file database”.
    Are there some instructions or tasks that I still need to perform, or are there different variants not covered by this decrypter? I used ID Ransomware to check and most of the article lines up.

    The only difference I can see from the article is that all desktop shortcuts have had their extensions changed to *.hta and there is no decrypt.hta.
    Each *.hta file on the desktop has the same ransom note but there is also no mention of the decrypt.hta instruction within.

    My client confirms that they opened a delivery note and noticed a black window and nothing happened until they tried to open a document and all the icons changed to the *.hta extension.

    This occurred on the 20th July 2017 7:56am (db file time stamp) Australian central time.
    *.hta files show a time stamp of 20th July 2017 7:59am after the last write time to the database.
    As this is a tablet there is a slight possibility that the power had failed on the device before the encryption could complete but I’ve no confirmation of this.
    Database file is around 675 meg in size.

    I appreciate the great work so far and that there may be an option still.

  • Sarah Jo Gemmill Shearer

    I am finally getting around to running the newest version and am having some issues understanding what it is wanting me to do. I have a popup that has appeared that asks the following: “Please select which file the decrypter should use to recover the file database. You require the original, unencrypted version of the file to perform the recovery. The further up the file is in the list, the faster the decrypter will be able to recover the database file:” What do I need to be looking for with this? Do I need to find a file that I know was a backup of the file not infected or what?

    • Fabian Wosar

      You need to find the original version of a file as high up in the list as possible. Then select the encrypted version of the file in the list and select the original version using the button. That’s it. The crucial bit is “as high up in the list as possible”. Every 5 files further down the list adds another hour to decrypting the file database on my system, which is quite fast. On an older system, the difference will be much greater.

  • Kevin Butler

    Good evening,

    I have version This computer was infected on 7/31/2017 at approximately 0830 in the morning with all timestamps showing 0900 as when all files were encrypted. The .db file and associated files are all intact. When I run the decryptor, it states it cannot find the database after sitting there and working for about 10-15 minutes. Is this yet another new variant on an evolving virus? Also, if I have to upload a file, my e-mail won’t send a 1.5 GB file. Is there a place we can upload files?

    Thank you for all of your help,


    • Fabian Wosar

      You can just pack the file with ZIP, which will likely reduce its size quite a bit. After that, you can upload to any file hoster you want like Dropbox or Google Drive and send me the public link. :)

      • Kevin Butler

        Thank you so much, that did the trick.

        • Fabian Wosar

          Glad it worked :)

  • venkat

    Hi, I am using version. When I run the decrypt_NemucodAES.exe I get an error stating cannot find *.db in temp folder, whereas the file is present.

    • Fabian Wosar

      Can you upload the .db file somewhere so I can have a look at it? Thanks :)

      • venkat

        I have sent the link but it is not visible here

  • tamer ali

    I am using version. When I run the decrypt_NemucodAES.exe I get an error stating cannot find *.db in temp folder, whereas the file is present, and it is about 670 MB. Can you help?

    • Fabian Wosar

      Please try the latest version :)

  • Mark Fellman

    Hi – I am dealing with what appears to be Nemucod-AES based on ID Ransomware scan. I just ran the Emsisoft Decrypter and it listed a large number of potential files to select from for the database. They do not appear to be database-type files or to be in a %temp% directory. Is there a way to manually look for the database file? The C:/Temp folder is empty and the C:/Users/ directory doesn’t have an “AppData” folder in it. Any advice?

    • Fabian Wosar

      The decrypter automatically located the database for you already. All you need to do is go through the list and find an original unencrypted version to any file in the list it displays. It is crucial that you find a file that is as high up on the list as possible. Every 5 files down roughly doubles the time the decrypter will need to figure out the encryption. Once you found an unencrypted, original version, just point the decrypter to it by pressing the button.

      • Mark Fellman

        Thanks for responding Fabian. We just got back from a trip and I saw your message. I went through the file list and those at the beginning were system and printer files that I didn’t back up. While I could potentially find files with the same name online, I assume the file must be identical so I didn’t try that. So I went down to the first file on the list appearing from the “My Documents” which was pretty early on the list, found a clean copy from my backup, and set the decrypter working. As you alluded to above, the progress is very slow currently listing “0.57% of key space exhausted”. My followup question is whether this will need to reach 100% to be successful and whether the speed is linear from 0 to 100% (it could take over a week at this pace!). Thanks for any further thoughts! Mark

      • Mark Fellman

        I got impatient and stopped the decryption since it was projected to take more than 10 days. After some detective work I was able to find a video driver zip file from Dell that seems to be from the same laptop build as my model. This file was 3rd on the list. I restarted the decryptor and it is running now with projected 4 hour run time. I will keep you and other readers posted (the recent posts and replies were most helpful to me)

      • Mark Fellman

        Good/bad news here. The decryptor finished in about 4 hours and I started the decryption sequence (note to other users, go the extra mile and find a backup file at the beginning of the list). It was running through thousands of files successfully repairing them but at some point maybe 75% thru it had a problem and locked up. The screen listed the file where this happened and had a pop-up “abort” box; however the computer was locked up and I could not do anything other than reboot. Of course when I rebooted the decryptor sequence was lost. I checked the files and it successfully repaired all the files it got to before it locked up. I am rerunning the decryptor because I am not sure how to re-initiate the decryptor without starting from scratch. Fabian if there is a way to do this please let me know! Not sure what will happen when I try to decrypt files that already are repaired but hoping it skips over them and starts back where it left off. Fabian please let me know if you have any advice! Thanks, Mark

        • Fabian Wosar

          Most likely problem: You ran out of disk space. So please check if your disk is full. Creating the backups will temporarily double the disk space requirements of your data until you have removed the backups. You can simply start the decrypter again and it should restore the file database from the DecryptionKeys.db this time, which is located in the same directory as the decrypter.

          • Mark Fellman

            I re-ran the decryptor and it worked perfectly this time, skipping the files it had already decrypted and then repairing the rest. Not sure why it stalled, the hard drive was not full but maybe some RAM or buffer thing. An additional point for any readers of these comments is that the decryptor did not initially decrypt files I had on a thumb-drive which was also infected. In consult with Fabian he identified that the drive letter had changed from what it was called at the time of the infection. I renamed the drive from E: to F: and re-ran the decryptor and it repaired the files on the thumb-drive also. I can’t thank Fabian enough for this technology and service! My number one advice for anyone reading is to find a file as high up on the list as possible, it is worth the effort!

  • How long should the newest (8/1/17) decryption take? Mine says 2786:08:30 — that’s around 116 days!?!?!

    • Fabian Wosar

      Try the attack against a file higher up in the list. Every 5 files down the time of the attack roughly doubles.

      • Found a file higher up… Fixed in 3 hrs, vs 116 days.

  • Todd Dutoi

    Our computer has been infected by NemucodAES. I downloaded the decrypter, ran it, paired a file in the database with the unencrypted version of the file and it started the process. After about 12 hours, it was still saying that the ETA was 185:27:16. It was varying a bit but staying close to that ETA. It also said that 6.53% of key space exhausted. Is this correct that it will take that long to decrypt the files? Are we on track or is something going wrong?

    • Fabian Wosar

      ETA calculations are a bit wonky at times. As long as there is progress you should be good to go.

  • Whoo hoo!! It worked!!

  • gordonohara

    Hi there.. thanks for your wonderful work. I have this Nemucod ransomware. I downloaded the tools and found out that you have to match a file. The file I found to match was about 500 files in.. and on a back up. I did match up one of the infected files to a file on the back up disk.. and the system started running and has been for five days now.. about 4% of key space is exhausted.. My questions are.

    1. I assume that once I made the match of the files .. the corrupt one on my C: drive and the correct one on the backup disk– that the ‘Correct” file is no longer needed.. right? Because to prevent infection of the back up disk I unplugged it after the match was made and the recover file database started running. I assume this doesn’t disrupt the file recovery process.. right?

    2. I ask the above because the program has been running for 5 days.. Intel I5 8 GB RAM so relatively recent. Do you recommend stopping the process and trying to find a file closer to the top of the list or continuing to let it run its course. I noticed you said every 5 files takes one hour.. so if it’s getting close to the correct match then I don’t want to unplug.. on the other hand it could take a long time.. The current counter is moving but has been stuck at ETA– 6472 or so.. for the past 5 days.

    Thanks very much for all you do and your advice on this.

  • Алик Сираев

    Hi, I have a client with this ransomware on her computer. I’ve tried running the decrypter, but I get the following message: “The decrypter was unable to locate the file database on your system.” I can’t see the .db file in the proper temp directory. What can I do ?

  • Gareth Wilson

    We are running v.078 and it finds the DB etc. We give it a file which matches the infected ones on the list (a good copy) and it starts to chug away; after 6 hours it gets to 100% and says it couldn’t decrypt the files?