Decrypt latest Nemucod ransomware with Emsisoft’s free decrypter


Update (July 16th, 2017):
Shortly before we published our article, the NemucodAES threat actors unleashed a new version of their ransomware that wasn’t supported by our original decrypter. We are happy to announce that version 1.0.0.54 and later of our decrypter now support this new version. If you have tried the decrypter before without success, please download and try it again. Thanks!


The Nemucod ransomware family has been around for a while and has gone through several evolutions and changes since then. Previous attempts at extorting money were thwarted by the release of our decrypter, which helped victims recover their files for free.

Amidst the noise of the NotPetya ransomware outbreak, a new variant of Nemucod dubbed NemucodAES was released that changed the encryption mechanism and gave its ransom note a facelift.

Not to be outplayed by cyber criminals, our lab promptly went to work and produced a new version of our decrypter to handle NemucodAES and free victims’ files.

How NemucodAES ransomware works

The main infection vector of this latest offspring of the Nemucod ransomware family has remained the same, relying on the classic ‘undelivered package’ spam campaign to trick victims into opening the attachment and executing the JavaScript contained within.

Source code of the JavaScript file that arrives at the victim

Once unsuspecting victims are fooled into running the script, the malware downloads its ransomware component as well as the Kovter malware into the %TEMP% folder, where it then executes both.

The NemucodAES ransomware component, which consists of a PHP script and the PHP interpreter, uses the same methods as previous variants to achieve persistence (read more about what ransomware does once it’s on a computer here). Once the interpreter executes the script, it cycles through all possible drive letters (including external and network drives) and starts the encryption process.

The key difference from previous members of this family is that the encryption has changed from RC4 to a mix of AES-128 in ECB mode and RSA encryption, an infamous combination that we explained in more detail in a recent blog post. In addition, it does not change any file extensions, so victims will only become aware of the damage once they look at the garbled contents or get a cryptic error message when trying to open one of their documents.

Snippet of the code used to enumerate all drives for files to encrypt

NemucodAES ransomware targets the following file extensions:

.123, .602, .dif, .docb, .docm, .dot, .dotm, .dotx, .hwp, .mml, .odg, .odp, .ods, .otg, .otp, .ots, .ott, .pot, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .sldm, .sldx, .slk, .stc, .std, .sti, .stw, .sxc, .sxd, .sxm, .sxw, .txt, .uop, .uot, .wb2, .wk1, .wks, .xlc, .xlm, .xlsb, .xlsm, .xlt, .xltm, .xltx, .xlw, .xml, .asp, .bat, .brd, .c, .cmd, .dch, .dip, .jar, .js, .rb, .sch, .sh, .vbs, .3g2, .fla, .m4u, .swf, .bmp, .cgm, .djv, .gif, .nef, .png, .db, .dbf, .frm, .ibd, .ldf, .myd, .myi, .onenotec2, .sqlite3, .sqlitedb, .paq, .tbk, .tgz, .3dm, .asc, .lay, .lay6, .ms11, .ms11, .crt, .csr, .key, .p12, .pem, .qcow2, .vmx, .aes, .zip, .rar, .r00, .r01, .r02, .r03, .7z, .tar, .gz, .gzip, .arc, .arj, .bz, .bz2, .bza, .bzip, .bzip2, .ice, .xls, .xlsx, .doc, .docx, .pdf, .djvu, .fb2, .rtf, .ppt, .pptx, .pps, .sxi, .odm, .odt, .mpp, .ssh, .pub, .gpg, .pgp, .kdb, .kdbx, .als, .aup, .cpr, .npr, .cpp, .bas, .asm, .cs, .php, .pas, .class, .py, .pl, .h, .vb, .vcproj, .vbproj, .java, .bak, .backup, .mdb, .accdb, .mdf, .odb, .wdb, .csv, .tsv, .sql, .psd, .eps, .cdr, .cpt, .indd, .dwg, .ai, .svg, .max, .skp, .scad, .cad, .3ds, .blend, .lwo, .lws, .mb, .slddrw, .sldasm, .sldprt, .u3d, .jpg, .jpeg, .tiff, .tif, .raw, .avi, .mpg, .mp4, .m4v, .mpeg, .mpe, .wmf, .wmv, .veg, .mov, .3gp, .flv, .mkv, .vob, .rm, .mp3, .wav, .asf, .wma, .m3u, .midi, .ogg, .mid, .vdi, .vmdk, .vhd, .dsk, .img, .iso

In order to keep the system operational and ensure that folders critical to the functioning of the ransomware and later decryption remain intact, it will skip folders containing the following strings:

\winnt, \boot, \system, \windows, \tmp, \temp, \program, \appdata, \application, \roaming, \msoffice, \temporary, \cache, recycler

Like its predecessors, NemucodAES only encrypts the first 2 KB of every targeted file. Unlike its predecessors, however, NemucodAES uses AES encryption with a randomly generated 128-bit per-file key. The encrypted data, as well as the file name and the RSA-encrypted AES keys, are then stored within a .db database file inside the %TEMP% directory. NemucodAES then overwrites the original first 2 KB of the file with random data.

Since the encrypted data is not stored within the files themselves but within this separate database file, the database file is essential for the decryption process, as explained further down.
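Because NemucodAES keeps the original file name and extension but replaces the first 2 KB with random bytes, a header whose magic bytes no longer match its extension while showing near-maximal entropy is a strong indicator of a damaged file. The following triage script is an added example for incident responders sweeping a suspected victim’s drives; it is not part of Emsisoft’s decrypter or the original post, and its extension-to-magic table is a constructed subset of the targeted extensions listed above.

```python
import math
import os

HEAD_LEN = 2048  # NemucodAES replaces exactly the first 2 KB with random data

MAGIC = {  # magic bytes for some targeted extensions (constructed subset)
    ".pdf": (b"%PDF",), ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"), ".gz": (b"\x1f\x8b",),
    ".zip": (b"PK\x03\x04",), ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
    ".rar": (b"Rar!\x1a\x07",), ".7z": (b"7z\xbc\xaf\x27\x1c",),
}

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def assess_header(ext: str, head: bytes) -> str:
    """'intact': magic matches. 'suspect': wrong magic and a near-random
    header, as the 2 KB overwrite leaves behind. 'mismatch': wrong magic but
    low entropy (some other corruption). 'unknown': extension not in MAGIC."""
    sigs = MAGIC.get(ext.lower())
    if sigs is None:
        return "unknown"
    if any(head.startswith(s) for s in sigs):
        return "intact"
    return "suspect" if shannon_entropy(head[:HEAD_LEN]) > 7.5 else "mismatch"

def scan_tree(root: str) -> list:
    """List (path, verdict) for files under root that are not 'intact'/'unknown'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    verdict = assess_header(os.path.splitext(name)[1], fh.read(HEAD_LEN))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if verdict in ("suspect", "mismatch"):
                hits.append((path, verdict))
    return hits
```

Run `scan_tree()` read-only against a copy of the affected volume; it never modifies files and does not touch the %TEMP% database the decrypter depends on.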

The NemucodAES ransom note left behind on the system

Last but not least, the ransomware deletes any shadow copies stored on the system and creates a ransom note on the victim’s desktop named “DECRYPT.hta”, instructing the victim to pay the equivalent of US $300 in Bitcoin to get their files back.

Are Emsisoft users protected?

Short answer: Yes! Our award-winning Behavior Blocker technology with its Anti-Ransomware layer has been able to stop NemucodAES dead in its tracks without the need for updates:

NemucodAES is no match for our behaviour blocker

If you want to see Emsisoft’s Behavior Blocker in action against a wide variety of ransomware, check out our demonstration on YouTube.

For all non-Emsisoft customers: Decrypt your files using our free decrypter

Unfortunately, not everyone enjoys the state-of-the-art protection Emsisoft products provide, and we have seen an increase in victims turning to communities like BleepingComputer and ID Ransomware for help. For those victims, our lab created a special decrypter application that is able to restore affected files for free.

As explained in our thorough ransomware removal guide, it’s critical to follow the right steps when dealing with and removing ransomware. We suggest reading it before making any hasty removal attempts. This is particularly important in this case, as any decrypter needs access to the database file the ransomware created within the %TEMP% folder in order to restore the files.

Many popular cleaning and optimizer programs, such as the popular CCleaner, delete files in the temp folder automatically, making decryption impossible for the ransomware authors as well as for our decrypter. So deactivate any such programs immediately and resist the temptation to blindly start cleaning.

Victims of NemucodAES ransomware can download our decrypter on our dedicated decrypter download page.

Have a great (ransomware-free) day!


  • Hi, I have a client with this ransomware on her computer. I’ve tried running the decrypter, but I get the following message: “The decrypter was unable to locate the file database on your system.”. I can see the .db file in the proper temp directory, and it has the same number as the file name that’s referenced in the ransom letter. Dragging and dropping the .db file onto the decrypter doesn’t work. Any ideas? Any help would be appreciated.

  • billy weyant

    I am having similar issues. I see obscure file names with .php, .hta, .doc, .bmp, .exe, & .db extensions in the temp directory with the same date stamp.

  • billy weyant

    Decryptor was unable to locate the file database on your system. The directory it references is the directory the files are in. Sorry, I hit post before I finished.

    • Fabian Wosar

      A new version of the decrypter was released a few minutes ago. You will require at least one unencrypted version of one of the files that were encrypted. Preferably one that is very high up the list. The further down the file is in the list, the longer it will take to restore the database.

  • jr105

    It also failed for me. It located the directory, but was unable to decrypt the files. When the encryption happened, I had a network computer mapped as Z: drive, which was also affected. When I ran the decrypter, that drive was NOT mapped. I remapped that drive and am running the decrypter again. I don’t know if that could do it, but if you have multiple drives affected, I would make sure they’re still the same drive letter that the database file refers to, and that it’s connected.

    • Fabian Wosar

      Be careful with that. Doing that will try to decrypt files that are already decrypted. As a result, you may end up messing up your data. The decrypter isn’t intended to be used like that.

      • jr105

        I am not sure what you mean. I was under the assumption that the decrypter looked at the files in the database and used that to decrypt. If the drive that was affected isn’t mapped when the decrypter runs, it wouldn’t be able to locate the files. Am I wrong with how it uses the database to decrypt?

    • Fabian Wosar

      I added a check now to prevent additional decryption if a backup file is present, which would indicate that the file has already been decrypted. This should allow you to do what you wanted to do. Make sure you download the new version though.

      • jr105

        Will try that. Thank you!

      • jr105

        I’m assuming 1.0.0.51 is the newest version?

  • Michael Murphy

    Same issue here. Unable to find database error. I have emailed the files per your recommendation below.

  • Eli Grieshop

    I received the following message

  • Sintax

    Has anyone figured out how to solve the issue where the database file cannot be found? I have the database file in the directory it’s looking in, but for some reason it’s not using it.

    • Sintax

      Also, the DB file is 1.04 GB.

    • Fabian Wosar

      Because the database file belongs to a version of the ransomware the decrypter doesn’t support yet.

      • Sintax

        Is there a way to find out which version it is?

        • Fabian Wosar

          If the database file is there but the decrypter doesn’t find it, it’s the second variant.

      • Michael Murphy

        Any idea of time frame before the decrypter works? I was assuming the issue of not finding the .db file was just a bug that would be corrected any moment. If that’s not the case, I need to let the client know the data is gone and move on…

        • Fabian Wosar

          The new decrypter was released a few minutes ago. Version 1.0.0.54 and up. You will require at least one unencrypted version of one of the files that were encrypted. Preferably one that is very high up the list. The further down the file is in the list, the longer it will take to restore the database.

  • Thank you for the update! I found an unencrypted match as an email attachment and it’s chugging away trying to decrypt everything.

    THANK YOU!

    • Fabian Wosar

      Let me know how things turned out for you :)

      • It took most of the night to figure out the decryption, but when I got up this morning it was ready. Everything decrypted in minutes! She’s going to be so happy. :)

        Thank you again.

        • Fabian Wosar

          Glad it worked and you got your files back :)

  • Support JazzIt

    Hi, I have a client machine with the NemucodAES ransomware. The .db file exists in the TEMP Folder as does the following files:
    1DmvJRq1uHYY . . . . . . dS6v.bmp
    1DmvJRq1uHYY . . . . . . dS6v.db
    1DmvJRq1uHYY . . . . . . dS6v.doc
    1DmvJRq1uHYY . . . . . . dS6v.exe
    1DmvJRq1uHYY . . . . . . dS6v.hta
    1DmvJRq1uHYY . . . . . . dS6v.php

    Malwarebytes has been run and only quarantined files.

    On running decrypt_NemucodAES.exe it gives a “Please be patient!” prompt, then takes about 3 minutes before returning the prompt “Nemucod file database not found” …..

    Is there anything I need to do? Rename the .db file or something to ensure the decrypter locates the .db file?

    Sorry if this has already been answered, I thought I read all posts on the subject.

    Many thanks

  • Sarah Jo Gemmill Shearer

    I am also getting the same error after a few minutes of “The decrypter was unable to locate the file database on your system.” I have checked the appropriate TEMP folder and see a .db file still present along with several other files with the same long and random file name.

    • Fabian Wosar

      Please try the latest version of the decrypter (1.0.0.58 or later).

      • Sarah Jo Gemmill Shearer

        I have the decrypter downloaded and am waiting to try at work this morning. As we have not touched the PC at all really as far as “clean up” goes, should we run something to remove the ransomware first, or decrypt, back up and then format? Thank you for your help.

  • Gabriel Almodovar

    When I run the decryptor it pulls up one file on the E: drive that is encrypted and then asks that I locate an unencrypted version of this file. Only problem is the E drive is just the system reserved drive. Any way to use 2 files from the main (C:) drive? I have plenty of those!

  • Mossor

    What if the .db file is missing. I believe my customer may have run some type of clean up software but they do not remember which it was.

    • Fabian Wosar

      To put it bluntly: SOL. There is no way to get the files back. The ransomware only encrypts the first 2048 or 100,000 bytes. So depending on the file type, some data may be recoverable using specialised tools. One important bit: Paying the ransom will not help. The ransomware authors can’t bring back the data either without the database file.

  • Kristian Kuharszky

    Hello, I downloaded the 1.0.0.58 version of the decrypter program. It asks me to select which file to use to recover database. I get the following bad file pair message: “The file pair you selected doesn’t appear to match.” I tried to match a lot of different files and always get the same bad file pair message. Am I doing something wrong? How can I find a good pair? Any help would be greatly appreciated.

    • Fabian Wosar

      The error appears if the decrypter thinks that the file you selected is obviously not an unencrypted version of the file you picked out in the list. The reason for that is that either the file sizes don’t match up or both the picked out file in the list and the selected file are identical.