Decrypt latest Nemucod ransomware with Emsisoft’s free decrypter

Update (July 16th, 2017):
Shortly before we published our article, the NemucodAES threat actors unleashed a new version of their ransomware that wasn’t supported by our original decrypter. We are happy to announce that version and later of our decrypter support this new version now. If you tried the decrypter before without success, please download and try it again. Thanks!

The Nemucod ransomware family has been around for a while and has gone through several evolutions and changes since then. Previous attempts at extorting money were thwarted by the release of our decrypter, which helped victims recover their files for free.

Amidst the noise of the NotPetya ransomware outbreak, a new variant of Nemucod dubbed NemucodAES was released that changed the encryption mechanism and gave its ransom note a facelift.

Not to be outplayed by cyber criminals, our lab promptly went to work and produced a new version of our decrypter to handle NemucodAES and free victims’ files.

How NemucodAES ransomware works

The main infection vector of this latest offspring of the Nemucod ransomware family has remained the same: it relies on the classic ‘undelivered package’ spam campaign to trick victims into clicking on the attachment and executing the JavaScript contained within.

Source code of the JavaScript file that arrives at the victim

Once unsuspecting victims are fooled into running the script, the malware downloads its ransomware component as well as the Kovter malware into the %TEMP% folder, where it executes both.

The NemucodAES ransomware component, which consists of a PHP script and the PHP interpreter, uses the same methods as previous variants to achieve persistence (read more about what ransomware does once it’s on a computer here). Once the interpreter executes the script, it cycles through all possible drive letters (including external and network drives) and starts the encryption process.

The key difference to previous members of this family is that the encryption has changed from RC4 to a mix of AES-128 in ECB mode and RSA encryption, an infamous combination that we explained in more detail in a recent blog post. In addition, it does not change any file extensions, so victims only become aware of the damage once they see garbled contents or a cryptic error message when trying to open one of their documents.

Snippet of the code used to enumerate all drives for files to encrypt

NemucodAES ransomware targets the following file extensions:

.123, .602, .dif, .docb, .docm, .dot, .dotm, .dotx, .hwp, .mml, .odg, .odp, .ods, .otg, .otp, .ots, .ott, .pot, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .sldm, .sldx, .slk, .stc, .std, .sti, .stw, .sxc, .sxd, .sxm, .sxw, .txt, .uop, .uot, .wb2, .wk1, .wks, .xlc, .xlm, .xlsb, .xlsm, .xlt, .xltm, .xltx, .xlw, .xml, .asp, .bat, .brd, .c, .cmd, .dch, .dip, .jar, .js, .rb, .sch, .sh, .vbs, .3g2, .fla, .m4u, .swf, .bmp, .cgm, .djv, .gif, .nef, .png, .db, .dbf, .frm, .ibd, .ldf, .myd, .myi, .onenotec2, .sqlite3, .sqlitedb, .paq, .tbk, .tgz, .3dm, .asc, .lay, .lay6, .ms11, .ms11, .crt, .csr, .key, .p12, .pem, .qcow2, .vmx, .aes, .zip, .rar, .r00, .r01, .r02, .r03, .7z, .tar, .gz, .gzip, .arc, .arj, .bz, .bz2, .bza, .bzip, .bzip2, .ice, .xls, .xlsx, .doc, .docx, .pdf, .djvu, .fb2, .rtf, .ppt, .pptx, .pps, .sxi, .odm, .odt, .mpp, .ssh, .pub, .gpg, .pgp, .kdb, .kdbx, .als, .aup, .cpr, .npr, .cpp, .bas, .asm, .cs, .php, .pas, .class, .py, .pl, .h, .vb, .vcproj, .vbproj, .java, .bak, .backup, .mdb, .accdb, .mdf, .odb, .wdb, .csv, .tsv, .sql, .psd, .eps, .cdr, .cpt, .indd, .dwg, .ai, .svg, .max, .skp, .scad, .cad, .3ds, .blend, .lwo, .lws, .mb, .slddrw, .sldasm, .sldprt, .u3d, .jpg, .jpeg, .tiff, .tif, .raw, .avi, .mpg, .mp4, .m4v, .mpeg, .mpe, .wmf, .wmv, .veg, .mov, .3gp, .flv, .mkv, .vob, .rm, .mp3, .wav, .asf, .wma, .m3u, .midi, .ogg, .mid, .vdi, .vmdk, .vhd, .dsk, .img, .iso

In order to keep the system operational and ensure that folders critical to the functioning of the ransomware and later decryption remain intact, it will skip folders containing the following strings:

\winnt, \boot, \system, \windows, \tmp, \temp, \program, \appdata, \application, \roaming, \msoffice, \temporary, \cache, recycler

Like its predecessors, NemucodAES only encrypts the first 2 KB of every targeted file. Unlike its predecessors, however, NemucodAES uses AES encryption with a randomly generated 128-bit per-file key. The encrypted data, as well as the file name and the RSA-encrypted AES keys, are then stored within a .db database file inside the %TEMP% directory. NemucodAES then overwrites the original first 2 KB of the file with random data.

Since the encrypted data is not stored within the files but within a separate database file, that database file is essential for the decryption process, as explained further down.
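Because extensions stay unchanged and only the first 2 KB is replaced with random data, damaged files can be triaged by inspecting their headers. The sketch below is an added example, not code from Emsisoft or its decrypter; the magic-byte table, the entropy threshold and all function names are assumptions chosen for illustration, and the sample files are constructed.

```python
import math, os, pathlib, tempfile
from collections import Counter

HEAD = 2048  # per the article, only the first 2 KB of each file is replaced
# Folder-name strings the article lists as skipped by the ransomware.
SKIP = ("\\winnt", "\\boot", "\\system", "\\windows", "\\tmp", "\\temp",
        "\\program", "\\appdata", "\\application", "\\roaming", "\\msoffice",
        "\\temporary", "\\cache", "recycler")
# Assumption: a few targeted extensions whose intact files begin with fixed magic bytes.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".zip": b"PK", ".docx": b"PK", ".jpg": b"\xff\xd8"}

def entropy(data):
    """Shannon entropy in bits per byte (8.0 means uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def is_skipped(rel_folder):
    """True if a folder path (relative to the drive root) contains a skip string."""
    p = "\\" + rel_folder.replace("/", "\\").lower()
    return any(s in p for s in SKIP)

def looks_overwritten(path, threshold=7.0):
    """True if the first 2 KB lacks the expected magic bytes and looks random."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return False
    with open(path, "rb") as f:
        head = f.read(HEAD)
    # Shorter files give an unreliable entropy estimate, so they are not flagged.
    return len(head) == HEAD and not head.startswith(magic) and entropy(head) >= threshold

def scan(root):
    """Return sorted relative paths under root that look damaged."""
    hits = []
    for folder, _, names in os.walk(root):
        if not is_skipped(os.path.relpath(folder, root)):
            hits += [os.path.relpath(os.path.join(folder, n), root).replace(os.sep, "/")
                     for n in names if looks_overwritten(os.path.join(folder, n))]
    return sorted(hits)

def demo():
    body = b"%PDF-1.4\n" + b"stream data " * 400   # constructed intact PDF-like file, > 2 KB
    damaged = os.urandom(HEAD) + body[HEAD:]        # simulates the random 2 KB overwrite
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("docs/ok.pdf", body), ("docs/hit.pdf", damaged), ("Windows/x.pdf", damaged)):
            p = pathlib.Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return scan(root)
```

Files flagged this way are only candidates for review; restoring them still depends on the database file in %TEMP% described above.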

The NemucodAES ransom note left behind on the system

Last but not least, the ransomware deletes any shadow copies stored on the system and creates a ransom note on the victim’s desktop named “DECRYPT.hta”, instructing the victim to pay the equivalent of US $300 in Bitcoin to get back their files.

Are Emsisoft users protected?

Short answer: Yes! Our award-winning Behavior Blocker technology with Anti-Ransomware layer has been able to stop NemucodAES dead in its tracks without the need for updates:

NemucodAES is no match for our behaviour blocker

If you want to see Emsisoft’s Behavior Blocker in action against a wide variety of ransomware, check out our demonstration on YouTube.

For all non-Emsisoft customers: Decrypt your files using our free decrypter

Unfortunately, not everyone is enjoying the state-of-the-art protection Emsisoft products provide and we have seen an increase of victims hitting communities like BleepingComputer and ID Ransomware looking for help. For those victims, our lab created a special decrypter application that is able to restore affected files for free.

As explained in our thorough ransomware removal guide, it’s critical to follow the right steps when dealing with and removing ransomware. We suggest reading it before attempting any hasty removal, particularly in this case, because any decrypter needs access to the database file that the ransomware created within the %TEMP% folder in order to restore the files.

Many popular cleaning and optimizer programs, such as CCleaner, delete files in the temp folder automatically, making decryption impossible for both the ransomware authors’ decrypter and ours. So deactivate any such programs immediately and resist the temptation to blindly start cleaning.

Victims of NemucodAES ransomware can download our decrypter on our dedicated decrypter download page.

Have a great (ransomware-free) day!

Holger :

Comments (92)

  • Hi - I am dealing with what appears to be Nemucod-AES based on ID Ransomware scan. I just ran the Emsisoft Decrypter and it listed a large number of potential files to select from for the database. None appear to be database-type files or be in a %temp% directory. Is there a way to manually look for the database file? The C:/Temp folder is empty and the C:/Users/ directory doesn't have an "AppData" folder in it. Any advice?

    • The decrypter automatically located the database for you already. All you need to do is go through the list and find an original unencrypted version to any file in the list it displays. It is crucial that you find a file that is as high up on the list as possible. Every 5 files down roughly doubles the time the decrypter will need to figure out the encryption. Once you found an unencrypted, original version, just point the decrypter to it by pressing the button.

      • Good/bad news here. The decryptor finished in about 4 hours and I started the decryption sequence (note to other users, go the extra mile and find a backup file at the beginning of the list). It was running through thousands of files successfully repairing them but at some point maybe 75% thru it had a problem and locked up. The screen listed the file where this happened and had a pop-up "abort" box; however the computer was locked up and I could not do anything other than reboot. Of course when I rebooted the decryptor sequence was lost. I checked the files and it successfully repaired all the files it got to before it locked up. I am rerunning the decryptor because I am not sure how to re-initiate the decryptor without starting from scratch. Fabian if there is a way to do this please let me know! Not sure what will happen when I try to decrypt files that already are repaired but hoping it skips over them and starts back where it left off. Fabian please let me know if you have any advice! Thanks, Mark

        • Most likely problem: You ran out of disk space. So please check if your disk is full. Creating the backups will temporarily double the disk space requirements of your data until you removed the backups. You can simply start the decrypter again and it should restore the file database from the DecryptionKeys.db this time that is located in the same directory as the decrypter.

          • I re-ran the decryptor and it worked perfectly this time skipping the files it had already decrypted and then repairing the rest. Not sure why it stalled, the hard drive was not full but maybe some RAM or buffer thing. An additional point for any readers of these comments is that the decryptor did not initially decrypt files I had on a thumb-drive which was also infected. In consult with Fabian he identified that the drive letter had changed from what it was called at the time of the infection. I renamed the drive from E: to F: and re-ran the decryptor and it repaired the files on the thumb-drive also. I can't thank Fabian enough for this technology and service! My number one advice for anyone reading is to find a file as high up on the list as possible; it is worth the effort!

      • I got impatient and stopped the decryption since it was projected to take more than 10 days. After some detective work I was able to find a video driver zip file from Dell that seems to be from the same laptop build as my model. This file was 3rd on the list. I restarted the decryptor and it is running now with projected 4 hour run time. I will keep you and other readers posted (the recent posts and replies were most helpful to me)

      • Thanks for responding Fabian. We just got back from a trip and I saw your message. I went through the file list and those at the beginning were system and printer files that I didn't back up. While I could potentially find files with the same name online, I assume the file must be identical so I didn't try that. So I went down to the first file on the list appearing from the "My Documents" which was pretty early on the list, found a clean copy from my backup, and set the decrypter working. As you alluded to above, the progress is very slow currently listing "0.57% of key space exhausted". My followup question is whether this will need to reach 100% to be successful and whether the speed is linear from 0 to 100% (it could take over a week at this pace!). Thanks for any further thoughts! Mark

  • How long should the newest (8/1/17) decryption take? Mine says 2786:08:30 -- that's around 116 days!?!?!

    • Try the attack against a file higher up in the list. Every 5 files down the time of the attack roughly doubles.

  • Our computer has been infected by NemucodAES. I downloaded the decrypter, ran it, paired a file in the database with the unencrypted version of the file and it started the process. After about 12 hours, it was still saying that the ETA was 185:27:16. It was varying a bit but staying close to that ETA. It also said that 6.53% of key space exhausted. Is this correct that it will take that long to decrypt the files? Are we on track or is something going wrong?

    • ETA calculations are a bit wonky at times. As long as there is progress you should be good to go.

  • Hi there.. thanks for your wonderful work. I have this Nemucod ransomware. I downloaded the tools and found out that you have to match a file. The file I found to match was about 500 files in.. and on a back up. I did match up one of the infected files to a file on the back up disk.. and the system started running and has been for five days now.. about 4% of key space is exhausted.. My questions are.

    1. I assume that once I made the match of the files .. the corrupt on my C: drive and the correct one on the backup disk-- that the "correct" file is no longer needed.. right? Because to prevent infection of the back up disk I unplugged it after the match was made the recover file database started running. I assume this doesn't disrupt the file recovery process.. right?

    2. I ask the above because the program has been running for 5 days.. Intel I5 8 GB RAM so relatively recent. Do you recommend stopping the process and trying to find a file closer to the top of the list or continuing to let it run its course. I noticed you said every 5 files takes one hour.. so if it's getting close to the correct match then I don't want to unplug.. on the other hand it could take a long time.. The current counter is moving but has been stuck at ETA-- 6472 or so.. for the past 5 days.

    Thanks very much for all you do and your advice on this.

  • Hi, I have a client with this ransomware on her computer. I've tried running the decrypter, but I get the following message: "The decrypter was unable to locate the file database on your system." I can't see the .db file in the proper temp directory. What can I do ?

  • we are running v.078 and it finds the DB etc we give it a file which matches the infected ones on the list (a good copy) and it starts to chug away after 6 hours it gets to 100% and says it couldn't decrypt the files ?

      • I also ran v.078 and received the same results. Would it be possible to send you a copy of my *.php file to look at. Thanks.

        • sorry one of the guys here changed the first line of the php file from <?php eval
          to <?php print to try and grab the urls it was downloading from so we could block them if u need me to send the original file again just let me know

  • Decryption started to run and was able to take care of C: drive fine and one of the external drives filled up with before finishing due to the backup files... can I restart it now and it will pick up where it stopped decryption or is it going to attempt to do all the files again?

    • I believe I was able to successfully restart but question about external drives that are affected.... C: drive is all good now and my personal drive is currently working but there was a flash drive and another hard drive plugged in that are not on the list to decrypt.... what can we do to get those back?

  • hello, my both drives D and E had been encrypted in starting of February 2017. Still I am not able to decrypt them after trying many third party software. my important many years ago family videos and pics had been encrypted with extension .aef7 . no software worked for this extension . Any help would be appreciated. thanks

  • Hello,
    someone locked up (rika Mika) locked my Pc and my database *.mdf
    it create an extension *.java
    is nemucode may working on that ?