New Nemucod Ransomware Virus Removal Guide

The Nemucod virus has been detected to have a new version that uses a red background for its ransom note and currently demands 0.11471 BTC payment. Nemucod is a data locker ransomware that infiltrates the system to perform various malicious actions that allow it to encrypt target data and renders it inaccessible. Upon encryption, Nemucod ransomware drops a file named Decrypt.txt that contains its ransom message. We firmly advise victims not to rush to pay the ransom and attempt to regain the PC security by removing the threat.

Manual Removal Guide
Recover Encrypted Files
Skip all steps and download anti-malware tool that will safely scan and clean your PC.

DOWNLOAD Nemucod Virus Removal Tool

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Ways of Distribution of Nemucod Ransomware

Usually, ransomware payload is distributed via spam email campaigns that present the malicious code in two ways. First, Nemucod ransomware may be hidden in a malicious attachment that contains word document with embedded infected macros or a JavaScrips file. Second, the ransomware code may be injected in a compromised website that has a low-security level. Thus a link to this site may be presented in the text of the email. Crooks may use official names of financial services like PayPal or software providers like Microsoft. Nemucod ransomware may also be spread via malicious redirect links, compromised social media profiles and file sharing services.

Details About New Nemucod Ransomware Variant

In case that Nemucod virus has infected your system you should know some primary damages it caused to the PC. The infection begins once Nemucod malicious payload is started on the PC. First, it initiates a scan of all drives aiming to find predefined file types in its code. When it locates a file that matches with its target data list, Nemucod utilizes a combination of two strong cipher algorithms – AES-128 and RSA-2048 to encrypt the file and render it out of order. At this point, no particular malicious file extension is related to this new version of Nemucod ransomware. However, corrupted files which may be documents, photos, images, videos, databases, archives, music, projects, presentations and other frequently used file formats can be recognized by their not working state.

Encrypted files by Nemucod can be restored by applying the unique decryption key generated during the encoding process to the decryptor that should be accessed when following the instructions of the ransom note. The ransom note text is contained in a file Decrypt.txt and it reads the following:

All your documents, photos, databases and other important personal files were encrypted using a combination of strong RSA-2048 and AES-128 algorithms.
The only way to restore your files is to buy decryptor. Please, follow these steps:
1. Create your Bitcoin wallet here:
2. Buy 0.11471 bitcoins here:
3. Send 0.11471 bitcoins to this address:
4. Open one of the following links in your browser:
5. Download and run decryptor to restore your files.
You can find this instruction in “DECRYPT” file on your desktop.

new nemucod ransomware virus ransom note red colored decrypt.txt bestsecuritysearch

The same message is depicted with white text over a red background. That image replaces the desktop wallpaper. For the purpose, Nemucod virus creates values in the Windows registry that modify the auto-execute functionality and enable it to change the desktop wallpaper and furthermore start its malicious executable file each time the Windows system is started.

Read Also: How to Remove and Prevent Facebook Virus Infection

It is also likely that the ransomware deletes shadow volume copies which prevent data recovery by using this method. However, the previous Nemocod version has been successfully cracked by white hats, so they have released a freely available decryption tool for .crypted files. As security experts are currently investigating the case, we hope that the code of this new Nemocod version will be decrypted too soon.

New Nemucod Ransomware Decryptor Available

A malware researcher has created a decryptor for the New Nemucod ransomware that might be able to restore the affected files. It has been developed to work with the captured samples in several attack campaigns. However victims of the malware should not expect it to work with all versions.

Computer viruses such as this one are constantly being updated and the tool may be able to help in all cases. You can download it by clicking here. Beware that the application will ask for elevated privileges by issuing a User Account Control notification prompt. The users need to click on “Yes”. This will start the automated file database recovery. Warning: this might take a few hours depending on your computer.

Once it has been recovered an application frame with the following text is displayed:

The decrypter succesfully recovered the file database on your system.

A license agreement follows, if accepted the decryption process is started.

Remember that file recovery does not remove the virus from the computer, it merely restores some of the affected data. The only way to prevent and remove active infections is to use a quality anti-spyware solution. Refer to our instructions below.

Remove Nemucod Ransomware Virus and Restore Data

WARNING! Manual removal of Nemucod virus requires being familiar with system files and registries. Removing important data accidentally can lead to permanent system damage. If you don’t feel comfortable with manual instructions, download a powerful anti-malware tool that will scan your system for malware and clean it safely for you.

DOWNLOAD Anti-Malware Tool

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Nemucod Ransomware Virus – Manual Removal Steps

Start the PC in Safe Mode with Network

This will isolate all files and objects created by the ransomware so they will be removed efficiently. The steps bellow are applicable to all Windows versions.

1. Hit the WIN Key + R

2. A Run window will appear. In it, write msconfig and then press Enter

3. A Configuration box shall appear. In it Choose the tab named Boot

4. Mark Safe Boot option and then go to Network under it to tick it too

5. Apply -> OK

Show Hidden Files

Some ransomware threats are designed to hide their malicious files in the Windows so all files stored on the system should be visible.

1. Open My Computer/This PC

2. Windows 7

    – Click on Organize button
    – Select Folder and search options
    – Select the View tab
    – Go under Hidden files and folders and mark Show hidden files and folders option

3. Windows 8/ 10

    – Open View tab
    – Mark Hidden items option

how to make hidden files visible in Windows 8 10 bestsecuritysearch instructions

4. Click Apply and then OK button

Enter Windows Task Manager and Stop Malicious Processes

1. Hit the following key combination: CTRL+SHIFT+ESC

2. Get over to Processes

3. When you find suspicious process right click on it and select Open File Location

4. Go back to Task Manager and end the malicious process. Right click on it again and choose End Process

5. Next, you should go folder where the malicious file is located and delete it

Repair Windows Registry

1. Again type simultaneously the WIN Key + R key combination

2. In the box, write regedit and hit Enter

3. Type the CTRL+ F and then write the malicious name in the search type field to locate the malicious executable

4. In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys

Click for more information about Windows Registry and further repair help

Recover Encrypted Files

WARNING! All files and objects associated with Nemucod virus should be removed from the infected PC before any data recovery attempts. Otherwise the virus may encrypt restored files. Furthermore, a backup of all encrypted files stored on external media is highly recommendable.

DOWNLOAD Nemucod Virus Removal Tool

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

1. Use present backups

2. Use professional data recovery software

Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.

3. Using System Restore Point

    – Hit WIN Key
    – Select “Open System Restore” and follow the steps


4. Restore your personal files using File History

    – Hit WIN Key
    – Type restore your files in the search box
    – Select Restore your files with File History
    – Choose a folder or type the name of the file in the search bar
    – Hit the “Restore” button

Preventive Security Measures

  • Enable and properly configure your Firewall.
  • Install and maintain reliable anti-malware software.
  • Secure your web browser.
  • Check regularly for available software updates and apply them.
  • Disable macros in Office documents.
  • Use strong passwords.
  • Don’t open attachments or click on links unless you’re certain they’re safe.
  • Backup regularly your data.
  • Was this content helpful?

    Author : Gergana Ivanova

    Gergana Ivanova is a computer security enthusiast who enjoys presenting the latest issues related to cyber security. By doing thorough researches and sharing them on BestSecuritySearch, she hopes that more victims of malware infections will be able to secure their corrupted computer systems properly and eventually recover lost files.

    Related Posts

    Leave a Reply

    Your email address will not be published. Required fields are marked *