The Nemucod virus has been detected to have a new version that uses a red background for its ransom note and currently demands 0.11471 BTC payment. Nemucod is a data locker ransomware that infiltrates the system to perform various malicious actions that allow it to encrypt target data and renders it inaccessible. Upon encryption, Nemucod ransomware drops a file named Decrypt.txt that contains its ransom message. We firmly advise victims not to rush to pay the ransom and attempt to regain the PC security by removing the threat.
Manual Removal Guide
Recover Encrypted Files
Skip all steps and download anti-malware tool that will safely scan and clean your PC.
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
Ways of Distribution of Nemucod Ransomware
Usually, ransomware payload is distributed via spam email campaigns that present the malicious code in two ways. First, Nemucod ransomware may be hidden in a malicious attachment that contains word document with embedded infected macros or a JavaScrips file. Second, the ransomware code may be injected in a compromised website that has a low-security level. Thus a link to this site may be presented in the text of the email. Crooks may use official names of financial services like PayPal or software providers like Microsoft. Nemucod ransomware may also be spread via malicious redirect links, compromised social media profiles and file sharing services.
Details About New Nemucod Ransomware Variant
In case that Nemucod virus has infected your system you should know some primary damages it caused to the PC. The infection begins once Nemucod malicious payload is started on the PC. First, it initiates a scan of all drives aiming to find predefined file types in its code. When it locates a file that matches with its target data list, Nemucod utilizes a combination of two strong cipher algorithms – AES-128 and RSA-2048 to encrypt the file and render it out of order. At this point, no particular malicious file extension is related to this new version of Nemucod ransomware. However, corrupted files which may be documents, photos, images, videos, databases, archives, music, projects, presentations and other frequently used file formats can be recognized by their not working state.
Encrypted files by Nemucod can be restored by applying the unique decryption key generated during the encoding process to the decryptor that should be accessed when following the instructions of the ransom note. The ransom note text is contained in a file Decrypt.txt and it reads the following:
ATTENTION!
All your documents, photos, databases and other important personal files were encrypted using a combination of strong RSA-2048 and AES-128 algorithms.
The only way to restore your files is to buy decryptor. Please, follow these steps:
1. Create your Bitcoin wallet here:
xxxxs://blockchain.info/wallet/new
2. Buy 0.11471 bitcoins here:
https://localbitcoins.com/buy_bitcoins
3. Send 0.11471 bitcoins to this address:
<%ADDRESS%>
4. Open one of the following links in your browser:
xxxx://elita5.md/counter/71GCn9vz73FNDmoVxgxXqjo7dSXyLmfnTDt
xxxx://artdecorfashion.com/counter/71GCn9vz73FNDmoVxgxXqjo7dSXyLmfnTDt
xxxx://goldwingclub.ru/counter/71GCn9vz73FNDmoVxgxXqjo7dSXyLmfnTDt
xxxx://perdasbasalti.it/counter/71GCn9vz73FNDmoVxgxXqjo7dSXyLmfnTDt
xxxx://natiwa.com/counter/71GCn9vz73FNDmoVxgxXqjo7dSXyLmfnTDt
5. Download and run decryptor to restore your files.
You can find this instruction in “DECRYPT” file on your desktop.
The same message is depicted with white text over a red background. That image replaces the desktop wallpaper. For the purpose, Nemucod virus creates values in the Windows registry that modify the auto-execute functionality and enable it to change the desktop wallpaper and furthermore start its malicious executable file each time the Windows system is started.
Read Also: How to Remove and Prevent Facebook Virus Infection
It is also likely that the ransomware deletes shadow volume copies which prevent data recovery by using this method. However, the previous Nemocod version has been successfully cracked by white hats, so they have released a freely available decryption tool for .crypted files. As security experts are currently investigating the case, we hope that the code of this new Nemocod version will be decrypted too soon.
New Nemucod Ransomware Decryptor Available
A malware researcher has created a decryptor for the New Nemucod ransomware that might be able to restore the affected files. It has been developed to work with the captured samples in several attack campaigns. However victims of the malware should not expect it to work with all versions.
Computer viruses such as this one are constantly being updated and the tool may be able to help in all cases. You can download it by clicking here. Beware that the application will ask for elevated privileges by issuing a User Account Control notification prompt. The users need to click on “Yes”. This will start the automated file database recovery. Warning: this might take a few hours depending on your computer.
Once it has been recovered an application frame with the following text is displayed:
The decrypter succesfully recovered the file database on your system.
A license agreement follows, if accepted the decryption process is started.
Remember that file recovery does not remove the virus from the computer, it merely restores some of the affected data. The only way to prevent and remove active infections is to use a quality anti-spyware solution. Refer to our instructions below.
Remove Nemucod Ransomware Virus and Restore Data
WARNING! Manual removal of Nemucod virus requires being familiar with system files and registries. Removing important data accidentally can lead to permanent system damage. If you don’t feel comfortable with manual instructions, download a powerful anti-malware tool that will scan your system for malware and clean it safely for you.
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
Nemucod Ransomware Virus – Manual Removal Steps
Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently. The steps bellow are applicable to all Windows versions.
1. Hit the WIN Key + R
2. A Run window will appear. In it, write msconfig and then press Enter
3. A Configuration box shall appear. In it Choose the tab named Boot
4. Mark Safe Boot option and then go to Network under it to tick it too
5. Apply -> OK
Show Hidden Files
Some ransomware threats are designed to hide their malicious files in the Windows so all files stored on the system should be visible.
1. Open My Computer/This PC
2. Windows 7
- – Click on Organize button
– Select Folder and search options
– Select the View tab
– Go under Hidden files and folders and mark Show hidden files and folders option
3. Windows 8/ 10
- – Open View tab
– Mark Hidden items option
4. Click Apply and then OK button
Enter Windows Task Manager and Stop Malicious Processes
1. Hit the following key combination: CTRL+SHIFT+ESC
2. Get over to Processes
3. When you find suspicious process right click on it and select Open File Location
4. Go back to Task Manager and end the malicious process. Right click on it again and choose End Process
5. Next, you should go folder where the malicious file is located and delete it
Repair Windows Registry
1. Again type simultaneously the WIN Key + R key combination
2. In the box, write regedit and hit Enter
3. Type the CTRL+ F and then write the malicious name in the search type field to locate the malicious executable
4. In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys
Click for more information about Windows Registry and further repair help
Recover Encrypted Files
WARNING! All files and objects associated with Nemucod virus should be removed from the infected PC before any data recovery attempts. Otherwise the virus may encrypt restored files. Furthermore, a backup of all encrypted files stored on external media is highly recommendable.
DOWNLOAD Nemucod Virus Removal ToolSpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
1. Use present backups
2. Use professional data recovery software
Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.
3. Using System Restore Point
- – Hit WIN Key
– Select “Open System Restore” and follow the steps
4. Restore your personal files using File History
- – Hit WIN Key
– Type restore your files in the search box
– Select Restore your files with File History
– Choose a folder or type the name of the file in the search bar
– Hit the “Restore” button
