NemucodAES Ransomware is Decrypted with Emsisoft Decryptor

Emsisoft lab researchers have released a decryptor for NemucodAES ransomware. It was released by Fabian Wosar of Emsisoft, and many other security researchers later confirmed it. NemucodAES ransomware used to spread via spam emails that pretend to be a delivery notification from UPS. On opening the email, the JS file will download a PHP script. This script then scans the system and encrypts the data. Interestingly, it doesn't modify the extensions or names of the targeted encrypted files. Some of the file extensions that it encrypts are:

.123, .602, .dif, .docb, .docm, .dot, .dotm, .dotx, .hwp, .mml, .odg, .odp, .ods, .otg, .otp, .ots, .ott, .pot, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .sldm, .sldx, .slk, .stc, .std, .sti, .stw, .sxc, .sxd, .sxm, .sxw, .txt, .uop, .uot, .wb2, .wk1, .wks, .xlc, .xlm, .xlsb, .xlsm, .xlt, .xltm, .xltx, .xlw, .xml, .asp, .bat, .brd, .c, .cmd, .dch, .dip, .jar, .js, .rb, .sch, .sh, .vbs, .3g2, .fla, .m4u, .swf, .bmp, .cgm, .djv, .gif, .nef, .png, .db, .dbf, .frm, .ibd, .ldf, .myd, .myi, .onenotec2, .sqlite3, .sqlitedb, .paq, .tbk, .tgz, .3dm, .asc, .lay, .lay6, .ms11, .ms11, .crt, .csr, .key, .p12, .pem, .qcow2, .vmx, .aes, .zip, .rar, .r00, .r01, .r02, .r03, .7z, .tar, .gz, .gzip, .arc, .arj, .bz, .bz2, .bza, .bzip, .bzip2, .ice, .xls, .xlsx, .doc, .docx, .pdf, .djvu, .fb2, .rtf, .ppt, .pptx, .pps, .sxi, .odm, .odt, .mpp, .ssh, .pub, .gpg, .pgp, .kdb, .kdbx, .als, .aup, .cpr, .npr, .cpp, .bas, .asm, .cs, .php, .pas, .class, .py, .pl, .h, .vb, .vcproj, .vbproj, .java, .bak, .backup, .mdb, .accdb, .mdf, .odb, .wdb, .csv, .tsv, .sql, .psd, .eps, .cdr, .cpt, .indd, .dwg, .ai, .svg, .max, .skp, .scad, .cad, .3ds, .blend, .lwo, .lws, .mb, .slddrw, .sldasm, .sldprt, .u3d, .jpg, .jpeg, .tiff, .tif, .raw, .avi, .mpg, .mp4, .m4v, .mpeg, .mpe, .wmf, .wmv, .veg, .mov, .3gp, .flv, .mkv, .vob, .rm, .mp3, .wav, .asf, .wma, .m3u, .midi, .ogg, .mid, .vdi, .vmdk, .vhd, .dsk, .img, .iso

It stores the ransom note in a file named Decrypt.hta, which contains all the details about the ransom amount and instructions for payment.
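Because names and extensions stay unchanged, affected files cannot be found by name. The sketch below is an added example, not code from the original article or from Emsisoft: it sweeps a directory tree for the Decrypt.hta note and for files whose leading bytes no longer match their extension. It assumes the encryption overwrites the start of each file; the signature table and the function name `triage` are choices made for this example.

```python
import os

# Leading bytes expected for a few of the extensions the page lists (well-known signatures).
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".zip": [b"PK\x03\x04", b"PK\x05\x06"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".pptx": [b"PK\x03\x04"],
    ".7z": [b"7z\xbc\xaf\x27\x1c"],
    ".rar": [b"Rar!\x1a\x07"],
    ".gz": [b"\x1f\x8b"],
}
RANSOM_NOTE = "decrypt.hta"  # note file name given on the page, compared case-insensitively


def triage(root):
    """Walk root; return (ransom note paths, files whose header no longer fits their extension)."""
    notes, suspects = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(path)
                continue
            sigs = MAGIC.get(os.path.splitext(name)[1].lower())
            if not sigs:
                continue  # no signature known for this type; cannot judge by header
            try:
                with open(path, "rb") as fh:
                    head = fh.read(16)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if head and not any(head.startswith(s) for s in sigs):
                suspects.append(path)
    return sorted(notes), sorted(suspects)


if __name__ == "__main__":
    import sys
    found_notes, found_suspects = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p in found_notes:
        print("ransom note:", p)
    for p in found_suspects:
        print("header mismatch:", p)
```

A header mismatch alone is only a lead, since a file can simply be mislabelled; a mismatch in a tree that also contains the note is the stronger signal.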

How to Decrypt NemucodAES Ransomware

As Emsisoft has released a decryptor for NemucodAES ransomware, it is better to download it here: https://decrypter.emsisoft.com/download/nemucodaes. Once downloaded, double-click the executable file to launch the decryptor. The decryptor will start recovering the encrypted files; this may take a few hours, so be patient. Once the recovery process is complete, it will display a notification stating that the Nemucod file database was recovered. Press the "OK" button to begin decrypting the files using the key. The main decrypter screen will be displayed, showing the list of encrypted files. Click the Decrypt button to begin decrypting the NemucodAES encryption. The tool will automatically decrypt the encrypted files and make them accessible to you.