Nemucod ransomware information
There’s a blog post by Fortinet which explains Nemucod ransomware, so I’m not going to repeat much here: Nemucod Adds Ransomware Routine
This particular campaign is using the lure of a court appeal to spread:
The mail reads:
Notice to Appear,
You have to appear in the Court on the April 22. Please, prepare all the documents relating to the case and bring them to Court on the specified date. Note: If you do not come, the case will be heard in your absence.
The Court Notice is attached to this email.
Yours faithfully, Brian Snider, District Clerk.
It seems Nemucod ransomware got another update, as it now uses 7-zip to actually encrypt the files.
Another change is the slight drop in price. Whereas before it was 0.60358 bitcoins ($267.14 or €236.43), it’s now 0.49731 bitcoins ($220.11 or €194.80).
New message reads:
[Image: Nemucod ransomware message]
[Image: Nemucod encrypting a whole plethora of filetypes, appending the .crypted extension]
If you have opened a .JS file (JScript file) from an unknown sender, open Task Manager immediately and stop all the following processes (at least in this version of Nemucod):
a0.exe (actually 7-zip disguised)
The faster you do this, the fewer files will be encrypted. Run a scan with your antivirus program and a scan with another antivirus program to verify the malware has been removed.
Note: It’s always useful to keep a copy of the ransomware note handy, as it makes it easier to identify the ransomware and whether it can be decrypted.
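To gauge how far the encryption got and to preserve a copy of the note, a short triage script can help. The following is an added example, not code from this post or from Fortinet or Emsisoft; it assumes the note is named Decrypt.txt (taken from the support topic title below), and the function name triage and the evidence folder name are made up for illustration.

```python
import hashlib
import os
import shutil
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_EXT = ".crypted"  # extension this Nemucod version appends (from the post)
NOTE_NAME = "decrypt.txt"   # assumed note filename, from the support topic title


def triage(root, evidence_dir=None):
    """Walk root; summarise .crypted files and ransom notes found under it."""
    per_dir = Counter()
    notes = []
    first_seen = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                per_dir[dirpath] += 1
                try:
                    mtime = os.path.getmtime(path)
                except OSError:
                    continue  # unreadable or vanished; it is still counted
                if first_seen is None or mtime < first_seen:
                    first_seen = mtime
            elif lower == NOTE_NAME:
                notes.append(path)
    note_copy = None
    if notes and evidence_dir:
        # Keep one note, named by its hash, for later identification.
        os.makedirs(evidence_dir, exist_ok=True)
        with open(notes[0], "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        note_copy = os.path.join(evidence_dir, f"ransom_note_{digest[:12]}.txt")
        shutil.copy2(notes[0], note_copy)
    return {
        "encrypted_total": sum(per_dir.values()),
        "per_directory": dict(per_dir),
        "ransom_notes": sorted(notes),
        # Oldest .crypted timestamp approximates when encryption started.
        "earliest_encrypted_mtime": (
            datetime.fromtimestamp(first_seen, timezone.utc).isoformat()
            if first_seen is not None else None),
        "preserved_note": note_copy,
    }


if __name__ == "__main__":
    import json, sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(json.dumps(triage(target, "nemucod_evidence"), indent=2))
```

The script only reads the affected folders and copies the note; it does not touch or rename the .crypted files, so they stay intact for a later decryptor.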
I’m only briefly reporting on this for those in need, but currently, the known decryptors are suited for this version. However, Fabian from Emsisoft is already working hard to make a decryptor available, so please have patience!
You can also try restoring files with Shadow Explorer. (alternate link)
For more information, please visit the following Bleeping Computer topic: .crypted Ransomware (Nemucod) – Decrypt.txt Support and Help Topic
Same as with all malware: don’t open attachments from unknown senders!