Thursday, April 21, 2016

Nemucod ransomware information



This is a quick post on the recent Nemucod ransomware. Nemucod is (normally) a downloader which uses JavaScript  JScript (thanks Katja) to enter an unsuspecting user's machine and download additional malware (depends on campaign usually).

There's a blog post by Fortinet which explains Nemucod ransomware, so I'm not going to repeat much here: Nemucod Adds Ransomware Routine

It came to our attention that a new, rather peculiar version of Nemucod has been recently landing on users. Nemucod is a well-known JavaScript malware family that arrives via spam email and downloads additional malware to PCs.

This particular campaign is using the lure of a court appeal to spread:










The mail reads:

Notice to Appear,
You have to appear in the Court on the April 22.Please, prepare all the documents relating to the case and bring them to Court on the specified date.Note: If you do not come, the case will be heard in your absence.
The Court Notice is attached to this email.
Yours faithfully,Brian Snider,District Clerk.


It seems Nemucod ransomware got another update, as it now uses 7-zip to actually encrypt the files.

Another change is the slight drop in price. Whereas before it was 0.60358 bitcoins ($267.14 or €236.43), it's now 0.49731 bitcoins ($220.11 or €194.80).

New message reads:

Nemucod ransomware message


























Nemucod encrypting a whole plethora of filetypes, appending the .crypted extension









Disinfection

If you have opened a .JS file (JScript file) from an unknown sender, open Task Manager immediately and stop all the following processes (at least in this version of Nemucod):

a0.exe (actually 7-zip disguised)
a1.exe
a2.exe
cmd.exe
wscript.exe


The faster you do this, the less files will be encrypted. Run a scan with your antivirus program and a scan with another antivirus program to verify the malware has been removed.

Note: It's always useful to keep a copy of the ransomware note handy, as it's easier to identify the ransomware and if it can be decrypted.


Decryption

I'm only briefly reporting on this for those in need, but currently, the known decryptors are suited for this version. However, Fabian from Emsisoft is already working hard to make a decryptor available, so please have patience!

If you have an older version of Nemucod, you can try one of either decryptors:
Emsisoft Decrypter for Nemucod 
nemucod_decrypter (you will need to install Python for this)

You can also try restoring files with Shadow Explorer. (alternate link)

For more information, please visit the following Bleeping Computer topic
.crypted Ransomware (Nemucod) - Decrypt.txt Support and Help Topic



Prevention

In particular for Nemucod, don't open any JScript/JavaScript files from unknown senders.

For more tips on ransomware prevention, be sure to check out this page I've set up:
Ransomware Prevention


Conclusion

Same as with all malware: don't open attachments from unknown senders!

Please find below IOCs and additional resources.



Resources

.crypted Ransomware (Nemucod) - Decrypt.txt Support and Help Topic
ID ransomware
JavaScript-toting spam emails: What should you know and how to avoid them?
JScript
Nemucod ransomware IOCs
Ransomware overview
Ransomware Prevention
TrojanDownloader: JS/Nemucod

2 comments:

  1. Nemucod is written in JScript, not JavaScript. ;)
    They look similar (both ECMA Script), but security-wise it is really a difference.

    ReplyDelete
    Replies
    1. Katja, you are correct. Edited.

      This is what happens when you blog at late hours ;)

      Cheers!

      Delete