The latest version of the Nemucod ransomware uses a combination of JavaScript and PHP code to infect users and encrypt their files.

Nemucod first appeared in March 2015, and at its base, the malware is a simple dropper. Droppers, also called malware downloaders, infectors, or loaders, are simplistic malware families specialized in the “infection” process and nothing more. After this occurs, they then download more potent malware.

For this article, when we say Nemucod, we are referring to a custom ransomware variant that researchers observed delivered via the Nemucod dropper alone.


First Nemucod ransomware variant was decryptable

The Nemucod ransomware was seen for the first time this past March, when Emsisoft researcher Fabian Wosar also cracked one of its earlier versions and offered a free decrypter.

Since then, the Nemucod ransomware has been evolving, with new versions appearing at regular intervals, but still using the .crypted extension to signal its presence on infected systems.

According to researchers from Intel Security, the latest version uses a combination of JS & PHP code to lock people’s files.

Nemucod comes with a built-in PHP interpreter

Nemucod is distributed in the same way as before. Users receive spam emails that contain ZIP files, which, in turn, hold a JavaScript file. Executing this file starts the ransomware’s malicious process.

The JS file will download five files on the user’s PC: a.exe, a1.exe, a2.exe, a.php, and php4ts.dll.

As soon as the file downloads end, the JS file launches into execution a.exe, which is the PHP 4.4.9.9 interpreter, and php4ts.dll, which contains various dependencies.

Theoretically, this version of Nemucod should be easy to decrypt

The malicious JS code also feeds the a.php file to a.exe. The a.php file contains the ransomware’s malicious code, which will scan the user’s hard drive, set sensitive folders aside, and then start encrypting files that end with a specific extension.

According to Intel Security, the encryption process uses a single-byte XOR, which, in theory, should be easy to reverse-engineer and then unlock user files. At the time of writing, there is no free decrypter available.

Once all operations end, the a.php file creates the a.txt file, which is the ransom note, and places it on the user’s desktop. Crooks are asking victims to pay 0.3707 Bitcoin (~$245).

Let’s block ads! (Why?)

Related Posts

Facebook Comments

Return to Top ▲Return to Top ▲