first appeared in March 2015, and at its base, the malware is a simple dropper. Droppers, also called malware downloaders, infectors, or loaders, are simplistic malware families specialized in the “infection” process and nothing more. After this occurs, they then download more potent malware.
For this article, when we say Nemucod, we are referring to a custom ransomware variant that researchers observed delivered via the Nemucod dropper alone.
First Nemucod ransomware variant was decryptable
The Nemucod ransomware was seen for the first time, when Emsisoft researcher Fabian Wosar also cracked one of its earlier versions and offered a free decrypter.
Since then, the Nemucod ransomware has been evolving, with new versions appearing at regular intervals, but still using the .crypted extension to signal its presence on infected systems.
According to researchers from Intel Security, the latest version uses a combination of JS & PHP code to lock people’s files.
Nemucod comes with a built-in PHP interpreter
The JS file will download five files on the user’s PC: a.exe, a1.exe, a2.exe, a.php, and php4ts.dll.
As soon as the file downloads end, the JS file launches into execution a.exe, which is the PHP 184.108.40.206 interpreter, and php4ts.dll, which contains various dependencies.
Theoretically, this version of Nemucod should be easy to decrypt
The malicious JS code also feeds the a.php file to a.exe. The a.php file contains the ransomware’s malicious code, which will scan the user’s hard drive, set sensitive folders aside, and then start encrypting files that end with a specific extension.
, the encryption process uses a single-byte XOR, which, in theory, should be easy to reverse-engineer and then unlock user files. At the time of writing, there is no free decrypter available.
Once all operations end, the a.php file creates the a.txt file, which is the ransom note, and places it on the user’s desktop. Crooks are asking victims to pay 0.3707 Bitcoin (~$245).