Nemucod-AES ransomware takes victim's files hostage to demand ransom

Nemucod-AES ransomware [1] is a data-encrypting virus which earned its title by stealthily infiltrating computers, rendering the containing files unreadable with the help of AES-128 and RSA-2048 encryption algorithms, and demanding 0.11471 Bitcoins for their decryption.
The criminals choose cryptocurrency [2] as means of payment deliberately. This method guarantees the anonymity of money transactions and allows the perpetrators to escape prosecution.
That’s why you won’t get any justice if the hackers disappear with your money after you pay for the data recovery key. This should be a sufficient reason to remove Nemucod-AES from the PC rather than collaborate with the criminals.
Typically to most ransomware, the virus developers drop a ransom note on which they list out all the data recovery conditions and instruct victims where they should purchase and transfer the ransom. Here is a transcript of Decrypt.hta file:
ATTENTION!
4. Open one of the following links in your browser:
All your documents, photos, databases and other important personal files were encrypted using a combination of strong RSA-2048 and AES-128 algorithms.
The only way to restore your files is to buy decryptor. Please, follow these steps:
1. Create your Bitcoin wallet here:
xxxxs://blockchain.info/wallet/new
2. Buy 0.11471 bitcoins here:
https://localbitcoins.com/buy_bitcoins
3. Send 0.11471 bitcoins to this address:
xxxx://elita5.md/counter/71GCn9vz73FNDmoVxgxXqjo7dSXyLmfnTDt
xxxx://artdecorfashion.com/counter/71GCn9vz73FNDmoVxgxXqjo7dSXyLmfnTDt
xxxx://goldwingclub.ru/counter/71GCn9vz73FNDmoVxgxXqjo7dSXyLmfnTDt
xxxx://perdasbasalti.it/counter/71GCn9vz73FNDmoVxgxXqjo7dSXyLmfnTDt
xxxx://natiwa.com/counter/71GCn9vz73FNDmoVxgxXqjo7dSXyLmfnTDt
5. Download and run decryptor to restore your files.
You can find this instruction in “DECRYPT” file on your desktop.
Ransom notes can tell a lot about the ransomware developers, their target audience, and their true intentions. In this case, we have to admit that the note is professionally made and detailed, so the hackers behind it are probably native English speakers and serious enough not to leave spelling or grammatical errors on the note.
The ransomware’s target audience is most likely English as well, though it should not stop the virus from infecting users in the European countries, say, Germany or Sweden [3].
Despite where in the world the virus hits, the first thing infected computer owners should do is perform Nemucod-AES removal.
Decrypt files encrypted by Nemucod-AES ransomware for free
Victims who have their files compromised by this ransomware can use a free NemucodAES decryptor to restore all data. The decryptor was successfully created by Emsisoft researchers on July 12th, 2017.
So if your PC was struck by the discussed ransomware and you were hesitating whether to pay up or not, forget these thoughts already. You can restore your files without paying a cent. To find the decryption instructions, look at data recovery section below this post.
The most important thing is to decontaminate the virus and to prevent if from additionally damaging your system. Use the decryptor only after removing the virus from the computer system.

The ransomware is distributed via fraudulent UPS spam
There are several ways Nemucod-AES ransomware can spread around the web. A few of the main vectors may be:
- compromised downloads,
- fake software updates,
- deceptive ads,
- exploit kits.
Nevertheless, the most salient method of Nemucod-AES distribution campaign are spam emails disguised as UPS service notices. In the two examined samples of spam emails, experts found files called UPS ground-Delivery-005156577.doc.js and UPS ground-Receipt-4424638.doc.js which both obfuscated the malicious JavaScript code by imitating regular Word files.
Please remember this deceptive distribution technique the next time you are on your email. Do not download or, not to mention, open the attachments which may have been sent to you by some unfamiliar senders, because it might be that you are allowing a vicious ransomware on your PC.
Suggestions for Nemucod-AES removal
If you have realized that you can no longer access your files anymore and you see a ransom note demanding you to pay money for their recovery, you should wait no longer and start Nemucod-AES removal procedure immediately.
We recommend you take advantage of specialized utilities, such as FortectIntego or MalwarebytesMalwarebytes, to scan your device automatically and locate all the bad components that might be scattered around your system.
The automatic removal will only take a few minutes, if the ransomware does not attempt to block your security utility and prevent its extermination.
Even if it does block these utilities, you can follow virus decontamination instructions below the article and help your antivirus remove Nemucod-AES from the PC.
Was this guide helpful?
Be the first to comment