jcc
Level 7
Message 1 of 5

Files encrypted by Virus.

A techie friend thinks it's from Nemucod and suggested I try to find decrypters.  How does one find a good decryptor?  I tried downloading one but it did not work.  Anyone know about Kaspersky labs?

4 Replies

Re: Files encrypted by Virus.

Ask in Kaspersky forums / support I suppose. Re decryptors: if there was one that worked well it would be all over the net. Someone more knowledgeable re these might pick up the thread.

moving to GTI forum/breaking security news

exbrit
Level 21
Message 3 of 5

Re: Files encrypted by Virus.

Hayton
Level 18
Message 4 of 5

Re: Files encrypted by Virus.

Peter M wrote:

Decryptor Released for the Nemucod Trojan's .CRYPTED Ransomware.

This will probably work, but you need to keep abreast of developments - that was published back in March. There are now two main variants of Nemucod, and the Nemucod-7z one is not decryptable.

Ransomware - All Hope is Not Lost - Protus3

For the earlier version of Nemucod there are two tools which sometimes, but not always, can decrypt some (but not necessarily all) file types. There is a BleepingComputer thread for this which you need to keep an eye on, and in that thread they give links to those tools -

Nemucod Ransomware (.crypted - Decrypt.txt) Support & Help Topic - Page 27 - Ransomware Help & Tech ...  

- see #395 by quietman7 as an example.  Note that the minimum file size for the decryption tools is 510 bytes, not 144.

If you have time read the whole thread.

Be aware also that Nemucod doesn't come alone, and there may be other infections that need removing -

The ransomware removes itself after it completes, but it usually also comes packaged with Kovter, a password-stealing Trojan. MalwareBytes and HitmanPro will usually pick up on any infections left over. They will not remove encrypted files, they are not the threat. Don't worry about the part of the ransom note that mentions files being deleted after x days, it is just a scare tactic.

Hayton
Level 18
Message 5 of 5

Re: Files encrypted by Virus.

jcc wrote:

A techie friend thinks it's from Nemucod and suggested I try to find decrypters.  How does one find a good decryptor?  I tried downloading one but it did not work.  Anyone know about Kaspersky labs?

I just re-read your post and three things need answering.

First, if you don't know what the ransomware program is you'll need to upload one or more encrypted files to have them analysed. Send them to https://id-ransomware.malwarehunterteam.com/index.php

Second, there are decryptor tools out there but it's a cat-and-mouse game with the malware authors. A tool works for a while then a new version of the ransomware is launched and it's back to square one. So I don't absolutely guarantee that any of these tools will work, or decrypt all your files.

Still, here are two useful articles you should read - ignore the advertisements and the "download-this" enticements. What you want is the decryptor information.

http://www.thewindowsclub.com/id-identify-ransomware

http://www.thewindowsclub.com/list-ransomware-decryptor-tools

And third, as you will see Kaspersky's contribution is useful, as far as it goes. No-one has a monopoly in this area, not even McAfee.

Speaking of which, Kaspersky and McAfee partnered in a project called "No More Ransom" which looked promising when it launched. It aimed to be a central point for providing decryptors but hasn't really taken off. You're better off referring to that list from thewindowsclub, as long as they keep the list updated.

The No More Ransom Project