Decrypted: Emsisoft Releases a Decryptor for NemucodAES Ransomware

I am pleased to report that Fabian Wosar of Emsisoft released a decryptor for the NemucodAES Ransomware. First spotted by ID-Ransomware’s Michael Gillespie and then later confirmed by security researcher Derek Knight, NemucodAES is distributed via SPAM emails that pretend to missed delivery notifications from UPS.

Fake UPS Missed Delivery SPAM
Fake UPS Missed Delivery SPAM

These SPAM emails contain attachments that when opened, will contain a JS file that will download PHP and a PHP script, which is the actual ransomware component.  Unlike most ransomware, Nemucod is PHP based and source is easily visible.

Once started, the PHP script will scan the drives for targeted files and encrypt them. Unlike most other ransomware infections, NemucodAES does not append a new extension or rename the files that are encrypted.  When encrypting files, it will skip files in the following folders:

winnt, boot, system, windows, tmp, temp, program, appdata, application, roaming, msoffice, temporary, cache, recycle

It will then encrypt any files that have the following extensions:

.123, .602, .dif, .docb, .docm, .dot, .dotm, .dotx, .hwp, .mml, .odg, .odp, .ods, .otg, .otp, .ots, .ott, .pot, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .sldm, .sldx, .slk, .stc, .std, .sti, .stw, .sxc, .sxd, .sxm, .sxw, .txt, .uop, .uot, .wb2, .wk1, .wks, .xlc, .xlm, .xlsb, .xlsm, .xlt, .xltm, .xltx, .xlw, .xml, .asp, .bat, .brd, .c, .cmd, .dch, .dip, .jar, .js, .rb, .sch, .sh, .vbs, .3g2, .fla, .m4u, .swf, .bmp, .cgm, .djv, .gif, .nef, .png, .db, .dbf, .frm, .ibd, .ldf, .myd, .myi, .onenotec2, .sqlite3, .sqlitedb, .paq, .tbk, .tgz, .3dm, .asc, .lay, .lay6, .ms11, .ms11, .crt, .csr, .key, .p12, .pem, .qcow2, .vmx, .aes, .zip, .rar, .r00, .r01, .r02, .r03, .7z, .tar, .gz, .gzip, .arc, .arj, .bz, .bz2, .bza, .bzip, .bzip2, .ice, .xls, .xlsx, .doc, .docx, .pdf, .djvu, .fb2, .rtf, .ppt, .pptx, .pps, .sxi, .odm, .odt, .mpp, .ssh, .pub, .gpg, .pgp, .kdb, .kdbx, .als, .aup, .cpr, .npr, .cpp, .bas, .asm, .cs, .php, .pas, .class, .py, .pl, .h, .vb, .vcproj, .vbproj, .java, .bak, .backup, .mdb, .accdb, .mdf, .odb, .wdb, .csv, .tsv, .sql, .psd, .eps, .cdr, .cpt, .indd, .dwg, .ai, .svg, .max, .skp, .scad, .cad, .3ds, .blend, .lwo, .lws, .mb, .slddrw, .sldasm, .sldprt, .u3d, .jpg, .jpeg, .tiff, .tif, .raw, .avi, .mpg, .mp4, .m4v, .mpeg, .mpe, .wmf, .wmv, .veg, .mov, .3gp, .flv, .mkv, .vob, .rm, .mp3, .wav, .asf, .wma, .m3u, .midi, .ogg, .mid, .vdi, .vmdk, .vhd, .dsk, .img, .iso

When done, NemucodAES will display a ransom note named Decrypt.hta, which contains the ransom amount and payment instructions.

NemucodAES Ransom Note
NemucodAES Ransom Note

For those who have been infected by the NemucodAES Ransomware and have files that are encrypted, you can use the guide below to decrypt your files for free. If you need help decrypting your files, feel free to ask in the NemucodAES Ransomware Help Topic.

How to Decrypt the NemucodAES Ransomware

Victims of the NemucodAES ransomware can be identified by Decrypt.hta ransom note that contains a distinctive red background and payment servers that have the “counter” string in their URL. This can be seen in the image of the ransom note above.

To decrypt files encrypted by the NemucodAES ransomware, you need to first download the NemucodAES Decryptor below.


Once downloaded, simply double-click on the executable to start the decryptor and you will be presented with a UAC prompt as shown below. Please click on Yes button to proceed.

UAC Prompt

The decrypter will try to recover the file database. This can take a few hours if not longer, so please be patient while the decryptor tries to recover the database.

Brute Forcing the Decryption Key

When the decryptor has finished, it will display an alert stating that the Nemucod file database was recovered.

Decryption Key Found
Decryption Key Found

To start decrypting your files with this key, please click on the OK button.  You will then be presented with a license agreement that you must click on Yes to continue. You will now see the main Decrypter screen that displays a list of files that will be decrypted..

NemucodAES Decryptor
NemucodAES Decryptor

When ready, click on the Decrypt button to begin decrypting the NemucodAES encrypted files. Once you click Decrypt, the program will decrypt all the encrypted files and display the decryption status in a results screen like the one below.

Decrypting Files
Decrypting Files

When it has finished, the Results tab will state Finished! and all of your files should now be decrypted.

Decryption Finished
Decryption Finished

Though your files are now decrypted, the original encrypted files will still be on your computer. Once you confirm that your files have been properly decrypted, you can use CryptoSearch to move all the encrypted files into one folder so you can delete or archive them.

You can now close the decryptor and use your computer as normal. If you need help using this decrypter, please ask in our NemucodAES Help & Support Topic.

Ransom Note Text:

All your documents, photos, databases and other important personal files were encrypted
using a combination of strong RSA-2048 and AES-128 algorithms.

The only way to restore your files is to buy decryptor. Please, follow these steps:

1. Create your Bitcoin wallet here:

2. Buy 0.13066 bitcoins here:

3. Send 0.13066 bitcoins to this address: [victim_id]

4. Open one of the following links in your browser:[victim_id][victim_id][victim_id][victim_id][victim_id]

5. Download and run decryptor to restore your files. 

You can find this instruction in "DECRYPT" file on your desktop.