
Posted (edited)


 

Victims that had their computers locked by a ransomware that uses the CRYPTED file extension can now free their files using a special decrypter created by Emsisoft security researcher Fabian Wosar, who, by the way, should have a statue by now for the number of ransomware decrypters he has created.

 

This particular ransomware, which has yet to receive its own name, is spread via an intense spam campaign that delivers a JavaScript file attachment, which, when downloaded and executed, will install the Nemucod trojan on a victim's PC.

 

Nemucod previously delivered TeslaCrypt

 

Nemucod is a malware downloader, a trojan virus used to download other malware on infected PCs. While in the past we've seen Nemucod download TeslaCrypt, some time ago the crooks switched to delivering their own homebrew ransomware, which locked files with the CRYPTED extension.

 

As it turned out, this ransomware strain was only encrypting the first 2048 bytes of each file with the XOR algorithm.

 

A user on the Bleeping Computer forums created a Python-based decrypter, and Mr. Wosar stepped in and converted it to a Windows executable, which most non-technical users can run.

 

Using the decrypter is simple

 

Cracking the ransomware's encryption with this decrypter is easy.

Users only need to get a hold of an encrypted file, and a version of the same file retrieved from a backup or an online account.

 

The user then needs to select both files and drag them over the decrypter's icon, like in the GIF below.

This will start brute-forcing the ransomware's encryption, which will yield a decryption key.

 

Users can then double-click the decrypter to start it, select the folders where they have encrypted data, feed in the decryption key, and then launch the decryption process.

 

Since encryption algorithms take a while to compute, both processes, of cracking the decryption key and then decrypting all files, might take a while to execute, so just be patient.

If you need any help, there is a step-by-step tutorial on the Bleeping Computer blog, and users can also request help on this forum thread.

Other malware may also be present on your PC

Just be aware that besides the homebrew ransomware, Nemucod might also install other malware (known cases included the Kovter downloader/clickfraud trojan) on your PC, which means you might be infected with some other sort of nasty viruses.

You'll probably need to scan your system with an antivirus, or even perform a clean install just to be safe.

 

(GIF: the encrypted file and its clean copy being dragged onto the decrypter's icon)

 

 

 

Source:

http://news.softpedia.com/news/nemucod-s-crypted-ransomware-can-be-neutralized-with-this-decrypter-502102.shtml

Edited by starbuck
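To make the "drag both files onto the decrypter" step concrete, here is an added Python example of the known-plaintext recovery the post describes. It is not the forum user's decrypter nor Fabian Wosar's tool. It assumes a toy ransomware that XORs only the first 2048 bytes of each file with a repeating key of unknown length; the real Nemucod key layout is not described in the post, and the sample files and key below are constructed for the demo. Since XOR is its own inverse, XORing an encrypted file with its clean copy yields the keystream, and the shortest period of that keystream is the key, which then unlocks every other file.

```python
import random

HEADER_LEN = 2048  # the post says only the first 2048 bytes of each file are touched


def xor_header(data: bytes, key: bytes) -> bytes:
    """Toy lock/unlock: XOR the first HEADER_LEN bytes with a repeating key.

    XOR is its own inverse, so the same function both encrypts and decrypts.
    (Assumed scheme for the demo, not the real Nemucod routine.)
    """
    if not key:
        raise ValueError("empty key")
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:HEADER_LEN]))
    return head + data[HEADER_LEN:]


def recover_keystream(encrypted: bytes, original: bytes) -> bytes:
    """Known-plaintext step: encrypted XOR original gives the keystream byte for byte."""
    n = min(len(encrypted), len(original), HEADER_LEN)
    if n == 0:
        raise ValueError("need at least one byte of matching data")
    return bytes(e ^ p for e, p in zip(encrypted[:n], original[:n]))


def shortest_period(stream: bytes) -> bytes:
    """Smallest prefix of `stream` that, repeated, reproduces the whole stream."""
    for period in range(1, len(stream)):
        if all(stream[i] == stream[i - period] for i in range(period, len(stream))):
            return stream[:period]
    return stream


def recover_key(encrypted: bytes, original: bytes) -> bytes:
    """Equivalent of dragging the locked file and its clean copy onto the decrypter.

    Caveat: if the matching pair is shorter than the key, only a prefix of the
    key is recovered and other files will not decrypt correctly, so pick a pair
    whose original is at least HEADER_LEN bytes long.
    """
    return shortest_period(recover_keystream(encrypted, original))


def decrypt_files(encrypted_files: dict, key: bytes) -> dict:
    """Second step: apply the recovered key to every locked file."""
    return {name: xor_header(data, key) for name, data in encrypted_files.items()}


def demo() -> bool:
    # Constructed sample data; the fixed seed keeps the run reproducible.
    rng = random.Random(2016)
    key = bytes(rng.getrandbits(8) for _ in range(37))
    originals = {
        "report.pdf": b"%PDF-1.4\n" + bytes(rng.getrandbits(8) for _ in range(3000)),
        "notes.txt": b"Quarterly notes\n" * 200,
    }
    locked = {name + ".crypted": xor_header(data, key) for name, data in originals.items()}
    # The victim still has a clean report.pdf from a backup or an e-mail attachment.
    found = recover_key(locked["report.pdf.crypted"], originals["report.pdf"])
    restored = decrypt_files(locked, found)
    return found == key and restored["notes.txt.crypted"] == originals["notes.txt"]


if __name__ == "__main__":
    print("all files restored" if demo() else "recovery failed")
```

The period search is what turns a 2048-byte keystream into a short key; with a random key it cannot produce a false shorter period unless every key byte is identical, which is why a single clean/encrypted pair suffices.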

  • FPCH Admin
Posted

Thanks, Pete!

You always keep us current with all of the security news and malware related information.

Much appreciated.

~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~

~~Robert McCloskey~~
