starbuck Posted March 24, 2016 (edited)

Victims that had their computers locked by a ransomware that uses the CRYPTED file extension can now free their files using a special decrypter created by Emsisoft security researcher Fabian Wosar, who, by the way, should be having a statue by now for the number of ransomware decrypters he has created.

This particular ransomware, which has yet to receive its own name, is spread via an intense spam campaign that delivers a JavaScript file attachment, which when downloaded and executed will install the Nemucod trojan on a victim's PC.

Nemucod previously delivered TeslaCrypt

Nemucod is a malware downloader, a trojan virus used to download other malware on infected PCs. While in the past we've seen Nemucod download TeslaCrypt, some time ago the crooks switched to delivering their own homebrew ransomware that locked files with the CRYPTED extension.

As it turned out, this ransomware strain was only encrypting the first 2048 bytes of each file with the XOR algorithm. A user on the Bleeping Computer forums created a Python-based decrypter, and Mr. Wosar stepped in and converted it to a Windows executable, which most non-technical users can run.

Using the decrypter is simple

Cracking the ransomware's encryption with this decrypter is easy. Users only need to get hold of an encrypted file, and a version of the same file retrieved from a backup or an online account. The user then needs to select both files and drag them over the decrypter's icon, like in the GIF below. This will start a brute-forcing of the ransomware's encryption, which will yield a decryption key. Users can then double-click the decrypter to start it, select the folders where they have encrypted data, feed in the decryption key, and then launch the decryption process.

Other malware may also be present on your PC

Since encryption algorithms take a while to compute, both processes, cracking the decryption key and then decrypting all files, might take a while to execute, so just be patient. If you need any help, there is a step-by-step tutorial on the Bleeping Computer blog, and users can also request help on this forum thread.

Just be aware that besides the homebrew ransomware, Nemucod might also install other malware (known cases included the Kovter downloader/clickfraud trojan) on your PC, which means you might be infected with some other sort of nasty viruses. You'll probably need to scan your system with an antivirus, or even perform a clean install just to be safe.

Source: http://news.softpedia.com/news/nemucod-s-crypted-ransomware-can-be-neutralized-with-this-decrypter-502102.shtml

Edited March 24, 2016 by starbuck
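The recovery step the article describes (one clean copy of a file plus its encrypted twin yields the key, after which every other file can be unlocked) is a textbook known-plaintext attack on XOR, and it only works because the ransomware touches just the first 2048 bytes with a reused key. The following is an added example written for this thread; it is not the Bleeping Computer user's Python script nor Emsisoft's decrypter, and it assumes a simplified model of the scheme (a repeating key XORed over the first 2048 bytes, identical for every file). The real key layout may differ.

```python
HEADER_LEN = 2048  # per the article, only the first 2048 bytes of each file are XORed


def xor_first_bytes(data: bytes, key: bytes, n: int = HEADER_LEN) -> bytes:
    """Model of the ransomware (assumption): XOR the first n bytes of data with a
    repeating key and leave the rest untouched. XOR is its own inverse, so the
    same function decrypts. Used here for constructed test data only."""
    if not key:
        raise ValueError("empty key")
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:n]))
    return head + data[n:]


def recover_keystream(plain: bytes, cipher: bytes, n: int = HEADER_LEN) -> bytes:
    """Known-plaintext step: plain XOR cipher reveals the keystream used on the
    header. Needs a clean copy of a file (backup, e-mail attachment, cloud copy)
    and the encrypted version of the very same file."""
    if len(plain) != len(cipher):
        raise ValueError("files differ in length; they are not the same file")
    if plain[n:] != cipher[n:]:
        raise ValueError("files differ beyond the encrypted header; not the same file")
    if len(plain) < n:
        # A shorter reference file reveals only part of the keystream; other
        # files would need bytes we never saw, so insist on a long enough sample.
        raise ValueError(f"reference file must be at least {n} bytes long")
    return bytes(p ^ c for p, c in zip(plain[:n], cipher[:n]))


def shortest_period(ks: bytes) -> bytes:
    """Return the shortest repeating unit of the keystream, i.e. the key itself.
    If the keystream never repeats, the whole keystream is the key."""
    for p in range(1, len(ks) + 1):
        if all(ks[i] == ks[i % p] for i in range(len(ks))):
            return ks[:p]
    return ks


def recover_key(plain: bytes, cipher: bytes, n: int = HEADER_LEN) -> bytes:
    """Derive the key from one known file and verify that it round-trips."""
    key = shortest_period(recover_keystream(plain, cipher, n))
    # Sanity check before using the key on anything else: it must turn the
    # reference ciphertext back into the exact reference plaintext.
    if xor_first_bytes(cipher, key, n) != plain:
        raise ValueError("recovered key does not verify against the reference file")
    return key


def decrypt(cipher: bytes, key: bytes, n: int = HEADER_LEN) -> bytes:
    """Apply the recovered key to any other encrypted file from the same infection."""
    return xor_first_bytes(cipher, key, n)


def demo() -> bytes:
    """Constructed walk-through: encrypt two sample 'files' with a made-up key,
    recover the key from the first using its clean copy, decrypt the second."""
    secret_key = bytes((i * 73 + 11) & 0xFF for i in range(19))   # constructed
    reference = bytes((i * 31) & 0xFF for i in range(3000))        # constructed
    other = b"quarterly report, second document\n" * 120           # constructed
    enc_reference = xor_first_bytes(reference, secret_key)
    enc_other = xor_first_bytes(other, secret_key)
    key = recover_key(reference, enc_reference)
    assert decrypt(enc_other, key) == other
    return key


if __name__ == "__main__":
    print("recovered key:", demo().hex())
```

The only inputs a victim controls are the two reference files, so the function refuses mismatched pairs and a reference shorter than the encrypted header; without that check a truncated key would silently corrupt every other file it was applied to. The round-trip verification in `recover_key` is the same reason the article tells users to crack the key first and only then point the tool at their folders.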
FPCH Admin allheart55 Cindy E Posted March 24, 2016

Thanks, Pete! You always keep us current with all of the security news and malware related information. Much appreciated.

~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~ ~~Robert McCloskey~~