Nemucod, a variant named after the dropper used to deliver the malicious payload, targets Windows OS and is distributed via spam emails containing ZIP files which, in turn, contain a JavaScript file. Once executed, the JavaScript file downloads the following 5 files onto the infected system: a.exe,, a1.exe, a2.exe, a.php, and php4ts.dll. The JavaScript file then launches a.exe which interprets the PHP file in order to begin the encryption process using simple XOR. Files encrypted by Nemucod are appended with the extension .crypted. Nemucod demands a ransom payment of 0.37070 Bitcoin.

  • ReaQta has more information about Nemucod here.
  • A free decryption tool for Nemucod is available on GitHub here.
  • Emsisoft also provides a free decryption tool for Nemucod here.