Nemucod, a variant named after the dropper used to deliver the malicious payload, targets Windows OS and is distributed via spam emails containing ZIP files which, in turn, contain a JavaScript file. Once executed, the JavaScript file downloads the following five files onto the infected system: a.exe, a1.exe, a2.exe, a.php, and php4ts.dll. The JavaScript file then launches a.exe, which interprets the PHP file to begin encrypting files using simple XOR. Files encrypted by Nemucod are appended with the extension .crypted. Nemucod demands a ransom payment of 0.37070 Bitcoin.

UPDATE 07/14/2017: A new version, dubbed NemucodAES, was discovered as part of a recent malicious email campaign masquerading as delivery notices from the United Parcel Service (UPS). This campaign attempts to install both the ransomware and the Kovter trojan on victims' systems.

  • ReaQta has more information about Nemucod here.
  • SANS ISC InfoSec Forums provides more information about NemucodAES here.
  • A free decryption tool for Nemucod is available on GitHub here.
  • Emsisoft also provides a free decryption tool for Nemucod here.
  • Emsisoft provides a free decryption tool for NemucodAES here.
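
A triage example for the indicators in the first paragraph (the five downloaded file names and the .crypted extension), added here and not taken from any of the tools linked above. The names `triage`, `build_sample_tree` and `ENCRYPTOR_CORE`, the choice of which three files count as a match, and the sample directory layout are assumptions made for this example.

```python
import os
import tempfile

# File names the page lists as downloaded by the Nemucod JavaScript dropper.
DROP_SET = {"a.exe", "a1.exe", "a2.exe", "a.php", "php4ts.dll"}
# Assumption for this example: flag a directory only when the interpreter,
# the PHP script and the PHP DLL sit together, since a lone "a.exe" is common.
ENCRYPTOR_CORE = {"a.exe", "a.php", "php4ts.dll"}
ENCRYPTED_EXT = ".crypted"


def triage(root):
    """Walk root and return (drop_dirs, crypted_counts).

    drop_dirs maps a directory to the drop-set names found in it;
    crypted_counts maps a directory to its number of .crypted files.
    """
    drop_dirs, crypted_counts = {}, {}
    for dirpath, _subdirs, files in os.walk(root):
        names = {f.lower() for f in files}  # Windows names are case-insensitive
        hits = names & DROP_SET
        if ENCRYPTOR_CORE <= hits:
            drop_dirs[dirpath] = sorted(hits)
        count = sum(1 for f in files if f.lower().endswith(ENCRYPTED_EXT))
        if count:
            crypted_counts[dirpath] = count
    return drop_dirs, crypted_counts


def build_sample_tree(root):
    """Constructed sample data: empty placeholder files, no real malware."""
    layout = {
        "Temp": ["a.exe", "a1.exe", "a2.exe", "a.php", "php4ts.dll"],
        "Documents": ["report.docx.crypted", "photo.jpg.crypted", "notes.txt"],
        "Tools": ["a.exe", "readme.txt"],  # lone a.exe must not be flagged
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in files:
            open(os.path.join(root, sub, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        drops, crypted = triage(root)
        for directory, hits in drops.items():
            print("drop set in", directory, "->", hits)
        for directory, count in crypted.items():
            print(count, "encrypted files in", directory)
```

Pointing `triage` at a user profile or a mounted disk image gives a quick view of where the drop set landed and which directories hold encrypted files to hand to one of the decryption tools above.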