As more and more of these ransomware strains appear, the good guys are increasingly managing to produce decryptors that return files to a working state.
We were recently approached by a small company who found themselves infected with a newer strain of ransomware known as Nemucod .Crypted. (In the past, Nemucod has spread other strains – TeslaCrypt, for example.) They came to us reporting that they could not access any documents on their PC and that a window popped up at startup with instructions to send money for a decryption key. The vast majority of the documents on the PC had their file extension changed to .crypted. Even after renaming a file back to its original extension, it was still unreadable.
The instructions included links to pages to buy bitcoins and to send them to a unique wallet for this infection.
At the current exchange rate, 0.48178 BTC is around 250 USD. When mission-critical files have been rendered unusable, it would be easy to bend to the demands of the same people who infected you…
Instead of doing that, we did some searching around and found a decryptor created by Emsisoft.
A description of Nemucod and the decryptor can be found at https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/
Emsisoft has a track record with these decryptors, having released several for different ransomware families over the last few years: https://decrypter.emsisoft.com/
Before running any decryption, scan the PC for malware to make sure it is not going to get reinfected as soon as you're done.
This decryptor recovers the key by brute force from a pair of files: an encrypted file and a clean, unencrypted copy of that same file. Once it has unlocked that pair, it opens up and lets you select an entire drive or specific files for decryption. We had no issues decrypting every encrypted file on this PC.
While it was simple enough to get everything decrypted this time, it is still no replacement for a proper backup. These decryptors take time to appear after a new infection surfaces, and some ransomware still hasn't been cracked. In those cases, the only way to recover data is to restore from a backup or pay the ransom and hope that works out.
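To show the idea behind a decryptor that needs a clean copy of one file, here is an added, constructed example; it is not Emsisoft's tool and the toy cipher in it is not Nemucod's actual algorithm. The toy scheme (an assumption for this example) XORs the first HEADER_LEN bytes of a file with a repeating KEY_LEN-byte key and appends ".crypted". With one (clean, encrypted) pair of the same file the key falls straight out; a real decryptor may have to search a key space instead, but the known pair is what pins the key down either way. The example also keeps the encrypted copies until the output has been checked, which is the caveat a practitioner would want before letting any decryptor loose on a drive.

```python
"""
Known-plaintext key recovery on a constructed toy cipher.
NOT Nemucod's real scheme and NOT the Emsisoft decrypter: an illustration
of why a clean copy of one encrypted file is enough to unlock the rest.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Optional

KEY_LEN = 16      # assumed key length of the toy scheme
HEADER_LEN = 512  # assumed number of leading bytes the toy scheme touches


def toy_xor(data: bytes, key: bytes) -> bytes:
    """Apply the toy scheme. XOR is its own inverse, so this encrypts and decrypts."""
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:HEADER_LEN]))
    return head + data[HEADER_LEN:]


def recover_key(clean: bytes, encrypted: bytes, key_len: int = KEY_LEN) -> bytes:
    """Derive the key from one (clean, encrypted) pair of the same file.

    The whole header is checked against the derived key so that a mismatched
    pair is rejected instead of yielding a key that silently corrupts every
    other file it is applied to.
    """
    if len(clean) != len(encrypted):
        raise ValueError("clean and encrypted copies differ in length: not the same file")
    n = min(len(clean), HEADER_LEN)
    if n < key_len:
        raise ValueError("sample file too short to recover the whole key")
    key = bytes(clean[j] ^ encrypted[j] for j in range(key_len))
    for i in range(n):
        if clean[i] ^ key[i % key_len] != encrypted[i]:
            raise ValueError(f"key does not explain byte {i}: wrong pair or a different scheme")
    return key


# Magic numbers of a few common document types (constructed subset, not
# exhaustive), used as a plausibility check on decrypted output.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\xd0\xcf\x11\xe0": "ole/legacy office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def looks_plausible(data: bytes) -> Optional[str]:
    """Return the detected file kind, or None if the header matches nothing known."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def decrypt_tree(root: Path, key: bytes, suffix: str = ".crypted") -> List[Path]:
    """Decrypt every *.crypted file under root, writing the result beside it.

    The encrypted copy is deliberately kept: if the key turns out to be wrong,
    it is the only copy that could still be decrypted later.
    """
    restored = []
    for path in root.rglob(f"*{suffix}"):
        out = path.with_name(path.name[: -len(suffix)])
        out.write_bytes(toy_xor(path.read_bytes(), key))
        restored.append(out)
    return restored


def demo() -> bool:
    """Self-contained walk-through on constructed files in a temporary directory."""
    key = bytes(range(1, KEY_LEN + 1))  # constructed "attacker" key
    docs = {
        "report.pdf": b"%PDF-1.4 " + os.urandom(3000),
        "notes.docx": b"PK\x03\x04" + os.urandom(700),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in docs.items():
            (root / (name + ".crypted")).write_bytes(toy_xor(data, key))
        # The victim still has a clean copy of report.pdf (e.g. an e-mailed copy).
        clean = docs["report.pdf"]
        encrypted = (root / "report.pdf.crypted").read_bytes()
        recovered = recover_key(clean, encrypted)
        restored = decrypt_tree(root, recovered)
        return recovered == key and all(
            p.read_bytes() == docs[p.name] and looks_plausible(p.read_bytes()) is not None
            for p in restored
        )


if __name__ == "__main__":
    print("recovery succeeded" if demo() else "recovery failed")
```

The plausibility check is only a sanity test on the first bytes; the real confirmation is opening a handful of decrypted documents before deleting any of the .crypted originals.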
As always, the best defenses against these types of infections are:
1. Healthy suspicion and a moment's thought before opening attachments or visiting web pages
2. A good antivirus/anti-malware package, updated frequently
3. A reliable backup with lots of history, tested frequently
If you need help with an infection, or a backup strategy, contact us.