Should the download succeed, the malware downloads the ransom note, then drops and runs a batch file to encrypt the user's data, adding the .crypted extension to all affected files. As soon as the process is completed, the malicious application displays the ransom text and performs its usual routine: it downloads and executes additional malware on the system.
What researchers discovered last month was that the ransomware didn't use RSA-1024 to encrypt files, but only encrypted the first 2048 bytes of each file with XOR encryption. The ransomware was using a pre-defined 255-byte-long key embedded in the downloaded executable component, and a decryptor was released for it toward the end of March.
Additionally, users could restore their PCs using System Restore and could restore files via Volume Shadow Copies. Fortinet researchers also discovered that the ransomware's code resembles that of KeyBTC, although with a simpler implementation; they could not, however, establish a direct relationship between the KeyBTC and Nemucod actors.
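The scheme described in the two paragraphs above, as an added Python example that is not code from the original article or from the released Nemucod decryptor: only the first 2048 bytes of each file are XORed with a repeating 255-byte key, which makes the operation its own inverse. The key, the sample file contents and the function names are constructed for illustration. The released decryptor used the key embedded in the executable; this example additionally shows the more general point that a single intact copy of any affected file of at least 255 bytes (for instance one restored from a Volume Shadow Copy or a backup) is enough to recover the whole key and decrypt every other file.

```python
"""Worked example of a header-only repeating-key XOR scheme.

Constructed for illustration; this is not Nemucod's code and DEMO_KEY is
not the key that was embedded in the malware.
"""

HEADER_LEN = 2048   # bytes of each file the ransomware touched
KEY_LEN = 255       # length of the embedded repeating key

# Constructed stand-in for the key embedded in the downloaded executable.
DEMO_KEY = bytes((i * 7 + 3) % 256 for i in range(KEY_LEN))


def xor_header(data: bytes, key: bytes, length: int = HEADER_LEN) -> bytes:
    """XOR the first `length` bytes of `data` with `key` repeated.

    XOR is its own inverse, so one function both models the encryption
    and performs the decryption. Files shorter than `length` are handled
    naturally because the slice stops at the end of the data.
    """
    head = data[:length]
    keyed = bytes(b ^ key[i % len(key)] for i, b in enumerate(head))
    return keyed + data[length:]


def recover_key(pairs, key_len: int = KEY_LEN, length: int = HEADER_LEN):
    """Recover a repeating XOR key from (ciphertext, plaintext) pairs.

    Each pair is an encrypted file and an intact copy of the same file.
    Every known byte position i yields key[i % key_len] = ct[i] ^ pt[i].
    Returns the key as bytes plus the number of key positions recovered;
    positions never observed are left as 0. Conflicting observations
    (which would mean the files were not encrypted with the same key)
    raise ValueError.
    """
    key = bytearray(key_len)
    known = [False] * key_len
    for ct, pt in pairs:
        for i in range(min(len(ct), len(pt), length)):
            k = i % key_len
            kb = ct[i] ^ pt[i]
            if known[k] and key[k] != kb:
                raise ValueError(f"inconsistent key byte at position {k}")
            key[k] = kb
            known[k] = True
    return bytes(key), sum(known)


def demo():
    """Encrypt three constructed files, recover the key from one intact
    copy, and decrypt the others. Returns a dict of check results."""
    # Constructed sample "files": a known document (> 2048 bytes), a victim
    # file of 3072 bytes, and a tiny file shorter than the 2048-byte window.
    doc = b"%PDF-1.4 constructed sample document " * 200
    victim = bytes(range(256)) * 12
    tiny = b"short file"

    enc_doc = xor_header(doc, DEMO_KEY)
    enc_victim = xor_header(victim, DEMO_KEY)
    enc_tiny = xor_header(tiny, DEMO_KEY)

    # Only the first 2048 bytes change; the tail of a file stays intact.
    tail_intact = enc_victim[HEADER_LEN:] == victim[HEADER_LEN:]

    # One intact copy of a file >= 255 bytes recovers every key position.
    key, positions = recover_key([(enc_doc, doc)])

    return {
        "tail_intact": tail_intact,
        "key_matches": key == DEMO_KEY,
        "positions": positions,
        "victim_recovered": xor_header(enc_victim, key) == victim,
        "tiny_recovered": xor_header(enc_tiny, key) == tiny,
    }


if __name__ == "__main__":
    print(demo())
```

The recovery step is why a static XOR key offers no real protection once any plaintext is available: a known-plaintext pair fixes key bytes position by position, and because only 2048 bytes per file are touched, anything beyond that offset never needed decrypting at all.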
Most recently, the Nemucod ransomware has received another update, and is now using the 7-Zip application to actually encrypt the files, it seems. Additionally, the malware authors have lowered the ransom from the original 0.60358 Bitcoins (around $267), to 0.49731 Bitcoins (around $220).
A recent post on Bart Blaze's blog explains that, after the malware's execution, users can see the following processes in Task Manager: a0.exe (which masquerades as 7-Zip), a1.exe, a2.exe, cmd.exe, and wscript.exe. To stop the encryption operation, users should end all of these processes.
The malware is removable with the help of anti-virus programs, but users are advised to keep a copy of the ransom note in order to identify the ransomware. As mentioned above, a Nemucod decryptor exists, but it was designed for the previous variant of the malware and might not work with the newer one, at least not yet.