Nemucod Malware Downloader Evolves into Ransomware

Tuesday, April 26, 2016

Ionut Arghire


Nemucod, a previously known JavaScript malware family designed to download additional malicious software onto the compromised computers, has evolved into ransomware and is now using 7-Zip to encrypt its victims’ files.

The malware was observed downloading TeslaCrypt and also trying to drop ransomware carried in its own body, Fortinet’s Roland Dela Paz explains. The Nemucod variant was delivered as encrypted JavaScript attachments in spam emails and tried to download an executable file from compromised websites into the user’s temporary directory.

Should the download succeed, the malware downloads the ransom note, then drops and runs a batch file that encrypts the user’s data, appending the .crypted extension to every affected file. As soon as that process completes, the malicious application displays the ransom text and returns to its usual routine: downloading and executing additional malware on the system.

What researchers discovered last month was that the ransomware did not use RSA-1024 to encrypt files; instead, it XORed only the first 2048 bytes of each file with a predefined 255-byte key embedded in the downloaded executable component. A decryptor was released for it toward the end of March.
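To make concrete why that earlier variant could be decrypted, the following is an added example (not code from the article, from Fortinet, or from the malware) that models the scheme just described: only the first 2048 bytes of a file are XORed with a repeating 255-byte key, and because XOR is its own inverse the same operation with the known key restores the file. The key below is a constructed placeholder; the real key is not on this page.

```python
"""
Added example modelling the early Nemucod file scheme: XOR of the first
2048 bytes with a repeating 255-byte key, and the inverse a decryptor
applies. DEMO_KEY is a CONSTRUCTED placeholder, not the malware's key.
"""
import os
import tempfile

BLOCK_SIZE = 2048      # only this many leading bytes were touched
KEY_LEN = 255          # length of the embedded XOR key (per the article)
CRYPTED_EXT = ".crypted"

# Constructed placeholder key (hypothetical); the actual key is not reproduced here.
DEMO_KEY = bytes((i * 37 + 11) & 0xFF for i in range(KEY_LEN))


def xor_prefix(data: bytes, key: bytes) -> bytes:
    """XOR the first BLOCK_SIZE bytes with the repeating key; the rest is
    copied untouched. Encrypting and decrypting are the same call."""
    if len(key) != KEY_LEN:
        raise ValueError(f"expected a {KEY_LEN}-byte key")
    head, tail = data[:BLOCK_SIZE], data[BLOCK_SIZE:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(head)) + tail


def decrypt_file(path: str, key: bytes = DEMO_KEY) -> str:
    """Recover <name>.crypted to <name>; returns the restored file's path."""
    if not path.endswith(CRYPTED_EXT):
        raise ValueError("not a .crypted file")
    with open(path, "rb") as f:
        data = f.read()
    restored = path[: -len(CRYPTED_EXT)]
    with open(restored, "wb") as f:
        f.write(xor_prefix(data, key))
    return restored


def demo() -> tuple:
    """Constructed round trip in a temp dir: scramble a sample file the way
    the scheme does, then recover it; returns (original, recovered)."""
    original = b"%PDF-1.4 sample document " * 200   # > 2048 bytes, constructed
    with tempfile.TemporaryDirectory() as tmp:
        crypted = os.path.join(tmp, "report.pdf" + CRYPTED_EXT)
        with open(crypted, "wb") as f:
            f.write(xor_prefix(original, DEMO_KEY))
        with open(decrypt_file(crypted), "rb") as f:
            return original, f.read()
```

This only models the XOR variant; files processed by the later 7-Zip-based variant described below are not recoverable this way.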

Additionally, users could restore their PCs using System Restore and recover files from Volume Shadow Copies. Fortinet researchers also found that the ransomware’s code resembles that of KeyBTC, albeit with a simpler implementation, but they could not establish a direct relationship between the KeyBTC and Nemucod actors.

Most recently, the Nemucod ransomware has received another update and now appears to use the 7-Zip application to actually encrypt the files. The malware authors have also lowered the ransom from the original 0.60358 Bitcoins (around $267) to 0.49731 Bitcoins (around $220).

A recent post on Bart Blaze’s blog explains that, after the malware executes, users can see the following processes in Task Manager: a0.exe (7-Zip running under a different name), a1.exe, a2.exe, cmd.exe, and wscript.exe. To stop the encryption, users should end all of these processes.

The malware can be removed with anti-virus programs, but users are advised to keep a copy of the ransom note so the ransomware can be identified. As mentioned above, a Nemucod decryptor exists, but it was designed for the previous variant of the malware and might not work with the newer one, at least not yet.

Related: Kovter Ad Fraud Trojan Evolves Into Ransomware

Related: Links Found Between Different Ransomware Families

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
