Nemucod Ransomware

Posted: April 27, 2016

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Ranking:	14,710
Threat Level:	10/10
Infected PCs:	1,583

First Seen:	April 27, 2016
Last Seen:	February 6, 2025
OS(es) Affected:	Windows

The Nemucod Ransomware is a revision of the Nemucod, a Trojan family dedicated solely to installing other threats previously. This new variant conducts traditional file-encrypting attacks and ransom attempts, but not to the exclusion of its Trojan downloader function. The multiple angles of attack by the Nemucod Ransomware force malware researchers to recommend scanning your entire system with anti-malware tools for both removing the Nemucod Ransomware and its payloads while other methods can restore your encrypted data freely.

The Trojan that Expanded Its Horizons

Most threats dedicate themselves to a single purpose, with any further specialization accomplished through the addition of independent plugins or other software. It's rare for threatening software to display two completely unrelated specialties and even rarer for such a feature's inclusion after a long history of its omission. Despite all the above, the Nemucod Ransomware is breaking new ground as a fully-functional Trojan downloader that also includes the standard payloads of a file encryptor.

The Nemucod Ransomware still uses the previous infection methods preferred by its family, which consist of disguised e-mail spam, with accompanying attachments providing the threat with its installation. The Trojan also continues using JavaScript but has been patched to take extra steps before initiating its traditional payload.

First, the Nemucod Ransomware downloads a second file for the actual encryption agent. It then generates a text file that includes the ransom message (claiming that an RSA-1024 algorithm has encrypted your data, and demanding Bitcoin payments for a decryptor), although it does not display the message immediately. After scanning all available hard drives for files of various types, such as spreadsheets or documents, the Nemucod Ransomware submits each appropriate file to the encryptor, which uses a symmetric XOR algorithm. Victims should note that this algorithm is not the same as the one claimed in the ransom message, and is potentially crackable.

Only after these procedures does the Nemucod Ransomware finally display its ransom note, which asks for Bitcoin payments in exchange for a decryption routine that gives your files back to you. The affected files are identifiable by eye due to an extra '.crypted' extension. Malware researchers also emphasize that the Nemucod Ransomware still drops additional threats onto your PC afterward, completely separate from its ransom-based attacks.

Dousing the Revenue of Hopeful Trojan Developers

On multiple fronts, the Nemucod Ransomware shows some of the clearest trends in threat development in 2016. Like many of the simpler, less professionally-coded threats, the Nemucod Ransomware does not use the nigh-impossible to break encryption methods named in its ransom instructions. The Nemucod Ransomware also makes no attempt to delete even local backup data, which is a mistake that a dedicated file encryptor family would be unlikely to make. Consequentially, victims can use multiple means of restoring backups without buying the Nemucod Ransomware's decryption service. The straightforward decryption solution also means that various PC security entities may be able to develop free decryptor apps in short notice.

At the same time, the Nemucod Ransomware still functions effectively as a threat that denies you access to your files, and, perhaps most dangerously, will install other threats with different purposes. You should assume that all the Nemucod and other Trojan downloader-based infections are multi-threat scenarios, potentially including threats such as rootkits or spyware. Use general system scans as provided by your local anti-malware products for identifying these programs and deleting them, along with deleting the Nemucod Ransomware.

The evolving nature of its payloads aside, the Nemucod Ransomware does still using traditional infection methods that you may halt by something as simple as double-checking the authenticity of an e-mail message. Even scanning a suspicious attachment can be the easiest way to keep your files from being the latest to wear a '.crypted' extension.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Nemucod Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner*

* See Free Trial offer below. EULA and Privacy/Cookie Policy. * See Free Trial offer below. EULA and Privacy/Cookie Policy.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%LOCALAPPDATA%\Uxtqmedia\c0fde8fd84767083f1facce2c3cc5316.exe

File name: c0fde8fd84767083f1facce2c3cc5316.exe
Size: 167.93 KB (167936 bytes)
MD5: c0fde8fd84767083f1facce2c3cc5316
Detection count: 215
File type: Executable File
Mime Type: unknown/exe
Path: %LOCALAPPDATA%\Uxtqmedia
Group: Malware file
Last Updated: February 14, 2020

%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nuke.jse

File name: nuke.jse
Size: 402.64 KB (402640 bytes)
MD5: e56ac7e5354df06673495d6da96cd8ef
Detection count: 90
Mime Type: unknown/jse
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: October 5, 2017

file.js

File name: file.js
Size: 9.17 KB (9176 bytes)
MD5: ba44cb88fb6b3d68a0198ad29ad9f27b
Detection count: 80
File type: JavaScript file
Mime Type: unknown/js
Group: Malware file
Last Updated: May 3, 2017

%TEMP%\a2.exe

File name: a2.exe
Size: 73.21 KB (73216 bytes)
MD5: 3e1634d65e61bec012dffed6eef042c2
Detection count: 40
File type: Executable File
Mime Type: unknown/exe
Path: %TEMP%
Group: Malware file
Last Updated: July 27, 2016

More files

Registry Modifications

The following newly produced Registry Values are:

Regexp file mask%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe[RANDOM CHARACTERS]upd.jse%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\def.jse%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\fb.jse%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\mn.jse%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\nuke.jse%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\skype_upd.jse%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\xer64x.jse

Additional Information

The following directories were created:

%LOCALAPPDATA%\Upkfmedia