It has been discovered that Nemucod ransomware uses the free open source archive software 7-Zip to encrypt files.
Nemucod is a well-known JavaScript malware family which is distributed via spam emails. Previously, this malware only downloaded additional malware and ransomware, such as TeslaCrypt, to virtual machines.
Nevertheless, recently the Nemucod creator has added a new feature to his artwork, which encrypts files itself and uses 7-Zip for the encryption routines.
The version of Nemucod which contains this feature is distributed by spam mails, pretending to be a court appeal. Once a PC user opens the attached JScript file, the new type of ransomware activates itself and starts to encrypt files using 7-Zip. When successfully encrypted, the ransomeware adds the extension .crypted to the infected files.
According to the security researcher Bart Blaze, it’s rather easy to stop the ransomware while it’s doing its job. The ransomware starts the processes called a0.exe, a1.exe or a2.exe, cmd.exe and wscript.exe that once stopped through task manager stop further encryption of files.
In case that’s not enough, then there are some other encryption tools available online.
The users who couldn’t stop the ransomware on time and unable to decrypt their files, can take the risk and pay 0.49731 Bitcoins in order to get the decryption key.
