PCs nowadays often get locked by a ransomware which uses the .CRYPTED file extension. However, now their files can be unlocked by using a special decrypter created by the security researcher Fabian Wosar.
The newly-found ransomware, which has no name yet, is distributed via a massive spam campaign that delivers a JavaScript file attachment. Being downloaded and executed, it will install the Nemucod trojan on the user’s computer.
Nemucod is a malware downloader, known as a trojan virus which used to download other malware on infected PCs. In the past, Nemucod used to download TeslaCrypt, though a while ago the crooks switched to delivering their own home-brew ransomware which locked files with the .CRYPTED extension. This ransomware strain was only encrypting the first 2048 bytes of each file with the XOR algorithm.
When the Python-based decrypter was created, Mr. Fabian Wosar stepped in and converted it to a Windows executable, which most non-technical users can run.
Cracking the ransomware’s encryption with the above-mentioned is easy. The only thing that users should do is to get a hold of an encrypted file, and a version of the same file retrieved from a backup or an online account.
To decrypt .CRYPTED files please follow the steps below:
Step 1:Download the free .CRYPTED decrypter from here: https://decrypter.emsisoft.com/download/nemucod
Step 2. Select one encrypted file and his original, non-encrytped version. Drag them over the decrypter’s icon, like in the GIF below. This will start a brute-forcing of the ransomware’s encryption, which will yield a decryption key.
Step 3. Double-click the decrypter to start it, select the folders containing all .CRYPTED encrypted files, feed in the decryption key, and then launch the decryption process.
Considering the fact that encryption algorithms take a while to compute, both processes, of cracking the decryption key, and then decrypting all files might take a while to execute.
Apart from the above-mentioned, PC users should be aware that besides the home-brew ransomware, Nemucod might also install other malware (known cases included the Kovter downloader/clickfraud trojan) on their computers. This means that they might be infected with some other sort of nasty viruses and should keep their machines protected at all times.
