Remove Nemesis Ransomware

I wrote this article to help you remove Nemesis Ransomware. This Nemesis Ransomware removal guide works for all Windows versions.

Nemesis ransomware is a malicious infection which encrypts files. This win-locker belongs to the category of Trojan ransomware. The creators of Nemesis ransomware have copied the patterns of another virus – Cerber. Because of the similarities between the two programs, security experts have made the assumption that they have been developed by the same group of hackers. The authors of Nemesis ransomware have not addressed this situation thus far. Since this is a virus we are talking about, there is no way to know whether there will be disclosure on the subject.

Nemesis ransomware uses AES-256 cipher to lock files. This is a strong encryption algorithm. The win-locker targets text documents, images, videos, audios, databases, compressed archives, zipped folders and other file types. The nefarious program marks the encrypted objects with a custom file extension. There are two known variants of Nemesis ransomware which append a slightly different suffix. The appendices only differ by the number of symbols in the ID and the final characters. The formula is the following: .id-[10 or 9 hexadecimal characters]_[Tor payment website URL].[5 or 4 hexadecimal characters].

Upon completing the encryption process, Nemesis ransomware drops a ransom note on the desktop. The file is titled ### DECRYPT MY FILES ###.html. A copy of the note is placed in every folder which contains encrypted objects. The win-locker also changes the desktop background to a custom wallpaper. The cyber criminals make sure to get the information across to the victim. They make a living by collecting ransom payments from computer users, so it makes sense that they would have their program send out multiple signals for its presence.

Remove Nemesis Ransomware
The Nemesis Ransomware

Judging by the amount of the ransom, the creators of Nemesis ransomware are among the greediest hackers. They demand a payment of 10 Bitcoins in exchange for the decryption software, Nemesis decryptor. This converts to $13,391.50 USD as per the current exchange rate. The fraud artists have taken measures to protect their identity. They require people to pay in Bitcoins because this is a safe payment method. Bitcoins are a cryptocurrency which gives the option for anonymous transactions. The online platforms for trading them do not require users to provide personal details.

Hosting the payment website on the Tor network is another security measure. This browsing client conceals the geographic location. Without this protection, the cyber thieves could be tracked down when accessing their account to collect the ransom money. It should be noted that the proprietors of Nemesis ransomware do not require victims to use the Tor browser when operating on the payment website. It does not matter which web browser people use to access the domain from. This goes to show that the hackers use the platform for their own protection.

Before victims can settle the payment, they have to contact the developers of Nemesis ransomware. This is addressed in a statement on the wallpaper. According to the image, the win-locker has been created by one person alone. The correspondence is to be carried out via email. The listed address is The mailing client is one of the reasons why researchers believe that Nemesis ransomware may be connected to Cerber ransomware. Regardless who the rogue program belongs to, you should not pay the ransom. Cyber crooks cannot be trusted to make good on a deal. They could collect the payment and not provide the decryption tool. Even if they do, the virus may launch a second attack in time.

Nemesis ransomware is distributed via spam emails. Researchers have identified a campaign which spreads the clandestine program. Of course, there may be other campaigns involved. The trick is the same with all spam emails. They contain an attachment. The sender describes it as a document on a certain matter, like a financial transaction, an order, a delivery package, a bill, a fine, etc. The emails which have been found to spread Nemesis ransomware are about an order. The attached file is a .zip archive. Before opening a file from an in-box message, make sure the sender is who he claims to be. Check his email address. You can refer to the official website of the organization the letter has been sent on behalf of.

Nemesis Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Nemesis Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link:
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panelshadowexplorer
  4. Choose at least a month ago date from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Nextsystem restore
  3. Choose a restore point, at least a month ago
  4. Click “Next
  5. Choose Disk C: (should be selected by default)
  6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Nemesis Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.