Nemucod was first noticed in March, last year, and the malware was categorized as a simple dropper. Droppers, also called malware downloaders, infectors, or loaders, are simplistic malware families specialized in the “infection” process and nothing more. When this occurs, they download more potent malware after that.
Nemucod ransomware was noticed by the Emsisoft researcher Fabian Wosar who cracked one of its earlier versions and offered a free decrypter. Nemucod ransomware has been evolving constantly ever since its appearance, with new versions coming out at regular intervals, but still using the .crypted extension to signal its presence on infected systems.
The experts from Intel Security claim that the latest version of the ransomware uses a combination of JS & PHP code to lock people’s files.
The JS file will download five files on the user’s PC: a.exe, a1.exe, a2.exe, a.php, and php4ts.dll. Once the file downloads end, the JS file launches into execution a.exe, which is the PHP 18.104.22.168 interpreter, and php4ts.dll, which contains various dependencies.
The malicious JS code also feeds the a.php file to a.exe. The a.php file contains the ransomware’s malicious code, which will scan the user’s hard drive, set sensitive folders aside, and then start encrypting files that end with a specific extension.
Intel Security claims that the encryption process uses a single-byte XOR, which, in theory, should be easy to reverse-engineer and then unlock user files. However, currently there is no free decrypter available.
As soon as all operations end, the a.php file creates the a.txt file, which is the ransom note, and places it on the user’s desktop. Finally, cyber criminals ask victims to pay 0.3707 Bitcoin (~$245) in order to release their files.