Nemucod Ransomware

What is Nemucod Ransomware?

Nemucod Ransomware is a malicious program that locks user’s files and in some cases downloads another Trojan infection called Kovter. If these threats managed to enter your system, it is a sign that you have to look for more efficient ways to protect it. The ransomware can do a lot of damage for users who do not backup their data since it encrypts personal files and demands to pay a ransom in exchange for the decryption key. If you are thinking about making the payment, we should tell you that there might be other ways to recover your data. Our researchers at Anti-spyware-101.com confirmed that there are decryptors available on the Internet. Since it will not cost you anything, you might as well try it. You can keep the note that contains the payment details as the last resort, but Nemucod Ransomware and other possible threats should be erased from your system. Thus, keep reading the article and learn how to get rid of the malware.testtesttest

Where does Nemucod Ransomware come from?

It is most likely that Nemucod Ransomware spreads through malicious email attachments that contain Javascript files (.js). For example, the file could be inside an archive that was sent to you from an unfamiliar source. The malware installs itself when you launch a malicious .js file. Afterward, it might download a Trojan known as Kovter as well.

What does Nemucod Ransomware do?

The malware encrypts your data that has the listed extensions: .3gp, .ai, .arc, .arj, .asf, .backup, .bak, .bz, .bz2, .bza, .bzip, .bzip2, .class, .djvu, .fb2, .flv, .gzip, .h, .ice, .img, .iso, .java, .jpeg, .m3u, .mid, .midi, .mkv, .mov, .mp3, .ogg, .pl, .pps, .py, .r00, .r01, .r02, .r03, .rm, .sql, .svg, .vob, .wav, .wma. These files should also have an additional extension, e.g. song.mp3.crypted.

What’s more, it leaves a note that says: “All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key.” It also states that to unlock your files you must pay the ransom. It seems that the asked price is 0.52985 Bitcoins, which is approximately 236 US dollars. The rest of the note contains the instructions that tell you how to transfer the required amount of Bitcoins to Nemucod Ransomware creator’s account.

As we mentioned before, you can try to recover your data while using available decryptors on the Internet, so paying the ransom should not be your first option. However, no matter what you decide, you should eliminate the malware. Likewise, it is important to delete Kovter and other threats that might have entered your system together with Nemucod Ransomware.

How to erase Nemucod Ransomware?

Since it might be difficult to remove Nemucod Ransomware manually, we would advise users to delete it with an antimalware tool, especially because there might be more malware on your system. A legitimate antimalware tool would erase not only the ransomware, but also Kovter or any other threat. However, if you feel that you are up to the task, you can try to remove this infection with the instructions below the text. For starters, you will have to delete a couple of malware’s created keys in the Windows Registry. Apparently, one of it has a random title, so you will have to identify it according to our instructions. Then you will have to delete a few executable files that are associated with the malicious program. If you have some questions to ask, do not hesitate to leave us a comment below or contact us through social media.

Remove Nemucod Ransomware from system

  1. Press Windows Key+R.
  2. Type regedit and select OK.
  3. Navigate to the following path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Locate Value name Upkfmedia, check if its Value data has C:\Users\user\AppData\Local\Upkfmedia\a2.exe, if it does right-click Upkfmedia and select Delete.
  5. Find and delete another Value name with a random title; it should have the following Value data: C:\Windows\SysWOW64\regsvr32.exe C:\Users\user\AppData\Local\Upkfmedia\libtext.dll
  6. Close the Registry Editor and open the Explorer.
  7. Go to: %TEMP%
  8. Find and erase listed files: a0.exe, a2.exe, a.txt.
  9. Navigate to: %LocalAppData%
  10. Locate folder titled as Upkfmedia and right-click to delete it.
  11. Close the Explorer and empty Recycle bin.
100% FREE spyware scan and
tested removal of Nemucod Ransomware*
Disclaimer
Disclaimer

Leave a Comment

Enter the numbers in the box to the right *