dtwestoz, posted April 28, 2016

Hello, I've been asked to look at a Nemucod issue that has encrypted files which the Emsisoft decrypter will not decrypt. I've disabled the infection and run the decrypter on the same machine using an encrypted file and an original from a backup, but get the error: "The decrypter could not determine a valid key for your system. Please drag and drop both an encrypted file as well as its unencrypted counterpart on to the decrypter to determine a correct key. Files need to be at least 510 bytes long."

Unfortunately there are some important recent files that were not backed up, as it looks like the encryption process has been running longer than the backup rotation!! No derogatory comments here, as it's not my machine.

My question is: if this is a new variant of this ransomware, what's the likelihood and timeframe of an update to a decryption tool being made available to decrypt these files? I've submitted some files to id-ransomware.malwarehunterteam.com, which says it's Nemucod and "This ransomware may be decryptable under certain circumstances".

Thanks in advance for your help,
Darren
Elise, posted April 28, 2016

Hello Darren, I am sorry to hear about this. Is there any chance you have the dropper of the infection? Only if we have that can we verify whether decryption is possible or not.
dtwestoz, posted April 30, 2016

Thanks for the response, Elise. From memory the dropper is deleted at the end of the encryption process, which looks like it completed. Would it be located in the %TMP% folder?
dtwestoz, posted April 30, 2016

I've got the other executables and dll files, but I think they are subsequent malware infections.
Elise, posted April 30, 2016

Just to be sure, you can upload them to http://www.virustotal.com and send me the link(s) to the scan results.
dtwestoz, posted April 30, 2016

Hi Elise, here's the first lot:

vyde.exe: https://www.virustotal.com/en/file/b6a1d2bd1b659cb434d0e9d3701e7ad5948337a23d69e2c291f8e2e8631a03b0/analysis/1462025812/
a2.exe: https://www.virustotal.com/en/file/5fc3bd579565b862660482ede2156b19230b4f7b23c5f21348a4c8e3e38de613/analysis/1462026266/
ggqcujdk.dll: https://www.virustotal.com/en/file/05627202e4890114285b24177512b6a1733c2a0e4af905763b65b92a8fdbb5bb/analysis/1462026398/
pchrekxt.dll: https://www.virustotal.com/en/file/aac8074fe38d05144bfe6d0b3f8eb1ed0c65272b68f0df549858139ed34f71ba/analysis/1462026489/
qbdhanzj.dll: https://www.virustotal.com/en/file/f8ec3616abcb9b467f514b36f62af477d7e8e361f927e58998b7c940d15ce2a1/analysis/1462026552/
vsxsaxgl.dll: https://www.virustotal.com/en/file/06f159440c61eaf05c48f93b3e0433d899cc6950fe2205b8e0c06394d5a6c237/analysis/1462026635/

I'm trying to recover the files from the %TMP% folder, which may be more useful.

Darren
Elise, posted April 30, 2016

Hello Darren, thank you for the additional information. Unfortunately, if the decrypter was run with two files (one encrypted and one identical but unencrypted file) and no valid key was found, then decryption is not possible in your case. Many ransomware variants are updated to fix bugs/vulnerabilities that various decrypters use in order to help recover files. For that reason it is impossible to say if an updated decrypter will be available. I can help you remove the active infection components, but this will not do anything to recover files.
Kevin Zoll, posted May 4, 2016

Thread Closed. Reason: Lack of Response.

PM either Kevin, Elise, or Arthur to have this thread reopened. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.