New variant of Nemucod/.crypted. Decrypter not working

[dtwestoz 0]

Hello,

 

I've been asked to look at a Nemucod issue that has encrypted files which the Emsisoft decrypter will not decrypt.  I've disabled the infection and run the decrypter on the same machine using an encrypted file and an original from a backup. But get the error: "The decrypter could not determine a valid key for your system. Please drag and drop both an encrypted file as well as its unencrypted counterpart on to the decrypter to determine a correct key. Files need to be at least 510 bytes long."

 

Unfortunately there are some important recent files that were not backed up as it looks like the encryption process has been running longer than the backup rotation!!  No derogatory comments here as it's not my machine

 

My question is if this is a new variant of this ransomware whats the likelihood and timeframe of an update to a decryption tool being made available to decrypt these files?  I've submitted some files to id-ransomware.malwarehunterteam.com which says its Nemucod and "This ransomware may be decryptable under certain circumstances"

 

Thanks in advance for your help

 

Darren 

 

 

[Elise 278]

Hello Darren,

 

I am sorry to hear about this. Is there any chance you have the dropper of the infection? Only if we have that, we can verify if decryption is possible or not. 

[dtwestoz 0]

Thanks for the response Elisa.  From memory the dropper is deleted at the end of the encryption process which looks like it completed.  Would it be located in the %TMP% folder?

[dtwestoz 0]

I've got the other executables and dll files but I think they are subsequent malware infections.

[Elise 278]

Just to be sure, you can upload them to http://www.virustotal.com and send me the link(s) to the scan results. 

[dtwestoz 0]

Hi Elise, heres the first lot:

 

vyde.exe: https://www.virustotal.com/en/file/b6a1d2bd1b659cb434d0e9d3701e7ad5948337a23d69e2c291f8e2e8631a03b0/analysis/1462025812/

a2.exe: https://www.virustotal.com/en/file/5fc3bd579565b862660482ede2156b19230b4f7b23c5f21348a4c8e3e38de613/analysis/1462026266/

ggqcujdk.dll: https://www.virustotal.com/en/file/05627202e4890114285b24177512b6a1733c2a0e4af905763b65b92a8fdbb5bb/analysis/1462026398/

pchrekxt.dll: https://www.virustotal.com/en/file/aac8074fe38d05144bfe6d0b3f8eb1ed0c65272b68f0df549858139ed34f71ba/analysis/1462026489/

qbdhanzj.dll: https://www.virustotal.com/en/file/f8ec3616abcb9b467f514b36f62af477d7e8e361f927e58998b7c940d15ce2a1/analysis/1462026552/

vsxsaxgl.dll: https://www.virustotal.com/en/file/06f159440c61eaf05c48f93b3e0433d899cc6950fe2205b8e0c06394d5a6c237/analysis/1462026635/

 

I'm trying to recover the files from the %TMP% folder which may be more useful

Darren

[Elise 278]

Hello Darren,

Thank you for the additional information. Unfortunately if the decrypter was run with two files (one encrypted and one identical but unencrypted file) and no valid key was found, then decryption is not possible in your case.

 

Many ransomware variants are updated to fix bugs/vulnerabilities that various decrypters use in order to help recover files. For that reason it is impossible to say if an updated decrypter will be available.

 

I can help you remove active infection components, but this will not do anything to recover files.

[Kevin Zoll 309]

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.