Victims of the latest version of one of the most common forms of ransomware may now be able to get their files back without giving in to cybercriminals’ demands thanks to the release of a new decryption tool.
The Nemucod ransomware family has been active since at least 2015 and has remained one of the most common ransomware threats for much of the time since. Researchers have cracked previous versions of Nemucod, but the malicious operation behind the ransomware doesn’t give up and continually releases new versions in an effort to stay one step ahead of security services.
Indeed, those behind Nemucod released a new version of their ransomware – NemucodAES – delivering the malicious component via a PHP script and PHP interpreter in order to encrypt the victim’s files.
Like previous versions of the ransomware, NemucodAES dupes victims into clicking a malicious link that delivers the malware, using emails which claim to contain information about an undelivered package.
However, one key difference from previous incarnations is that it has changed the type of encryption from RC4 to a mix of AES-128 in ECB mode and RSA encryption, using a randomly generated 128-bit key for each file in order to make the files more difficult to decrypt.
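The choice of ECB mode mentioned above matters to responders: in ECB every identical 16-byte plaintext block encrypts to the identical ciphertext block, so an encrypted file with repetitive content (zero runs, repeated boilerplate) keeps visible repeats, which is a cheap way to triage which mode a recovered sample used before reaching for a decrypter. The following is an added example, not code from the article, from Emsisoft or from the decrypter it describes; the "fake block cipher", the key and the sample document are constructed stand-ins so the script runs offline without a crypto library.

```python
"""Triage heuristic: detect ECB-mode ciphertext by counting repeated 16-byte blocks.

Added example, not part of the original article or of Emsisoft's decrypter.
It cannot recover keys or files; it only helps classify an encrypted sample.
"""
import hashlib
from collections import Counter

BLOCK = 16  # AES block size in bytes


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Standard PKCS#7 padding so the input is a whole number of blocks."""
    n = block - len(data) % block
    return data + bytes([n]) * n


def _fake_block_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for AES-128: deterministic, key-dependent 16-byte output.

    NOT a real cipher (it is not even invertible); it exists only so the two
    mode simulations below produce realistically shaped ciphertext offline.
    """
    return hashlib.sha256(key + block).digest()[:BLOCK]


def simulate_ecb(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is encrypted independently, so equal blocks stay equal."""
    padded = pkcs7_pad(plaintext)
    return b"".join(_fake_block_cipher(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def simulate_ctr(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """CTR: XOR with a per-block keystream, so equal plaintext blocks differ."""
    out = bytearray()
    for counter, i in enumerate(range(0, len(plaintext), BLOCK)):
        keystream = _fake_block_cipher(key, nonce + counter.to_bytes(8, "big"))
        chunk = plaintext[i:i + BLOCK]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def duplicate_block_ratio(data: bytes, block: int = BLOCK) -> float:
    """Fraction of full blocks that repeat an earlier block (partial tail ignored)."""
    usable = len(data) - len(data) % block
    blocks = [data[i:i + block] for i in range(0, usable, block)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    duplicates = sum(c - 1 for c in counts.values())
    return duplicates / len(blocks)


def looks_like_ecb(data: bytes, threshold: float = 0.05) -> bool:
    """Flag a sample when more than `threshold` of its blocks are repeats."""
    return duplicate_block_ratio(data) >= threshold


# Constructed sample document: a zero-filled region (common in real file formats)
# followed by a repeated line of text, so it contains many identical blocks.
SAMPLE_PLAINTEXT = b"\x00" * (BLOCK * 40) + b"Quarterly report - confidential\n" * 4
SAMPLE_KEY = b"constructed-key!"      # 16 bytes, constructed for the demo
SAMPLE_NONCE = b"nonce123"            # 8 bytes, constructed for the demo

ECB_SAMPLE = simulate_ecb(SAMPLE_KEY, SAMPLE_PLAINTEXT)
CTR_SAMPLE = simulate_ctr(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_PLAINTEXT)


def main() -> None:
    for name, sample in (("ECB-shaped", ECB_SAMPLE), ("CTR-shaped", CTR_SAMPLE)):
        ratio = duplicate_block_ratio(sample)
        print(f"{name}: {ratio:.2%} repeated blocks, ECB suspected: {looks_like_ecb(sample)}")


if __name__ == "__main__":
    main()
```

On real samples the heuristic only works when the original file had repetitive regions; a compressed or already-encrypted plaintext gives no repeats in either mode, so a negative result does not rule ECB out.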
Those infected with NemucodAES are presented with a ransom note demanding a Bitcoin ransom of $300 in exchange for the return of their files.
However, those who fall foul of this latest version of Nemucod may not have to pay the ransom in order to regain access to their system, as researchers at Emsisoft have released a free decryption tool for NemucodAES.
“Not to be outplayed by cyber criminals our lab promptly went to work and produced a new version of our decrypter to handle NemucodAES and free victims’ files,” the company said in a blog post.
Emsisoft is part of the No More Ransom initiative, a partnership between law enforcement and cybersecurity firms which provides free keys for unlocking encrypted files and information on how to avoid getting infected with ransomware in the first place.