23rd November 2016

SC Magazine: Facebook spam caught delivering Locky ransomware – also distributing Nemucod

28th August 2016

SANS Internet Storm Center: Voice Message Notifications Deliver Ransomware. Despite coming from ‘voicemail@*’ and the attachment having the filename extension ‘’, these are not sound files but, apparently, ransomware. A more recent VirusTotal report indicates that many vendors are associating the campaign with Nemucod.

18th August 2016

ESET: Nemucod serves nasty package: Ransomware and ad-clickers

[17th June 2016] Donnie Maasland for ESET on how Nemucod ups its game. Analysis of the downloader rather than its direct relationship with ransomware.

Roland Dela Paz describes for Fortinet how Nemucod, much spammed malware already well-known for downloading malware including (recently) Teslacrypt, now has the ability to drop ransomware directly (i.e. from its own body) including the ransom note and a batch file to initiate the encryption.

Nemucod Adds Ransomware Routine

The good news is that the ransomware isn’t as effective as the ransom note tries to persuade the victims: not yet, anyway. It’s not the case that ‘Nobody can help you but us.’ That doesn’t mean this will always be the case, though.

Dela Paz notes some resemblance between this ransomware and KeyBTC but notes that it can’t be confirmed at present that there is a direct relationship.

For ESET, Josep Albors includes information on the distribution of Locky and Teslacrypt by Nemucod: Trojan Downloaders on the rise: Don’t let Locky or TeslaCrypt ruin your day.

Softpedia reports that Nemucod’s CRYPTED Ransomware Can Be Neutralized with This Decrypter, Python-based software written by someone on the Bleeping Computer forums and converted to a Windows executable by Emsisoft’s Fabian Wosar.

An article by Reaqta explores the relationship between Kovter and Nemucod: Nemucod meets 7-Zip to launch ransomware attacks

NemucodFR may help recover Nemucod-encrypted files. (Not tested by me.)