23rd November 2016
SC Magazine: Facebook spam caught delivering Locky ransomware – also distributing Nemucod
28th August 2016
SANS Internet Storm Center: Voice Message Notifications Deliver Ransomware. Despite coming from ‘voicemail@*’ and the attachment having the filename extension ‘wav.zip’, these are not sound files but, apparently, ransomware. A more recent VirusTotal report indicates that many vendors are associating the campaign with Nemucod.
18th August 2016
[17th June 2016] Donnie Maasland for ESET on how Nemucod ups its game. Analysis of the downloader rather than its direct relationship with ransomware.
Roland Dela Paz describes for Fortinet how Nemucod, a heavily spammed downloader already well known for delivering malware including (recently) TeslaCrypt, now has the ability to drop ransomware directly (i.e. from its own body), including the ransom note and a batch file that initiates the encryption.
The good news is that the ransomware isn’t as effective as the ransom note would have victims believe: not yet, anyway. It’s not the case that ‘Nobody can help you but us.’ That doesn’t mean this will always be the case, though.
Dela Paz observes some resemblance between this ransomware and KeyBTC, but notes that a direct relationship can’t be confirmed at present.
For ESET, Josep Albors includes information on the distribution of Locky and Teslacrypt by Nemucod: Trojan Downloaders on the rise: Don’t let Locky or TeslaCrypt ruin your day.
Softpedia reports that Nemucod’s CRYPTED Ransomware Can Be Neutralized with This Decrypter: Python-based software written by a member of the Bleeping Computer forums and converted to a Windows executable by Emsisoft’s Fabian Wosar.
An article by Reaqta explores the relationship between Kovter and Nemucod: Nemucod meets 7-Zip to launch ransomware attacks.
NemucodFR may help recover Nemucod-encrypted files. (Not tested by me.)