Nemucod is a type of ransomware – malicious software that has been circulating the web for over two decades now. At first it was only around in Russia, but now it’s more or less everywhere and can infect anyone. Unfortunately, it’s only growing in popularity, and the reason for this is largely the cryptocurrency Bitcoin.
Bitcoins are practically untraceable, and the hackers behind Nemucod and others like it have learned to request the ransom for the encryption keys, which you need to access your files, in Bitcoins. This makes them more or less unstoppable; otherwise they’d be doing time in prison instead of messing with other people’s computers.
If you’ve been infected by Nemucod, you probably already found out about it from a disturbing message on your screen, which told you exactly how much trouble you’re in. Never fear, however: we’re here to help and have put together a guide that will show you how to remove this pesky virus from your computer. Keep in mind that removing it won’t restore your files, but we might have that covered too, as you’ll see if you keep reading.
How exactly Nemucod operates and how it gets into your PC
Let’s start with that last part. The majority of ransomware infections occur via email. Most likely you were sent an email with an attachment or a hyperlink which, when opened, unleashed hell onto your system. Inside was a Trojan horse, which downloaded Nemucod onto your PC without asking for your permission or acknowledgement. Once that’s done, it goes about encrypting your files completely unnoticed and then displays the aforementioned message with the ransom note. Depending on how powerful your processor is and how much data is stored, you do however stand a chance of catching Nemucod ‘in the deed’. You might notice that your computer is running unusually slowly, and this should send you searching your Task Manager for suspicious processes. Sort those by memory used, because this baby will be using a whole lot of RAM, and if you see it – it’s lights off. Switch off your PC that very moment and turn to a professional for help.
To pay or not to pay
Well, this one is solely up to you. We would advise you not to, because there are more drawbacks to this than there are positive aspects. Let us go over them, beginning with the only good side.
Pro: You pay the ransom, they give you the encryption key, it works and you have full access to your files again. Great!
Cons: You pay the ransom amount; they don’t send you the key. Not so feisty now, right? Or here’s another one: you pay, they DO send it, and it doesn’t work for all your files. Something tells us they’re not going to care much. And, not to be playing the moral police here, but by giving criminals money – aren’t you supporting them? And these guys are criminals, even if you can’t see them and they haven’t exactly robbed a bank or threatened to kill someone. But, like we said – it’s up to you. We can only suggest you try the steps below first, because at the very least they will not cause further damage to your data, even if they don’t succeed in recovering all of it.
How to be safe in the future
It goes without saying that a good, proven anti-malware program must be installed and functioning on your computer. We recommend running virus checks frequently to be sure no malware has made its way into your system. You should also avoid going to obscure websites, which might be harboring viruses and other unwanted programs. These could include, but aren’t limited to, open-source download sites, for example. That being said, you should especially avoid downloading anything from websites like these, because there’s no telling what else can come bundled with your desired software or file. And, of course, be very cautious with emails you receive from unfamiliar sources. If the sender seems far too suspicious – simply don’t open the email; if you have gone that far already, at least refrain from downloading and opening the attachment(s) and/or following the link inside, should there be one.
| Danger Level | High (Very dangerous, goes unnoticed. Might leave some files encrypted even after decryption) |
| Symptoms | Computer might be running very slowly while files are being encrypted. After this, you will lose access to certain files and will see a ransom note regarding the decryption key. |
| Distribution Method | Typically via email. You might receive a Trojan in the form of an attachment, which when opened will download Nemucod. |
| Detection Tool | Nemucod may be difficult to track down. Use SpyHunter – a professional parasite scanner – to make sure you find all files related to the infection. |
Nemucod Ransomware Removal
Reboot in Safe Mode (use this guide if you don’t know how to do it).
This is the first preparation.
The first thing you must do is Reveal All Hidden Files and Folders.
- Do not skip this. Nemucod may have hidden some of its files.
Hold the Start Key and R – copy + paste the following and click OK:
A new file will open. If you are hacked, there will be a bunch of other IPs connected to you at the bottom. Look at the image below:
If there are suspicious IPs below “Localhost” – write to us in the comments.
Type msconfig in the search field and hit enter. A window will pop-up:
Go to the Startup tab and uncheck entries that have “Unknown” as Manufacturer.
Press CTRL + SHIFT + ESC simultaneously. Go to the Processes Tab. Try to determine which ones are a virus. Google them or ask us in the comments.
WARNING! READ CAREFULLY BEFORE PROCEEDING!
Right click on each of the virus processes separately and select Open File Location. End the process after you open the folder, then delete the directories you were sent to.
Type Regedit in the Windows search field and press Enter. Once inside, press CTRL and F together and type the virus’s name.
Search for the ransomware in your registry and delete the entries. Be extremely careful – you can damage your system if you make a big mistake.
Type each of the following in the Windows Search Field:
Delete everything in Temp. In the rest, just check for anything recently added. Remember to leave us a comment if you run into any trouble!
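As an added example that is not part of the original guide, the following PowerShell script runs the same checks described in the steps above (memory-hungry processes, non-loopback hosts-file entries, startup entries, recently written Temp files) in one read-only pass, so you can review the findings before deleting anything. It assumes an elevated PowerShell prompt on the affected Windows machine; the function names are ours.

```powershell
# Added example (not from the original article): read-only triage that mirrors the
# manual removal steps above. Run from an elevated PowerShell prompt; it deletes nothing.

# Step "Task Manager, sort by memory": the ten processes with the largest working set.
function Get-TopMemoryProcesses {
    Get-Process |
        Sort-Object WorkingSet64 -Descending |
        Select-Object -First 10 Name, Id, Path,
            @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } }
}

# Step "hosts file": every active (non-comment) line that is not a plain loopback mapping.
function Get-SuspiciousHostsEntries {
    $hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
    Get-Content $hostsPath |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' }
}

# Step "msconfig Startup tab": the same entries, read from the Run keys and Startup folders.
# Win32_StartupCommand has no manufacturer field, so review Command and Location by hand.
function Get-StartupEntries {
    Get-CimInstance Win32_StartupCommand |
        Select-Object Name, Command, Location, User
}

# Step "Temp": files written in the last 24 hours. The guide deletes the folder's contents;
# this only lists them so you can see what was dropped recently.
function Get-RecentTempFiles {
    Get-ChildItem $env:TEMP -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) } |
        Select-Object FullName, LastWriteTime, Length
}

'== Top processes by memory ==';        Get-TopMemoryProcesses   | Format-Table -AutoSize
'== Non-loopback hosts entries ==';     Get-SuspiciousHostsEntries
'== Startup entries ==';                Get-StartupEntries       | Format-Table -AutoSize
'== Temp files modified in last 24h =='; Get-RecentTempFiles     | Format-Table -AutoSize
```

Anything the script lists is a candidate for the manual steps above (Open File Location, unchecking the startup entry), not an automatic verdict; a legitimate updater or backup agent can show up in every one of these lists.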
How to Decrypt files infected with Nemucod
There is only one known way to undo the virus’ encryption that MAY work (no guarantees) – reverting your files to a previous state. You have two options for this:
The first is using a system backup. Search for Backup and Restore in the Windows search field, then choose “Select another backup to restore files from”.
If you have no backups, your other option is Recuva.
Go to the official site for Recuva and download its free version. When you start the program, select the file types you want to recover. You probably want all files. Next select the location. You probably want Recuva to scan all locations.
Click on the box to enable Deep Scan. The program will now start working and it may take a really long time to finish, so be patient and take a break if necessary.
You will now get a big list of files to pick from. Select all relevant files you need and click Recover.
Did we help? Share your feedback with us so we can help other people in need!