Threat Research

Nemucod Adds Ransomware Routine

By Roland Dela Paz | March 16, 2016

It came to our attention that a new, rather peculiar version of Nemucod has recently been landing on users. Nemucod is a well-known JavaScript malware family that arrives via spam email and downloads additional malware to PCs. Most recently, Nemucod has been known to download TeslaCrypt ransomware variants.

However, the last few weeks have seen a shift in Nemucod variants: it now carries code to drop ransomware from its own body. The sample arrives via a typical Nemucod spam with an encrypted JavaScript attachment.

Upon decrypting the JavaScript, we can see that it attempts to download a file from compromised websites into the user's temporary directory. The downloaded file is an executable that is later used to encrypt the user's files:

If the download is successful, it then drops the ransom note as a text file:

It then proceeds to drop and run a batch file that encrypts files of certain types on all available drives and completes its system installation:

The target files are appended with the ".crypted" extension. The batch file calls the initially downloaded executable and feeds it each target file found as a parameter in order to encrypt that file. Once encryption is done, it proceeds to display the ransom text:

Finally, it proceeds with its normal routine, which is to download and execute additional malware on the system, so an infected user instantly gets two infections:

The Good

The good news, at least as of this writing, is that it does not really use RSA-1024. In fact, it only encrypts the first 2048 bytes of each file with XOR, using a pre-defined 255-byte key embedded in the downloaded executable component. The following is the relevant opcode sequence from the exe file:


The Bad

While the ransomware implementation is rather simple, it still successfully encrypts files. The bigger question we face, however, is whether the Nemucod actors, who have been around (and arguably successful) for a while now, are now jumping into the ransomware business as well. The only clue we have right now is that the ransomware code is written directly in the JavaScript body, but time will tell whether this is the case.

It is also important to note that the dropped ransomware bears some resemblance to KeyBTC ransomware, but with a simpler implementation. Whether there is a direct relationship between the KeyBTC and Nemucod actors, or the Nemucod actors simply copied KeyBTC's simplistic approach, is something we are unable to confirm for now.

The Funny

As mentioned above, the malware uses XOR encryption, which is a symmetric algorithm. This means that the ransom message's claim that they are the only ones who can help you is false. You can do the following to help yourself if you are infected:

  • The encrypted files can be decrypted as long as you have the XOR key, which is embedded in the executable component.
  • You can restore your PC using system restore.
  • You can restore your files via Volume Shadow Copies.
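The routine described above, reduced to its two essentials (XOR of the first 2048 bytes with a repeating 255-byte key, and a ".crypted" suffix on the file name), as an added Python example; this is neither Fortinet's nor the malware's own code. The key below is a constructed placeholder, since the real one exists only inside the dropped executable, and the file-signature check is an added safeguard for recovery, not something the malware does.

```python
import tempfile
from pathlib import Path

BLOCK_LEN = 2048          # only the first 2048 bytes of each file are touched
CRYPTED_EXT = ".crypted"  # suffix the batch file appends to each target file

# Constructed placeholder: the real 255-byte key is embedded in the downloaded
# executable and is not reproduced here.
PLACEHOLDER_KEY = bytes((i * 7 + 13) & 0xFF for i in range(255))

# File signatures used to sanity-check a recovered header before a bulk run.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".png": b"\x89PNG"}


def xor_first_block(data: bytes, key: bytes, block_len: int = BLOCK_LEN) -> bytes:
    """XOR the first block_len bytes with the repeating key; the rest is untouched.
    XOR is its own inverse, so the same call both encrypts and decrypts."""
    if len(key) != 255:
        raise ValueError("expected a 255-byte key")
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:block_len]))
    return head + data[block_len:]


def header_plausible(path: Path) -> bool:
    """True if the file starts with the magic expected for its suffix (unknown
    suffixes pass); a wrong key shows up here as a garbage header."""
    expected = MAGIC.get(path.suffix.lower())
    return expected is None or path.read_bytes().startswith(expected)


def recover_file(crypted_path: Path, key: bytes) -> Path:
    """Write '<name>.ext' beside '<name>.ext.crypted', leaving the original intact."""
    if crypted_path.suffix != CRYPTED_EXT:
        raise ValueError(f"{crypted_path.name} lacks the {CRYPTED_EXT} suffix")
    plain_path = crypted_path.with_suffix("")
    plain_path.write_bytes(xor_first_block(crypted_path.read_bytes(), key))
    if not header_plausible(plain_path):
        plain_path.unlink()
        raise ValueError("decrypted header does not match the file type: wrong key?")
    return plain_path


def demo() -> bool:
    """Round-trip a constructed 4 KiB PDF-like file through the routine."""
    original = b"%PDF-1.4\n" + bytes(range(256)) * 16
    with tempfile.TemporaryDirectory() as tmp:
        crypted = Path(tmp) / ("report.pdf" + CRYPTED_EXT)
        crypted.write_bytes(xor_first_block(original, PLACEHOLDER_KEY))
        tail_ok = crypted.read_bytes()[BLOCK_LEN:] == original[BLOCK_LEN:]
        recovered = recover_file(crypted, PLACEHOLDER_KEY)
        return tail_ok and recovered.read_bytes() == original
```

Because only the first 2048 bytes are altered, everything past that offset of a ".crypted" file is already the original content, which is a quick way to confirm you are dealing with this variant before touching the key.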

Fortinet detects the Nemucod malware family as JS/Nemucod variants.

-= FortiGuard Lion Team =-

Indicators of Compromise

Related hashes:

Added files:
"%User Temp%\{random}.txt"

Added registries:

Crypted = ""
notepad.exe = "%User Temp%\{random}.txt"
Crypted = "%User Temp%\{random}.txt"