14 DAY TRIAL // The latest version of the Nemucod ransomware uses a combination of JavaScript and PHP code to infect users and encrypt their files.
Nemucod first appeared in March 2015, and at its base, the malware is a simple dropper. Droppers, also called malware downloaders, infectors, or loaders, are simplistic malware families specialized in the "infection" process and nothing more. After this occurs, they then download more potent malware.
For this article, when we say Nemucod, we are referring to a custom ransomware variant that researchers observed delivered via the Nemucod dropper alone.
First Nemucod ransomware variant was decryptable
The Nemucod ransomware was seen for the first time this past March, when Emsisoft researcher Fabian Wosar also cracked one of its earlier versions and offered a free decrypter.
Since then, the Nemucod ransomware has been evolving, with new versions appearing at regular intervals, but still using the .crypted extension to signal its presence on infected systems.
According to researchers from Intel Security, the latest version uses a combination of JS & PHP code to lock people's files.
Nemucod comes with a built-in PHP interpreter
Nemucod is distributed in the same way as before. Users receive spam emails that contain ZIP files, which, in turn, hold a JavaScript file. Executing this file starts the ransomware's malicious process.
The JS file will download five files on the user's PC: a.exe, a1.exe, a2.exe, a.php, and php4ts.dll.
As soon as the file downloads end, the JS file launches into execution a.exe, which is the PHP 4.4.9.9 interpreter, and php4ts.dll, which contains various dependencies.
Theoretically, this version of Nemucod should be easy to decrypt
The malicious JS code also feeds the a.php file to a.exe. The a.php file contains the ransomware's malicious code, which will scan the user's hard drive, set sensitive folders aside, and then start encrypting files that end with a specific extension.
According to Intel Security, the encryption process uses a single-byte XOR, which, in theory, should be easy to reverse-engineer and then unlock user files.
Once all operations end, the a.php file creates the a.txt file, which is the ransom note, and places it on the user's desktop. Crooks are asking victims to pay 0.3707 Bitcoin (~$245).
UPDATE [Juen 21, 2016]: Leveraging on @MalwareHunterTeam's extensive experience with malware reverse engineering, the researcher told us this might be the first desktop-targeting ransomware that uses PHP for the encryption operations. Previously, PHP-based ransomware have targeted only Web servers.
Furthermore, the first one to spot Nemucod's PHP variant was a security researcher named @Antelox, who penned a blog post for ReaQta two weeks ago, and created a free decrypter that can help you unlock your files for free. Additionally, there's this report from Forcepoint.