robacarp / nemucod_decrypt

Licence: other
Ruby tool to decrypt Nemucod ransomware

Nemucod Decrypt

A Ruby tool to decrypt Nemucod ransomware.

Development Status

  • Key derivation and file decryption
  • Passing parameters in from a command line
  • Packaged up as a gem

Usage

Install the uncrypt_nemucod gem however you prefer. The command-line dependency gem, slop, is also required.

Assuming a file fruit.pdf.crypted in the current directory, and an unencrypted version of the same file, fruit.pdf, first derive the decryption key:

$ uncrypt_nemucod --derive-key -k decrypt.key fruit.pdf.crypted fruit.pdf
Recovering key...

Key file is 1024 bytes long and contains 20 NUL bytes.

Now, decrypt all .crypted files in the current directory:

dutero-basilius ~/Desktop> uncrypt_nemucod --decrypt -k decrypt.key *.crypted
Decrypting example_file.pdf.crypted...OK
Decrypting example_file.jpg.crypted...OK
Decrypting example_file.txt.crypted...OK
Decrypting example_file.gif.crypted...OK
Decrypting example_file.doc.crypted...OK
Decrypting example_file.xls.crypted...OK
Decrypting example_file.wav.crypted...OK
Decrypting example_file.mp3.crypted...OK
Decrypting example_file.m4a.crypted...OK
Decrypting example_file.ppt.crypted...OK
Decrypting example_file.mid.crypted...OK
Decrypting example_file.exe.crypted...OK
Decrypting example_file.png.crypted...OK

Finding an unencrypted file

Assuming your hard drive is encrypted, how do you go about finding an unencrypted version of one of your files? How do you know it's the right one?

Start here, and put your detective hat on:

  • Stock files, such as sample pictures or documents that came with the operating system: If one of them has been encrypted, find the same file on another computer or on the internet.
  • Files recently downloaded from the internet: look through your downloads directory for images or documents you recently downloaded. Find the same file on the internet again.
  • Backups: Check your backups...you do have some backups, right? Ok. Did you ever copy a file to a thumb drive? Or send one over email? Unfortunately, printing a file probably won't help.

How do you know you've got the right file?

  • Check the size, in bytes. The crypted and uncrypted files should be exactly the same size.

Background

A ransomware dubbed Nemucod or DECRYPT.txt rapidly encrypts files using a weak XOR encryption. Without the key, it is still difficult to recover the ransomed data. However, the XOR key is easily derived by comparing a known good file to its encrypted counterpart. I read about the encryption technique, and the possibility of deriving the key and decrypting files manually sounded like a great learning experience, so here it is.
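The key derivation the Usage section drives from the command line and the Background paragraph explains, as an added Ruby example (not code from the uncrypt_nemucod gem): XOR a known-good file against its .crypted twin to recover the key, check that the pair is consistent with a repeating key, and reuse the key on another file. It assumes a 1024-byte key applied cyclically over the whole file; the README only states that the recovered key is 1024 bytes long.

```ruby
# Added example, not code from the uncrypt_nemucod gem. Assumes a
# KEY_LEN-byte XOR key applied cyclically over the whole file; the
# README only states that the recovered key is 1024 bytes long.
KEY_LEN = 1024

# Derive the XOR key from a known-good file and its .crypted twin.
# Fails on a size mismatch (the README's "right file" check) or when the
# pair does not fit a repeating key of key_len bytes (wrong pair/period).
def derive_key(plain, crypted, key_len = KEY_LEN)
  unless plain.bytesize == crypted.bytesize
    raise ArgumentError, "size mismatch: #{plain.bytesize} vs #{crypted.bytesize}"
  end
  raise ArgumentError, "file shorter than the key" if plain.bytesize < key_len
  p = plain.bytes
  c = crypted.bytes
  key = Array.new(key_len) { |i| p[i] ^ c[i] }
  # Every later offset must agree with the key byte at i mod key_len.
  (key_len...p.size).each do |i|
    next if (p[i] ^ c[i]) == key[i % key_len]
    raise ArgumentError, "pair inconsistent with a #{key_len}-byte key at offset #{i}"
  end
  key.pack("C*")
end

# XOR is its own inverse, so one routine both encrypts and decrypts.
def xor_with_key(data, key)
  k = key.bytes
  data.bytes.each_with_index.map { |b, i| b ^ k[i % k.size] }.pack("C*")
end

# Mirrors the tool's "contains N NUL bytes" report: a NUL key byte leaves
# the corresponding plaintext byte untouched in the .crypted file.
def nul_count(key)
  key.bytes.count(0)
end

# Constructed demo data: a fixed-seed key and two "files", no real samples.
if __FILE__ == $PROGRAM_NAME
  rng = Random.new(42)
  demo_key = Array.new(KEY_LEN) { rng.rand(256) }.pack("C*")
  fruit_pdf = Array.new(2500) { rng.rand(256) }.pack("C*")
  recovered = derive_key(fruit_pdf, xor_with_key(fruit_pdf, demo_key))
  puts "Key file is #{recovered.bytesize} bytes long and contains #{nul_count(recovered)} NUL bytes."
  other = xor_with_key("second file contents " * 60, demo_key)
  ok = xor_with_key(other, recovered).start_with?("second file")
  puts "Decrypting other file...#{ok ? 'OK' : 'FAILED'}"
end
```

The consistency check is what tells you the plaintext you found is the right one: a wrong file (or a wrong key period) fails at the first disagreeing offset instead of silently producing a bad key.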

The Nemucod ransomware is easy to identify by a signature text file it leaves on the Windows desktop of a victim computer. I've redacted some parts of this sample:

ATTENTION!

All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. To restore your files you have to pay BTC (bitcoins). Please follow this manual:

  1. Create Bitcoin wallet here: https://blockchain.info/wallet/new
  2. Buy BTC with cash, using search here: https://localbitcoins.com/buy_bitcoins
  3. Send BTC to this Bitcoin address:
  4. Open one of the following links in your browser to download decryptor:
  5. Run decryptor to restore your files.

PLEASE REMEMBER:

  • If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
  • Nobody can help you except us.
  • It's useless to reinstall Windows, update antivirus software, etc.
  • Your files can be decrypted only after you make payment.
  • You can find this manual on your desktop (DECRYPT.txt).

A family member recently became a victim of this scam and asked me for help, but the available decryptor didn't look like it would run on macOS or Linux. I'm always interested in diving into some malware and bit math, so I built this Ruby tool to derive the key and decrypt ransomed files.

Send me a note if it proves to be of any use to you.

Sources:
