Please note that these free tools are provided as-is and without warranty of any kind. The tools may only work with specific ransomware versions, and may not work with versions that were released after a tool was created. Technical support for the tools is available only to customers using a paid Emsisoft product.
NemucodAES is a new variant of the Nemucod ransomware family. Written in a combination of JavaScript and PHP it uses AES and RSA in order to encrypt your files. Encrypted files will keep their original file names and a ransom note named "DECRYPT.hta" can be found on your Desktop. The ransom note reads as follows:
ATTENTION!
All your documents, photos, databases and other important personal files were encrypted
using a combination of strong RSA-2048 and AES-128 algorithms.
The only way to restore your files is to buy decryptor. Please, follow these steps:
Create your Bitcoin wallet here:
https://blockchain.info/wallet/new
Buy 0.13066 bitcoins here:
https://localbitcoins.com/buy_bitcoins
Send 0.13066 bitcoins to this address:
1FeZr4bvMpCf1QTS49VjsdhtnP6zPvMjbP
Open one of the following links in your browser:
http://luxe-limo.ru/counter/?1FeZr4bvMpCf1QTS49VjsdhtnP6zPvMjbP
http://musaler.ru/counter/?1FeZr4bvMpCf1QTS49VjsdhtnP6zPvMjbP
http://vinoteka28.ru/counter/?1FeZr4bvMpCf1QTS49VjsdhtnP6zPvMjbP
http://www.agrimixxshop.com/counter/?1FeZr4bvMpCf1QTS49VjsdhtnP6zPvMjbP
http://sharedocsrl.it/counter/?1FeZr4bvMpCf1QTS49VjsdhtnP6zPvMjbP
Download and run decryptor to restore your files.
You can find this instruction in "DECRYPT" file on your desktop.
To decrypt your files, please run the decrypter on the encrypted system. The decrypter requires various files from your %TEMP% directory of the user that spawned the infection. Therefore it is important not to reformat the system or run any cleanup tools before attempting the decryption.