- Dec 3, 2015
- 938
Researchers have discovered an updated version of the Nemucod ransomware that uses both JavaScript and PHP to infect users' devices and encrypt their files.
Researchers first observed Nemucod in March 2015, when it was being used as a malware dropper. A ransomware variant delivered through the Nemucod dropper was uncovered in March 2016.
However, a researcher found a way to break that initial Nemucod ransomware variant and offered victims a free decryption tool.
The developers behind Nemucod have since kept releasing new versions to defeat those decryption methods. The latest version reportedly combines JavaScript and PHP code to encrypt and lock a victim's files.
Cyber criminals are distributing Nemucod through phishing emails carrying ZIP attachments that contain a malicious JavaScript file. When the victim runs the JavaScript file, the infection of the targeted computer begins.
The JavaScript file downloads five additional files onto the victim's computer, including a.exe, a1.exe, a.php and php4ts.dll. Once the downloads finish, the JavaScript file launches a.exe together with php4ts.dll: the former is a PHP 4 interpreter (version 4.4.9.9 according to the report) and the latter is the PHP 4 runtime library it depends on.
The JavaScript file then passes a.php, which holds the ransomware logic, to a.exe as the script to run. The encryption routine is a single-byte XOR over the file contents. Because XOR with a one-byte key is its own inverse, and that key can be recovered from any file whose first bytes are known, the researchers say the scheme should be easy to reverse and the victim's files easy to unlock.
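To see why a single-byte XOR is so easy to undo, here is an added example; it is not code from the article or from the Nemucod sample. It assumes only what the report states, namely that each file byte is XORed with one key byte, and it does not model the sample's actual key, file selection or how much of each file it touches. The toy encryptor stands in for the a.php routine, and the recovery side derives the key from the victim file's own format signature (a known-plaintext attack). It goes slightly beyond the article's case by also handling a short repeating key. The MAGIC table, the SAMPLE_PNG data and all function names are constructed for this example.

```python
"""
Single-byte XOR file "encryption" and why it is trivially reversible.

Added example for this article; not code from the page or from the Nemucod
sample. It assumes only what the article states (each file byte is XORed
with one key byte) and does not model the sample's key or file handling.
"""
from __future__ import annotations

# Known file signatures usable as known plaintext. Assumption: the victim's
# files include common formats whose leading bytes are fixed by the format.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",   # also .docx/.xlsx/.jar containers
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. A one-byte key is the article's case.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes,
                key_len: int = 1) -> bytes | None:
    """Known-plaintext attack: key_len known bytes fix the key, and every
    further known byte must agree, otherwise the guess is rejected."""
    if key_len <= 0 or len(known_prefix) < key_len:
        return None
    if len(ciphertext) < len(known_prefix):
        return None
    key = bytes(c ^ p for c, p in zip(ciphertext[:key_len],
                                      known_prefix[:key_len]))
    for i, (c, p) in enumerate(zip(ciphertext, known_prefix)):
        if c ^ key[i % key_len] != p:
            return None
    return key


def identify_and_recover(ciphertext: bytes,
                         key_len: int = 1) -> tuple[str, bytes] | None:
    """Try each signature as the plaintext prefix; return (format, key) for
    the first one consistent with a repeating key of key_len bytes."""
    for fmt, sig in MAGIC.items():
        key = recover_key(ciphertext, sig, key_len)
        if key is not None:
            return fmt, key
    return None


def decrypt_with_signatures(ciphertext: bytes,
                            key_len: int = 1) -> bytes | None:
    """Recover the key from the file's own header, then decrypt the file."""
    found = identify_and_recover(ciphertext, key_len)
    if found is None:
        return None
    return xor_repeating(ciphertext, found[1])


# Constructed sample (not a real file): a PNG header followed by filler.
SAMPLE_PNG = MAGIC["png"] + bytes(range(256)) * 4

if __name__ == "__main__":
    ct = xor_repeating(SAMPLE_PNG, b"\x5a")
    print(identify_and_recover(ct))                    # ('png', b'Z')
    print(decrypt_with_signatures(ct) == SAMPLE_PNG)   # True
    ct3 = xor_repeating(SAMPLE_PNG, b"\x5a\x13\xa7")
    print(identify_and_recover(ct3, key_len=3))        # ('png', b'Z\x13\xa7')
```

The consistency check in `recover_key` matters: a single known byte always yields some key, so the remaining signature bytes are what distinguish a real match from noise. On a real infection the same logic would be run per file, since nothing in a one-byte XOR ties the key to a secret the attacker holds.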
The a.php file reportedly also writes a.txt, a ransom note demanding roughly $245 worth of Bitcoin. The researchers believe this new Nemucod variant may be the first desktop ransomware seen in the wild to use PHP for its encryption routine.
Ransomware written in PHP has previously been aimed mainly at web servers.