3 May 2018 NMCrypt Ransomware – Information & Decryption

What is NMCRYPT?

 

NMCRYPT is a high-risk ransomware-type virus similar to NM4. Once infiltrated, NMCRYPT encrypts most stored data using AES-256 and RSA-2048 encryption algorithms. In addition, this malware appends filenames with the “.NMCRYPT” extension. For example, “sample.jpg” is renamed to “sample.jpg.NMCRYPT“. Encrypted files become unusable. Once the encryption process is over, NMCRYPT generates an HTML file (“Recover your files.html“) and places a copy in every existing folder.

The new HTML file contains a long text message informing victims of the encryption and instructing them what to do next – to decrypt data, users must visit NMCRYPT’s website and follow the instructions. As mentioned above, NMCRYPT uses AES and RSA algorithms to encrypt data. Therefore, two unique keys (generated individually for each victim) are necessary to restore data. These keys are stored on a remote server controlled by cyber criminals and users are encouraged to pay a ransom in exchange for their release. The cost is $6705.02 and must be paid in the Bitcoin cryptocurrency. As compared to other ransomware-type viruses, the size of this ransom is extremely high – ransoms typically fluctuate between $500 and $1500. Users are also permitted to send three selected files (DOC/XLS/XML/JPG formats, 2MB in total) to cyber criminals. These are then restored and returned to the victim as a ‘guarantee’ that decryption is possible. In fact, cyber criminals can never be trusted. Research shows that users are often ignored after submitting payments. Paying gives no positive result and users are scammed. Therefore, you are strongly advised to ignore all requests to pay any ransoms. Unfortunately, there are no tools capable of cracking AES/RSA algorithms and restoring files free of charge. Therefore, the only solution is to restore everything from a backup.

Screenshot of a message encouraging users to pay a ransom to decrypt their compromised data:

NMCRYPT decrypt instructions

NMCRYPT is virtually identical to Tron, Iron, Vurten, ScorpionLocker, and dozens of other ransomware-type viruses. All are designed by different cyber criminals, however, their behavior is identical – all encrypt data and make ransom demands. In most cases, ransomware-type viruses have just two major differences: 1) size of ransom, and; 2) type of encryption algorithm used. Unfortunately, most of these viruses employ algorithms that generate unique decryption keys. Therefore, unless the ransomware is not fully developed or has certain bugs/flaws (for example, the key is stored locally, hard-coded or similar), file decryption manually without involvement of developers (contacting these people is not recommended) is impossible. Malware such as NMCRYPT is one of the main reasons why you should keep regular data backups, however, store them on a remote server (e.g., Cloud) or unplugged storage device. If not, backups are encrypted as well.

How did ransomware infect my computer?

 

Ransomware is commonly proliferated via trojans, fake software updaters, spam emails, and third party software download sources. Trojans work simply – most open backdoors for other malware to infiltrate the system. Fake updaters infect the computer by exploiting outdated software bugs/flaws or downloading and installing malware rather than software updates. Spam emails often contain malicious attachments (e.g., MS Office documents, JavaScript files) designed to execute scripts that stealthily download and install malware. Unofficial software download sources (peer-to-peer [P2P] networks, free file hosting websites, freeware download websites, etc.) present malicious executables as legitimate software. Therefore, many users are tricked into downloading and installing malware.

How to protect yourself from ransomware?

 

To prevent system infiltration by ransomware, be very cautious when browsing the Internet. Think twice before opening email attachments. If the file has been sent by a suspicious email address and it seems irrelevant, do not open it and immediately delete the message. We recommend that you download your applications from official sources only, using direct download links rather than third party downloaders/installers. These tools often include malicious apps, and thus should never be used. Keep installed applications updated and use a reputable anti-virus/anti-spyware suite, but update your apps using implemented functions or tools provided by the official developer only – as mentioned before, criminals proliferate malware using fake updaters. The main reasons for computer infections are poor knowledge and careless behavior. The key to safety is caution.

Text presented in NMCRYPT ransomware HTML file (“Recover your files.html“):

Encrypted files!
All your files are encrypted.Using AES256-bit encryption and RSA-2048-bit encryption.
Making it impossible to recover files without the correct private key.
If you are interested in getting is the key and recover your files
You should proceed with the following steps.
The only way to decrypt your files safely is to buy the Descrypt and Private Key software.
Any attempts to restore your files with the third-party software will be fatal for your files!
Important use Firefox or Chrome browser
To proceed with the purchase you must access one of the link below
https://lylh3uqyzay3lhrd.onion.to/
https://lylh3uqyzay3lhrd.onion.link/
If neither of the links is online for a long period of time, there is another way to open it, you should install the Tor Browser
If your personal page is not available for a long period there is another way to open your personal page – installation and use of Tor Browser:

run your Internet browser (if you do not know what it is run the Internet Explorer);
enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
wait for the site loading;
on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
run Tor Browser;
connect with the button ‘Connect’ (if you use the English version);
a normal Internet browser window will be opened after the initialization;
type or copy the address
https://lylh3uqyzay3lhrd.onion
in this browser address bar;
press ENTER;
the site should be loaded; if for some reason the site is not loading wait for a moment and try again.
If you have any problems during installation or use of Tor Browser, please, visit https://www.youtube.com and type request in the search bar ‘Install Tor Browser Windows’ and you will find a lot of training videos about Tor Browser installation and use.
Your Key: –

Screenshot of NMCRYPT website:

NMCRYPT website

Text presented in this website:

Home

Your files have been encrypted because of security holes in your systems. So that this does not happen again, and you need to increase the security of the environment in question by hiring a company that specializes in security. It is not just a virus that has become a secure machine. A backup is also required so that your data is not lost. I look for a security of their systems.
I will send you a private key so you can retrieve your files as soon as a donation to complete, if necessary, I will assist you with the procedure. I do not care about your files just with a donation. If your files are important to you, I’ll do an evaluation, otherwise you can not retrieve them.
I will provide the private key for you to recover your files.
In addition, you need to make a donation of USD 6,705.02 in bitcoin, converting at the current quotation you need to pay 1.0000 Bitcoin
You can check the price of bitcoin at the following site:
hxxp://preev.com/
Only donation will be accepted by BITCOIN, but you have no idea how to buy bitcoin on the internet, you can get help in the menu FAQ Click Here
As a guarantee, send up to three files encrypted as DOCS XLS XML JPG.
With a maximum size of 2mb to make it easy you need to compress the files with winrar or zip.
You should upload the files to any upload site of your choice, you do not know of any that you can use the following site
hxxp://wikisend.com/
Choose the file and click “Upload File” for the uploaded file.
Copy the “Download Link” and inform the download link in the support box next to it.

Screenshot of files encrypted by NMCRYPT (“.NMCRYPT” extension):

Files encrypted by NMCRYPT

What happens after paying the ransom?

 

Luckily, we managed to negotiate with the attacker & managed to send 0.25 BTC, rather than the 0.35 BTC they originally requested.

Remember, there is no guarantee that the attacker will release the decryption software & key after making a bitcoin transfer, so ALWAYS MAKE SURE YOU TAKE A BACK UP OF YOUR DATA REGULARLY.

The attacker has sent us a decryption program, which was automatically detected by ESET, log file below:

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
02/05/2018 19:48:09;Real-time file system protection;file;C:\Users\XXX\Downloads\Decrypt\DESCRYPTNMCRYPT.exe;a variant of Generik.KIBSDBQ trojan

The decryption program screenshot:

 

After having no choice but to use this software to decrypt the files, I can confirm that it does successfully decrypt the files.

How does the decryption program work?

 

The decryption program could be a lot better, it will scan all local drives, identifying folders / files that have been encrypted with the .NMCrypt extension & will decrypt them using the key.

Unfortunately, you cannot choose what folders, if the program locks up due to not being able to access a file, it will have to start again, although, it will run quicker as it marks the file / folder as ‘done’.

As you can see from above, it checks each individual file & decrypts the files one by one, it takes longer depending on the file size.

The best way to decrypt your files would be to transfer the encrypted data to a sandbox environment (off of the network / internet), run the decryption tool & then transfer the decrypted data back.

What does the key look like?

 

For obvious reasons, I won’t be pasting the key here, but within the .zip file the attacker transferred us, it contained a ‘key.txt’ file, containing a 2344 character key, which is the private key to decrypt the data that had been encrypted. There is no way you will be able to guess / brute force this.

Additional information:

 

If you need any help or assistance with ransomware or malware removal, we can help, please call us to help get your network or business protected.

 

 

 

 

 

Some information has been taken from PCRisk.com, which I will credit here: Click here to visit the page.

 

Please follow and like us:
RSS
Facebook
Facebook
LinkedIn