Ransom:Win32/Nemreq
First posted on 30 June 2016.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Nemreq.
Explanation:
Installation
This ransomware drops a copy of itself into the %system% folder.
It modifies the following registry key:
In subkey: HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: system service
With data: %system%\.exe
We have seen it use the following file name:
- setap.exe
- payload.exe
Payload
Encrypts your files
This ransomware searches for files in all folders (except for those with the following extensions) and then encrypts them:
- .1cd
- .7z
- .bz2
- .dbf
- .doc
- .docx
- .jpg
- .ppt
- .rar
- .xls
- .xlsx
- .zip
After the files are encrypted, the ransomware renames each one by appending ".[alphabet]", so the affected file ends up with the suffix id[hex]{8}.[email].{alphabet}. For example:
- file.png is renamed to file.png.idabcd1234.nemreq@nemreq.com.nemreq
- file.bin is renamed to file.bin.idabcd1234.nemreq@nemreq.com.nemreq
Note: We have observed this ransomware use more than one extension.
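A small triage helper, added here as an example and not part of Microsoft's write-up, that recognizes the renaming scheme above (".id" + eight hex digits + contact e-mail + alphabetic extension) and the ransom-note filename in a file listing. The sample paths are constructed, and the regex used for the e-mail portion is an assumption, since the page gives only the shape of the pattern.

```python
import re

# Suffix Nemreq appends, per the pattern id[hex]{8}.[email].{alphabet}:
# ".id" + 8 hex chars + "." + contact e-mail + "." + alphabetic extension.
# The e-mail sub-pattern is an assumption; the page only gives the shape.
NEMREQ_SUFFIX = re.compile(
    r"\.id(?P<id>[0-9a-fA-F]{8})"
    r"\.(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"\.(?P<ext>[A-Za-z]+)$"
)

RANSOM_NOTE = "how to decrypt your data.txt"


def parse_nemreq_name(filename):
    """Return (original_name, victim_id, email, ext) if the name follows the
    Nemreq renaming scheme, else None."""
    m = NEMREQ_SUFFIX.search(filename)
    if not m:
        return None
    original = filename[: m.start()]
    return original, m.group("id").lower(), m.group("email"), m.group("ext")


def triage_listing(paths):
    """Scan a list of Windows file paths (e.g. from a directory walk or an
    EDR file inventory) and summarize Nemreq indicators found in it."""
    encrypted, notes = [], []
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        if name.lower() == RANSOM_NOTE:
            notes.append(p)
            continue
        parsed = parse_nemreq_name(name)
        if parsed:
            encrypted.append((p,) + parsed)
    return {
        "encrypted": encrypted,
        "notes": notes,
        "victim_ids": {e[2] for e in encrypted},
        "contact_emails": {e[3] for e in encrypted},
    }


# Constructed sample listing (not from a real infection): the two renamed
# examples from the page, the ransom note, and untouched files.
SAMPLE_PATHS = [
    r"C:\Users\Alice\Documents\file.png.idabcd1234.nemreq@nemreq.com.nemreq",
    r"C:\Users\Alice\Documents\file.bin.idabcd1234.nemreq@nemreq.com.nemreq",
    r"C:\Users\Alice\Desktop\how to decrypt your data.txt",
    r"C:\Users\Alice\Documents\report.docx",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_PATHS))
```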
However, this ransomware doesn't encrypt files in the following directories:
- :\windows
It creates the following file in the %desktop% folder:
- how to decrypt your data.txt
Then it shows the ransom note (how to decrypt your data.txt) in Internet Explorer.
Connects to a remote host
This ransomware does not require an internet connection to encrypt your files. However, it might attempt to connect to the following server:
- avtomoika234.cc/crs/pass/index.php (down)
Malware can connect to a remote host to do any of the following:
- Download and run files (including updates or other malware)
- Report a new infection to its author
- Receive configuration or other data
- Receive instructions from a malicious hacker
- Search for your PC location
- Upload information taken from your PC
- Validate a digital certificate
Analysis by Carmen Liang
Last update 30 June 2016