3 Responses to Nemucod Ransomware Analysis

  1. Hi Jesse,
    Thanks for your article
    But why did Webroot let any exe files be written in the user profile without telling anything?
    Is it for the pleasure of blocking it?
    100% of the infections are created by executable files writing into the user profile.
    When you open an email attachment, the created file in %temp% definitely can't be an executable file!!!!

  2. Hi Jean,

    Many good programs belong in %userprofile%, and infections do not have a set location; they can install into whichever directory they like.

    The files created by this ransomware are placed into %temp%, as are most good, legitimate programs.


  3. Oh dear, I stumbled upon a .zip containing one of these viruses. Apparently it tried (and failed, since I didn't run it!) to disguise itself as a fake Chrome update.

