Nemucod Ransomware Removal Guide

Do you know what Nemucod Ransomware is?

Nemucod Ransomware is a new ransomware infection that might sneak onto your computer without permission one day. It has been noticed that this usually happens for those users who do not have a reputable security tool installed on their computers, surf the web on a daily basis, and act rather carelessly, e.g. open spam email attachments, click on all kinds of ads they see, and download software from third-party websites. There is no doubt that you will immediately notice if this ransomware infection sneaks onto your computer. First of all, a bunch of your files will be locked. Secondly, you will see a new file a.txt created. If you are sure that you have become a victim of a ransomware infection, you need to get rid of the threat as soon as possible. Of course, it is not advisable to do that if you are going to pay a ransom it demands. We hope that you are not planning on doing that because there are other ways to unlock files and gain access to them again. Continue reading to find out more about that.

Our security experts have thoroughly tested Nemucod Ransomware in the internal lab and found that this infection is targeted at a bunch of important files, including music files and videos. The full list of files is provided below:

.3gp, .ai, .arc, .arj, .asf, .backup, .bak, .bz, .bz2, .bza, .bzip, .bzip2, .class, .djvu, .fb2, .flv, .gzip, .h, .ice, .img, .iso, .java, .jpeg, .m3u, .mid, .midi, .mkv, .mov, .mp3, .ogg, .pl, .pps, .py, .r00, .r01, .r02, .r03, .rm, .sql, .svg, .vob, .wav, and .wma.

Even though users do not know anything about Nemucod Ransomware and which files it encrypts, they immediately notice when the encryption process is finished because a new filename extension is assigned to each of these files, for example, picture.jpg.crypted and myfavoritesong.mp3.crypted. Of course, users also notice that it is impossible for them to open their files.Nemucod Ransomware Removal GuideNemucod Ransomware screenshot
Scroll down for full removal instructions

Ransomware infections lock all the files not without a reason. Specialists say that they do that in order to get money from users. In order to make sure that users know that they need to pay a ransom, the ransomware infection creates the .txt file with instructions. It will be put on the Desktop. Users find a simple text in this file informing users that their files have been encrypted with the “strong RSA-1024 algorithm with a unique key.” In addition, they are instructed to pay a ransom of 0.52985 BTC. At the time of writing, this ransom equals $235.45. In order to make sure that users pay a ransom and do not think much, Nemucod Ransomware gives only 3 days to do that: “If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.” We understand that your files are very important for you; however, we still do not think that it is the best idea to pay a ransom because it is very likely that nothing will change after you make a payment. Do not worry; it is possible to decrypt files free of charge. We are sure that you will manage to find the decryption tool yourself using Google. In addition, you can easily recover files from a backup you have.

Nemucod Ransomware is not a very unique threat; however, it has been observed that it downloads and installs the Trojan Kovter (Poweliks) alongside unlike other ransomware infections. In addition, it connects from time to time to several different servers, including,, and Finally, it creates the value in the RUN registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) to be able to start with Windows. Unfortunately, this also means that Nemucod Ransomware will not disappear anywhere if you reboot your computer, and it might encrypt your new files quickly if you create them.

You should know how ransomware infections are spread in order to be able to ensure the system’s safety in the future. Specialists have found that Nemucod Ransomware usually travels as a .js file in the middle of the archive. This archive is spread via spam emails, so users simply need to download it on their PCs in order to allow ransomware to enter. Of course, ransomware infections might be spread differently too, for instance, they might come together with untrustworthy software, or they might enter systems after users click on bad links or ads. Fortunately, there is a way to protect the system from harm. All you need to do is to acquire and install reputable security software.

It is very hard to get rid of Nemucod Ransomware in a manual way, especially if you are an ordinary computer user. Therefore, we have prepared the manual removal instructions and put them below the article. You can, of course, also use an automatic tool SpyHunter and thus erase this threat automatically. Actually, we suggest using it because it will remove the Trojan infection (Kovter (Poweliks)) Nemucod Ransomware installs alongside as well. In other words, it will make your system perfectly clean.

Delete Nemucod Ransomware

  1. Open the Windows Explorer (Windows key + E).
  2. Enter %TEMP% in the address bar and delete the following files: a0.exe, a2.exe, and a.txt.
  3. Go to %LocalAppData% and remove the Upkfmedia folder.
  4. Launch RUN (Windows key + R).
  5. Enter regedit.exe into the box and click OK.
  6. Move to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  7. Find the Value with a random name, right-click on it, and select Delete.
  8. Find the Upkfmedia Value and delete it.
  9. Empty the Recycle Bin and reboot your PC.
  10. Scan your PC with SpyHunter to remove the Kovter (Poweliks) Trojan.

In non-techie terms:

Unfortunately, ransomware infections are very prevalent these days, which means that you might encounter any of them again if you do not take care of your system’s safety. As we have already mentioned, it is very important to install reputable security software; however, you also need to promise not to visit suspicious websites and download software from them, open spam emails, and click on strange links.