
_NEMTY_LVMHFKO_-DECRYPT

wfcrr
wfcrr asked
on
High Priority
57 Views
Last Modified: 2019-10-15
What is this? I have several files with names ending with this: _NEMTY_LVMHFKO_-DECRYPT.  Some are .xlsx files, some are .docx files.  Each has the _NEMTY_LVMHFKO_-DECRYPT following the file name.  We can't find the original Excel or Word files, only these files with _NEMTY_LVMHFKO_-DECRYPT tagged onto the end. The file won't open with any program, but if we navigate to it in Excel and open it, Excel will convert it from a text doc to a jumbled up excel doc.

Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
You are infected with ransomware. Turn off that computer and check all other computers that share files with this computer. You can try ransomware tools to remove the infection, but those files are gone. Your only recourse is to restore from backup; you can boot from a recovery disk or installation disk and recover the un-encrypted files.

UPDATE: Actually there is a Nemty decryptor available: https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/

Follow this on https://www.bleepingcomputer.com/forums/t/703069/nemty-ransomware-nemty-project-support-topic/page-6

Author

Commented:
Using Malwarebytes to remove the viruses.  Any way to figure out how this got on the machine?  This is a new-ish employee. All my other staff seem to be well aware of what to watch for in emails. I am thinking that is how her computer got it.
Dr. Klahn, Principal Software Engineer
CERTIFIED EXPERT

Commented:
It would be prudent to declare the system a loss, erase the drive using DBAN or equivalent, and restore it from the last known clean backup per David's comment above.

Once a system has been infected that drive can never be trusted again unless it is completely erased.  Polymorphic viruses are exceedingly clever; they can hide in "unused" areas of a drive and pop up again months later.  In addition to that, there is no telling what else the infection downloaded into the machine for later use.

Attempting to recover files from this system runs the risk of dragging the infection right back into the erased and restored system, which puts you even further back than you are now.

Author

Commented:
How do I check files saved on a Shared drive on the server?
David Johnson, CD, Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Clicking on a link in an email is the primary culprit. Inserting a "found" USB drive from the parking lot is another.

Author

Commented:
I emailed csirt@tesorion.nl for the decryptor.  Wonder how long it takes to get it?  Seems like they have to email a link, it isn't downloadable from their page.

Author

Commented:
Found some encrypted files on our file server.  Seems to have encrypted all files under the employee's user on her machine, but not other users on that machine... and it started encrypting files on the "shared" drive on our server.  That started at 2:19 and stopped at 3:41. I assume it stopped at 3:41 because that was when she asked me to look at strangeness on her machine and we had rebooted it.

So, what should I do now?  I plan to keep her machine isolated.  What to do on the server?  For the moment I have moved all the encrypted files to an area where no other employees can get to them, and, I have all employees not logging on to the server.  I also scanned all other workstations and none have the _NEMTY virus. It was only the one employee machine.
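Scoping the server-side damage described above, as an added example that is not from this thread: a Python script (assuming Python on the admin workstation and a path to the share, mapped or UNC) that counts the files carrying the `_NEMTY_LVMHFKO_-DECRYPT` suffix, reports the time window their timestamps span, which top-level folders were hit, and how many originals are gone. The sample share it builds is constructed for demonstration only.

```python
import os
import tempfile
import time

# Suffix the ransomware appended to each file in the question.
MARKER = "_NEMTY_LVMHFKO_-DECRYPT"


def scan_share(root):
    """Walk a share and summarise files carrying MARKER: hit count, earliest
    and latest modification time (epoch seconds), hits per top-level folder,
    and how many hits no longer have the original (unsuffixed) file beside them."""
    summary = {"count": 0, "first": None, "last": None,
               "by_dir": {}, "originals_missing": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(MARKER):
                continue
            full = os.path.join(dirpath, name)
            mtime = os.path.getmtime(full)
            summary["count"] += 1
            summary["first"] = mtime if summary["first"] is None else min(summary["first"], mtime)
            summary["last"] = mtime if summary["last"] is None else max(summary["last"], mtime)
            top = os.path.relpath(dirpath, root).split(os.sep)[0]
            summary["by_dir"][top] = summary["by_dir"].get(top, 0) + 1
            # Only the suffixed copy remains when the original was overwritten.
            if not os.path.exists(full[:-len(MARKER)]):
                summary["originals_missing"] += 1
    return summary


def build_sample_share():
    """Constructed sample share (not real data): three suffixed files whose
    timestamps span 2:19 pm to 3:41 pm, plus one file the malware never touched."""
    root = tempfile.mkdtemp(prefix="share_")
    start = time.mktime((2019, 10, 14, 14, 19, 0, 0, 0, -1))  # 2:19 pm local
    samples = [
        ("Finance/budget.xlsx" + MARKER, start),
        ("Finance/forecast.docx" + MARKER, start + 30 * 60),
        ("HR/policy.docx" + MARKER, start + 82 * 60),  # 3:41 pm
        ("HR/untouched.txt", start - 3600),
    ]
    for rel, mtime in samples:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"constructed placeholder content")
        os.utime(path, (mtime, mtime))
    return root
```

Run `scan_share(r"\\server\shared")` against the real share; the first/last timestamps bound the window to compare against the file server's audit and logon records, and a hit count per folder tells you which areas need restoring from backup.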
