The DECRYPT.txt file contains a message stating that files stored on the victim’s computer have been encrypted. According to the message, files are encrypted using the RSA-1024 encryption algorithm, which means they can only be decrypted using a private key that is generated during encryption. This key is supposedly stored on remote servers controlled by cyber criminals. The message states that to restore the files, users must pay a ransom of 0.60358 Bitcoin (at time of research, equivalent to $252.53). The file also provides step-by-step payment instructions.

Research shows, however, that the statement regarding the encryption algorithm is false. In fact, this ransomware uses the XOR algorithm, so the encryption key (embedded in the aforementioned executable, which is downloaded by the Nemucod trojan) and the decryption key are identical. It is therefore possible to use this key to decrypt files without payment. Furthermore, the ransomware does not delete shadow volume copies, so these copies and ‘System Restore’ can be used to restore files affected by this ransomware.
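
The XOR symmetry described above, as an added example (not code from the original article or from the ransomware): the same call encrypts and decrypts, and, going beyond the text, a victim who holds an unencrypted backup of one affected file can recover the key from that pair and use it on the other files. The repeating-key layout, the key bytes and the sample files are constructed assumptions; the page does not describe the real key or which bytes are encrypted.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; one function encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext recovery: original XOR encrypted yields the keystream."""
    return bytes(o ^ e for o, e in zip(original, encrypted))


def shortest_period(stream: bytes) -> bytes:
    """Return the shortest prefix that, repeated, reproduces the keystream."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return stream[:p]
    return stream


# Constructed stand-ins (assumptions, not values from the ransomware).
KEY = b"\x13\x37\xc0\xde\x42"
BACKUP_COPY = b"%PDF-1.4 constructed sample body, long enough to span the key"
OTHER_FILE = b"Quarterly report: constructed text with no backup available."


def demo():
    # Simulate two affected files encrypted with the same embedded key.
    enc_backup = xor_bytes(BACKUP_COPY, KEY)
    enc_other = xor_bytes(OTHER_FILE, KEY)
    # Recover the key from the one file that also exists as a clean backup.
    key = shortest_period(recover_keystream(BACKUP_COPY, enc_backup))
    # Decrypt the file that has no backup with the recovered key.
    return key, xor_bytes(enc_other, key)


if __name__ == "__main__":
    key, plain = demo()
    print("recovered key:", key.hex())
    print("decrypted:", plain.decode())
```

Key recovery only covers as many bytes as the known pair provides, so the clean copy must be at least as long as the key.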