About the ransomware
Nemty is a newly discovered ransomware that was first spotted in August 2019 by security researcher Vitali Kremez.
Malvertising campaign
In September 2019, a security researcher who goes by the name ‘Mol69’ spotted a new malvertising campaign that distributed the Nemty ransomware via the RIG exploit kit (EK). The researcher noted that the attackers behind Nemty targeted outdated, vulnerable systems with the RIG exploit kit to deliver the ransomware.
The Nemty ransomware usually appends the ‘.nemty’ extension to encrypted files; however, the new variant observed by Mol69 appends the ‘._NEMTY_Lct5F3C_’ extension instead.
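A small triage helper, added here as an example and not part of the original article, that recognises both Nemty suffixes mentioned above and recovers the pre-encryption filenames so responders can inventory affected files; the sample file listing is constructed.

```python
from pathlib import PurePosixPath
from collections import Counter

# Added example (not from the original article): triage helper that recognises
# files renamed by the two Nemty variants described above. The suffix strings
# come from the article; the sample listing below is constructed.

# Suffixes the article attributes to Nemty: the common '.nemty' and the
# variant seen by Mol69 that appends '._NEMTY_Lct5F3C_'.
NEMTY_SUFFIXES = {
    ".nemty": "nemty (standard)",
    "._NEMTY_Lct5F3C_": "nemty (Mol69 malvertising variant)",
}

def classify_nemty_file(name: str):
    """Return (variant_label, original_name) if `name` carries a Nemty
    suffix, else None. Matching is case-sensitive because the observed
    suffixes are fixed strings; a case-insensitive match would risk
    flagging unrelated files. A bare suffix with no original name is ignored."""
    for suffix, label in NEMTY_SUFFIXES.items():
        if name.endswith(suffix) and len(name) > len(suffix):
            return label, name[: -len(suffix)]
    return None

def inventory(paths):
    """Summarise which of the given path strings look Nemty-encrypted.
    Returns per-variant counts and the original names recovered from the
    suffix, which responders can use to estimate impact."""
    counts = Counter()
    originals = []
    for p in paths:
        hit = classify_nemty_file(PurePosixPath(p).name)
        if hit:
            label, original = hit
            counts[label] += 1
            originals.append(original)
    return {"counts": dict(counts), "originals": originals,
            "total_flagged": sum(counts.values())}

# Constructed sample listing for a stand-alone run.
SAMPLE_LISTING = [
    "/data/report.docx.nemty",
    "/data/photos/holiday.jpg._NEMTY_Lct5F3C_",
    "/data/notes.txt",
    "/data/._NEMTY_Lct5F3C_",   # suffix alone, no original name: ignored
    "/data/archive.zip.nemty",
]

if __name__ == "__main__":
    print(inventory(SAMPLE_LISTING))
```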
Nemty ransomware v1.4
Security researcher Vitali Kremez uncovered a new variant of the Nemty ransomware, version 1.4, that is distributed via a fake PayPal site. The fake site promises to return 3-5% of purchases made through the payment system, but instead urges users to download the malware disguised as 'cashback.exe'.
Nemty gets code update
Security researcher Vitali Kremez observed that certain updates have been made to the Nemty ransomware’s code.
Now, the complete list of blacklisted countries includes Russia, Belarus, Kazakhstan, Tajikistan, Ukraine, Azerbaijan, Armenia, Kyrgyzstan, and Moldova. The ransomware performs an ‘is RU’ check for all the blacklisted countries.
Decryptor released
Researchers from Tesorion have published a decryptor for the Nemty ransomware that allows victims to recover their encrypted files for free. The decryptor currently works only for Nemty versions 1.4 and 1.6, and only for certain file types such as AVI, GIF, and MP4, among others. Decryption keys are generated on the researchers’ servers to prevent the attackers from analyzing the decryptor.
Nemty v1.6
Researchers spotted a new Nemty ransomware variant v1.6 that is distributed via the RIG exploit kit.