• Nemty ransomware’s code has been updated to make it capable of killing processes and services.
  • The update has also extended the list of blacklisted countries.

The threat actors behind Nemty ransomware have made modifications to the existing code but have chosen to retain the version number.

The big picture

Nemty is a relatively new malware and seems to be under active development. Vitali Kremez, a security researcher, noticed that certain updates have been made to the Nemty ransomware’s code.

  • Although the same version number, 1.4, has been retained, the code modifications indicate potentially more powerful attacks by the Nemty ransomware.
  • The latest version includes code modifications to kill processes and services, so that files those processes hold open can be encrypted rather than skipped.
  • The list of blacklisted countries now includes Azerbaijan, Armenia, Kyrgyzstan, and Moldova.

Code modifications

The updated code includes nine targeted processes: WordPad, Microsoft Word, Excel, the Outlook and Thunderbird email clients, SQL, and the VirtualBox software.

  • The inclusion of SQL and VirtualBox may suggest potential corporate targets.
  • Also, the complete list of blacklisted countries includes Russia, Belarus, Kazakhstan, Tajikistan, Ukraine, Azerbaijan, Armenia, Kyrgyzstan, and Moldova.
  • Of these, the last four have been added as a result of this code modification.
  • The ransomware performs an ‘is RU’ check that compares the host against this blacklist. If the check returns true for any country in the list, the encryption process is aborted immediately.
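As an added example (not Nemty's code and not from the researcher cited above), the following Python models the blacklist gate and runs a simple detection over constructed process-termination and service-stop events, flagging an actor that kills several of the listed targets within a short window. The telemetry line format, the executable and service names (the write-up names products, not binaries), the ISO 3166 country codes and the 120-second window are all assumptions for illustration.

```python
"""Added example: model of the country blacklist gate plus detection logic
for mass termination of the targeted processes. Not Nemty's code; the log
format, image/service names, country codes and window are assumptions."""

import re
from datetime import datetime, timedelta

# Executable names assumed for the products named in the write-up.
TARGET_IMAGES = {
    "wordpad.exe", "winword.exe", "excel.exe", "outlook.exe",
    "thunderbird.exe", "sqlservr.exe", "virtualbox.exe",
}
# Service name assumed for SQL Server.
TARGET_SERVICES = {"mssqlserver"}

# ISO 3166-1 alpha-2 codes (assumed) for the nine blacklisted countries.
BLACKLISTED_COUNTRIES = {"RU", "BY", "KZ", "TJ", "UA", "AZ", "AM", "KG", "MD"}


def should_abort_encryption(locale_tag: str) -> bool:
    """Model of the 'is RU' gate: true when the region part of a locale tag
    such as 'ru-RU' or 'kk_KZ' is on the blacklist (tag format assumed)."""
    parts = locale_tag.replace("_", "-").split("-")
    if len(parts) < 2:
        return False
    return parts[-1].upper() in BLACKLISTED_COUNTRIES


# Hypothetical EDR-style telemetry line: <iso-ts> actor="..." action=... target="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+) actor="(?P<actor>[^"]+)" action=(?P<action>\w+) target="(?P<target>[^"]+)"$'
)


def parse_event(line: str):
    """Parse one telemetry line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "actor": m["actor"],
        "action": m["action"],
        "target": m["target"].lower(),
    }


def target_name(ev):
    """Return the normalised name of a hit on a listed process/service, else None."""
    if ev["action"] == "terminate":
        base = ev["target"].rsplit("\\", 1)[-1]
        return base if base in TARGET_IMAGES else None
    if ev["action"] == "stop_service":
        return ev["target"] if ev["target"] in TARGET_SERVICES else None
    return None


def find_mass_termination(lines, window=timedelta(seconds=120), threshold=3):
    """Map actor -> sorted list of distinct targets it killed or stopped, for
    actors hitting at least `threshold` distinct targets inside `window`."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        name = target_name(ev)
        if name is not None:
            hits.setdefault(ev["actor"], []).append((ev["ts"], name))

    flagged = {}
    for actor, events in hits.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):          # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {name for _, name in events[start:end + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= threshold:
            flagged[actor] = sorted(best)
    return flagged


# Constructed sample telemetry: a user closing Word and Task Manager killing
# VirtualBox are benign; update.exe killing five targets in 3 seconds is not.
SAMPLE_LOG = [
    r'2020-02-06T09:14:02Z actor="C:\Windows\explorer.exe" action=terminate target="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
    r'2020-02-06T09:30:10Z actor="C:\Users\bob\AppData\Roaming\update.exe" action=terminate target="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
    r'2020-02-06T09:30:10Z actor="C:\Users\bob\AppData\Roaming\update.exe" action=terminate target="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"',
    r'2020-02-06T09:30:11Z actor="C:\Users\bob\AppData\Roaming\update.exe" action=terminate target="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"',
    r'2020-02-06T09:30:12Z actor="C:\Users\bob\AppData\Roaming\update.exe" action=stop_service target="MSSQLSERVER"',
    r'2020-02-06T09:30:13Z actor="C:\Users\bob\AppData\Roaming\update.exe" action=terminate target="C:\Program Files\Mozilla Thunderbird\thunderbird.exe"',
    r'2020-02-06T11:02:45Z actor="C:\Windows\System32\taskmgr.exe" action=terminate target="C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"',
]

if __name__ == "__main__":
    for tag in ("ru-RU", "en-US", "hy-AM"):
        print(tag, "-> abort" if should_abort_encryption(tag) else "-> encrypt")
    for actor, targets in find_mass_termination(SAMPLE_LOG).items():
        print("FLAGGED", actor, targets)
```

The threshold and window are deliberately loose: a single user closing Word or an admin stopping SQL Server produces one hit, while a pre-encryption sweep produces several distinct targets from one parent within seconds.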

The bottom line

The code modifications and recent Nemty ransomware attacks indicate that the threat actors are hard at work, trying to make this ransomware as powerful as possible.

Cyware Publisher