• Nemty encrypts files with specific extensions and appends the .nemty extension to them.
• The attackers host the ransomware's payment portal on the Tor network for anonymity; victims must upload their configuration file to use it.

A new ransomware strain called Nemty was discovered over the weekend. It encrypts only files with specific extensions on the infected device.

How does it operate?

Discovered by security researcher Vitali Kremez, Nemty deletes shadow copies (the system's local backups) so that victims cannot use them to recover their files. Once the malware is installed and executed on a victim's machine, it encrypts files with specific extensions and appends the .nemty extension to them.
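
To give defenders something concrete to check, the following is an added example (not code from the article, from Kremez, or from Nemty itself) of the detection logic a SOC could run over process-creation telemetry to catch the shadow-copy and backup-catalog deletion described above. The article does not say which command Nemty uses, so the rules cover the common ways Windows ransomware does it (vssadmin, wmic, WMI via PowerShell, wbadmin); the sample events are constructed and the field names are an assumption modelled on Sysmon event ID 1.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (fields modelled on Sysmon
# Event ID 1 / EDR telemetry). These are not real logs from an infection.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "vssadmin delete shadows /all /quiet"'},
    {"host": "ws-01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws-02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},            # benign: lists, does not delete
    {"host": "ws-03", "image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": "agent.exe --sync"},                 # benign
    {"host": "ws-04", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"host": "ws-05", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
]

# Each rule is (name, regex over the normalized command line). The patterns
# describe generic ransomware behaviour, not a Nemty-specific signature.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_wmi_shadowcopy_delete",
     re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]


@dataclass
class Hit:
    host: str
    rule: str
    cmdline: str


def normalize(cmdline: str) -> str:
    """Undo cheap obfuscation before matching. cmd.exe strips the '^' escape
    character and paired double quotes, so 'vss^admin "de"lete' executes as
    'vssadmin delete'; runs of whitespace are collapsed to a single space."""
    stripped = cmdline.replace("^", "").replace('"', "")
    return " ".join(stripped.split())


def detect_cmdline(cmdline: str) -> list[str]:
    """Return the names of every rule that matches one command line."""
    text = normalize(cmdline)
    return [name for name, pattern in RULES if pattern.search(text)]


def detect(events) -> list[Hit]:
    """Run all rules over a list of process-creation events, in order."""
    hits = []
    for ev in events:
        for rule in detect_cmdline(ev["cmdline"]):
            hits.append(Hit(ev["host"], rule, ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit.host}: {hit.rule} <- {hit.cmdline}")
```

Run as a script, it prints the four matching events and stays silent on the two benign ones (listing shadow copies and a backup agent). The normalization step matters in practice: a rule that only looks for the literal string `vssadmin delete shadows` is trivially bypassed by caret insertion or quoting, which cmd.exe removes before the program ever runs.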

Nemty does not encrypt files with the extensions .log, .cab, .cmd, .com, .cpl, .exe, .ini, .dll, .lnk, .url, and .ttf, which are mostly executable, system and font files. Strangely enough, the ransomware code also contains a reference to the Russian President.

It is unclear how Nemty is distributed, but Kremez has heard from a reliable source that the operators deploy it via compromised Remote Desktop connections.

Which countries does it check for?

Nemty includes a specific check, ‘isRU’, that identifies computers located in Russia, Belarus, Kazakhstan, Tajikistan, and Ukraine. Once it has determined the location, Nemty sends the computer name, username, operating system, and computer ID to the attackers.

Bleeping Computer reports that the ransomware’s payment portal is hosted on the Tor network for anonymity. Infected users can decrypt some of their files for free by uploading them to the portal.

However, full recovery of the files is only offered in exchange for a ransom of 0.09981 BTC, which equates to roughly $1,000.

Cyware Publisher