Nemty

Nemty is ransomware with an unusually complex encryption algorithm. This malware encrypts user files and demands money to unlock them again. It may be connected to other well-known ransomware families, but this is not known for sure.

Type: Ransomware
Origin: ex-USSR territory
First seen: 1 August, 2019
Last seen: 28 September, 2020
Also known as: NEMTY PROJECT
Global rank: 35
Week rank: 25
Month rank: 37
IOCs: 186

Nemty, also known as NEMTY PROJECT, is ransomware: malware that encrypts all files stored on infected machines and only allows them to be restored if the victim pays a certain ransom amount.

Nemty surfaced fairly recently: it was first observed in the wild in August 2019. Due to some similarities in code and behavior, researchers think that Nemty might be related to GandCrab and Sodinokibi, though a direct connection has not been proven. In any case, it is safe to assume that this is a very advanced piece of malware.

Additionally, the malware's code apparently includes an affiliate ID, which may indicate that Nemty is offered as Ransomware as a Service. If this is correct, Nemty has the potential to become very widespread due to its easy availability.

General description of Nemty

Nemty ransomware is actively upgraded by its creators. Several versions of the virus have already been released, and nothing suggests that development will stop anytime soon.

Among other upgrades, the threat actors employed a very strong encryption algorithm; no malware before Nemty has used anything similar. The RSA-8192 used here is 8192-bit encryption, which is considered overkill for use in malware. Although this makes data decryption more difficult, it also brings its own complications: longer encryption and key-generation times, and only 1024 bytes are encrypted at a time.

Despite this, researchers have been able to create decryptors that work with versions 1.4, 1.5 and 1.6 of the malware. This means that victims attacked by the versions mentioned above can restore their information without paying the ransom to the attackers.

Without the decryptors, victims would have to pay the attackers a ransom of about $1000 in Bitcoin. The ransom is paid through a payment portal hosted on the TOR network, and if it is not paid on time, the amount is doubled to $2000.

We don’t know for sure who the people behind Nemty are. The malware has code that checks if the victim is from one of the following countries: Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine.

However, victims from these countries can still be attacked by the ransomware. This is strange, since viruses that check the victim's location usually terminate execution to avoid attracting attention from local law enforcement agencies.

In the case of Nemty, users from all over the world are in danger of being infected.

However, there are other oddities in the code that point to an ex-USSR origin of the virus. The code contains a link to a picture similar to one linked in GandCrab's code, except that this time it carries an overlay of the Russian president's portrait. There are other strange things to be found in the code of this malware: for example, if you dig deep enough you will find a direct message to cybersecurity professionals telling them to, well, "mind their own business" in a less polite form.

More evidence of the ex-USSR origin of the malware creators is that the payment page is in Russian. The creators may in fact be Russian, or they may be planting a false lead to mislead researchers.

Malware analysis of Nemty Ransomware

A video recorded in the ANY.RUN malware hunting service lets us look at the execution of this malware in action.

Figure 1: Nemty's ransom note

Figure 2: A customizable text report generated by the ANY.RUN malware analysis service, which allows diving deeper into the details of the Nemty execution process.

Nemty execution process

The execution process of Nemty is relatively typical for this type of malware. After the executable makes its way onto a system and runs, the main malicious activity begins. Like many other ransomware families, Nemty deletes shadow copies. It also stops and kills processes from a hardcoded list. The malware creates a text file with a ransom note in every folder containing encrypted files.

Interestingly, Nemty, like Sodinokibi, creates a registry key in which it stores values such as the public key and the file extension used for encrypted files.

Nemty Distribution

Initially, Nemty was distributed using the RIG and Radio exploit kits. In addition, the malware authors employed spam email campaigns to distribute the virus, primarily in Korea and China, where the bulk of all Nemty infections occur.

However, as newer versions of the malware came out, the threat actors started using new distribution methods, possibly to expand the reach of the malware and infect more victims.

One such method is a fake PayPal website that promises to save money through an unusually high cashback. The website is designed to look identical to the genuine PayPal site and prompts users to download a file called "cashback.exe". Although unsuspecting victims might think they are downloading a PayPal app, they are in fact installing and executing the Nemty ransomware.

In addition, later versions of the malware are delivered using the Trik botnet. Apparently, the authors of Nemty have partnered with the people behind Trik to increase their reach.

How to detect Nemty using ANY.RUN?

To determine whether the sample under review is Nemty, look at the changes it made to the registry. To do so, open "Advanced details of process" for the malicious process and look at the "Registry changes" tab in the "Events" section. If the process created values named "cfg", "pbkey" or "fid" under the key HKEY_CURRENT_USER\Software\NEMTY, you can be sure that the sample is Nemty.

Figure 3: Changes in the registry made by Nemty ransomware
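The same registry check can be applied to exported sandbox or Sysmon registry events rather than read off the UI. The following is an added example, not ANY.RUN's code; it assumes Sysmon-style "value set" events reduced to (process image, target object) pairs, and that HKCU keys may be logged under an HKU\<user SID> prefix as Sysmon does. The sample events are constructed.

```python
"""Detect Nemty's registry markers in Sysmon-style registry 'value set' events.

Added example, not ANY.RUN's code. Assumes each event is reduced to a
(process_image, target_object) pair; the sample events are constructed.
"""
import re

# Key and value names documented in the write-up above.
NEMTY_KEY = r"Software\NEMTY"
NEMTY_VALUES = {"cfg", "pbkey", "fid"}

# HKCU may appear as HKCU\..., HKEY_CURRENT_USER\... or, as Sysmon logs it,
# HKU\<user SID>\...; all three prefixes are accepted (assumption).
_HKCU_RE = re.compile(
    r"^(?:HKCU|HKEY_CURRENT_USER|HKU\\S-1-5-21-[\d-]+)\\(.*)$", re.IGNORECASE)

def parse_target(target):
    """Return (key_path, value_name) for an HKCU target object, else None."""
    match = _HKCU_RE.match(target)
    if match is None:
        return None
    key, _, value = match.group(1).rpartition("\\")
    return key, value

def is_nemty_event(target):
    """True if target is a cfg/pbkey/fid value under HKCU\\Software\\NEMTY."""
    parsed = parse_target(target)
    if parsed is None:
        return False
    key, value = parsed
    return key.lower() == NEMTY_KEY.lower() and value.lower() in NEMTY_VALUES

def find_nemty_processes(events):
    """Return the set of process images that wrote a Nemty marker value."""
    return {image for image, target in events if is_nemty_event(target)}

SAMPLE_EVENTS = [  # constructed for this example, not from a real capture
    ("C:\\Users\\victim\\Downloads\\cashback.exe",
     "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\NEMTY\\pbkey"),
    ("C:\\Users\\victim\\Downloads\\cashback.exe",
     "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\NEMTY\\fid"),
    ("C:\\Windows\\explorer.exe",
     "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"),
    ("C:\\Program Files\\App\\app.exe",
     "HKLM\\Software\\NEMTY\\cfg"),  # wrong hive: not the documented marker
]
```

Running `find_nemty_processes(SAMPLE_EVENTS)` on the constructed events returns only the cashback.exe image; the HKLM write is ignored because the page documents the marker under HKEY_CURRENT_USER only.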

Conclusion

The constant evolution of distribution methods, as well as regular updates, proves that this malware is in active development. First seen in 2019, Nemty is a young threat that already shows the signs of sophisticated malware.

Coupled with the potential use of the Ransomware as a Service business model, which makes this malware available to many threat actors around the globe, these factors demand that the threat not be taken lightly.

One of the primary dangers of this ransomware lies in the delivery techniques chosen by the attackers. While spam mail makes it easy to reach millions of potential victims, heavy use of exploit kits allows attackers to control every step of the infection.

Thus, it is especially important that security researchers can evaluate this ransomware and continue developing countermeasures and decryptors. One tool that can help in this pursuit is the ANY.RUN malware hunting service, which allows studying samples of Nemty in a controlled and safe environment.

IOCs

