
Nemty is ransomware notable for its unusually heavyweight encryption scheme. It encrypts user files and demands payment to unlock them again. It may be related to other well-known ransomware families, but this has not been confirmed.

Type: Ransomware
Origin: ex-USSR territory
First seen: 1 August 2019
Last seen: 11 April 2024
Also known as: NEMTY PROJECT

How to analyze Nemty with ANY.RUN


IOCs

IP addresses
169.159.105.25

Hashes

Domains
4760.webhop.me
nemty11.hk
buydecrypt.hk
farid19394.xyz
zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion
nemty.hk
megabitcoin.life
marsdefenseandscience.com
mytele.ga
mandevelopm.org
nemty10.hk
workpc.biz

Nemty, also known as NEMTY PROJECT, is ransomware: malware that encrypts the files stored on an infected machine and offers to restore them only after the victim pays a ransom.

Nemty is a relatively recent family, first observed in the wild in August 2019. Because of similarities in code and behaviour, researchers suspect that Nemty is related to GandCrab and Sodinokibi (REvil), although a direct link has not been proved. Either way, it should be treated as a capable, professionally developed threat.

In addition, the malware's code includes what appears to be an affiliate ID, which suggests that Nemty is offered as Ransomware as a Service (RaaS). If so, the low barrier to entry for affiliates could make Nemty very widespread.

General description of Nemty ransomware

Nemty is being actively developed by its creators: several versions have already been released, and nothing suggests that development will stop any time soon.

Among the upgrades, the authors adopted an unusually large asymmetric key. Nemty uses RSA-8192, that is, an 8192-bit modulus, which is far larger than malware normally uses and is overkill for the purpose. Recovering data without the private key is no more feasible with this key than with a conventional RSA-2048 key, but the oversized modulus brings real practical drawbacks: key generation and every RSA operation take longer, and a single RSA-8192 operation can carry at most 1024 bytes (the size of the modulus, less padding), so RSA alone is unsuitable for bulk data.
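As an added illustration (not code from this page or from Nemty), the following Python works out what encrypting data directly with RSA of several modulus sizes would cost in operations and ciphertext size, compared with the hybrid design of wrapping a single symmetric key with RSA. The padding overheads are the standard PKCS#1 v1.5 and OAEP-with-SHA-256 figures; the hybrid assumptions (a 16-byte key, a 16-byte block cipher in CBC mode with PKCS#7 padding and a stored IV) are assumed here for comparison only and are not a description of Nemty's own scheme.

```python
"""Why an 8192-bit RSA key is a poor fit for bulk encryption.

Added example for this page, not Nemty's code. It uses only the arithmetic
of modulus size and padding overhead and generates no keys. The hybrid
figures assume wrapping one 16-byte symmetric key with RSA and encrypting
the data with a 16-byte-block cipher in CBC mode with PKCS#7 padding and a
stored IV; that is an assumption for comparison, not a description of Nemty.
"""

# Bytes of each RSA block consumed by padding (standard values).
PADDING_OVERHEAD = {
    "pkcs1v15": 11,             # 0x00 0x02 || >= 8 random bytes || 0x00
    "oaep-sha256": 2 * 32 + 2,  # 2 * hLen + 2 with hLen = 32 for SHA-256
}


def max_plaintext_per_op(modulus_bits, padding="pkcs1v15"):
    """Largest plaintext one RSA encryption can carry for this modulus."""
    return modulus_bits // 8 - PADDING_OVERHEAD[padding]


def direct_rsa_cost(data_len, modulus_bits, padding="pkcs1v15"):
    """Cost of encrypting data_len bytes with RSA alone, block by block."""
    k = modulus_bits // 8                       # ciphertext size of one block
    per_op = max_plaintext_per_op(modulus_bits, padding)
    ops = -(-data_len // per_op)                # integer ceiling division
    return {"ops": ops, "per_op_bytes": per_op, "ciphertext_bytes": ops * k}


def hybrid_cost(data_len, modulus_bits, block=16):
    """Cost with one RSA-wrapped symmetric key and a block cipher for the data."""
    padded = (data_len // block + 1) * block    # PKCS#7 always adds padding
    wrapped_key = modulus_bits // 8             # one RSA block holds the key
    iv = block                                  # IV stored beside the data
    return {"ops": 1, "ciphertext_bytes": wrapped_key + iv + padded}


def compare(data_len, key_sizes=(2048, 4096, 8192)):
    """Operation counts and ciphertext sizes per modulus, direct vs hybrid."""
    return {
        bits: {"direct": direct_rsa_cost(data_len, bits),
               "hybrid": hybrid_cost(data_len, bits)}
        for bits in key_sizes
    }


if __name__ == "__main__":
    one_mib = 1024 * 1024
    for bits, cost in compare(one_mib).items():
        print(f"RSA-{bits}: direct={cost['direct']}  hybrid={cost['hybrid']}")
```

Running it shows that, even before counting the per-operation cost of an 8192-bit modular exponentiation, RSA alone needs about a thousand operations per MiB and expands the output, whereas the hybrid design needs exactly one RSA operation regardless of file size.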

Despite this, researchers have released decryptors that work with versions 1.4, 1.5 and 1.6 of the malware, for example the Avast Nemty decryption tool. Victims hit by one of those versions can therefore restore their files without paying the attackers. Other versions are not covered: such tools rely on flaws in those specific builds, not on breaking RSA-8192.

Without a decryptor such as the Avast Nemty tool, victims are asked to pay a ransom of roughly $1,000 in Bitcoin through a payment portal hosted on the Tor network. If the deadline passes, the amount doubles to about $2,000.

The identity of the people behind Nemty is unknown. The malware contains code that checks whether the victim is located in one of the following countries: Russia, Belarus, Kazakhstan, Tajikistan or Ukraine.

Unusually, a positive match does not stop the attack: victims in those countries are encrypted anyway. Malware that performs this kind of check normally terminates instead, to avoid drawing the attention of local law enforcement.

In Nemty's case, users all over the world are at risk of infection.

Other oddities in the code nonetheless point to an ex-USSR origin. The code contains a link to a picture similar to one referenced in GandCrab's code, this time with an overlay of the Russian president's portrait. Dig deeper and you will also find a direct message to security researchers telling them, in rather less polite terms, to mind their own business.

Further evidence of an ex-USSR origin is that the payment page is in Russian. The authors may indeed be Russian speakers, or this may be a deliberate false flag intended to mislead researchers.

Malware analysis of Nemty ransomware

A video recorded in the ANY.RUN malware hunting service shows the execution of this malware in action.


Figure 1: Nemty's ransom note


Figure 2: A customizable text report generated by the ANY.RUN malware analysis service, which allows a deeper dive into the details of the Nemty execution process.

Nemty execution process

The execution process of Nemty is fairly typical for ransomware. Once the executable reaches the system and runs, the main malicious activity begins. Like many other ransomware families, Nemty deletes shadow copies, and it stops and kills processes from a hardcoded list. It drops a text file containing the ransom note in every folder that holds encrypted files.

A detail worth noting is that Nemty, like Sodinokibi, creates a registry key in which it stores values such as the public key and the file extension used for encrypted files.

Nemty Distribution

Initially, Nemty was distributed through the RIG and Radio exploit kits. The authors also ran spam email campaigns, primarily targeting Korea and China, which is where the bulk of Nemty infections have occurred.

With newer versions of the malware, the threat actors added new distribution methods, presumably to widen their reach and infect more victims.

One such method is a fake PayPal website promising an unusually high cashback. The site is designed to look identical to the genuine PayPal and prompts users to download a file named “cashback.exe”. Victims who believe they are installing a PayPal app are in fact executing the Nemty ransomware.

Later versions of the malware are also delivered by the Trik botnet; the Nemty authors appear to have partnered with the people behind Trik to extend their reach.

How to detect Nemty using ANY.RUN?

To determine whether the sample under review is Nemty, examine the changes it makes to the registry. Open "Advanced details of process" for the malicious process and look at the "Registry changes" tab in the "Events" section. If the process has created values named "cfg", "pbkey" or "fid" under the key HKEY_CURRENT_USER\Software\NEMTY, the sample is Nemty.
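Putting the execution-process tells described earlier (shadow-copy deletion, a ransom note dropped in every encrypted folder) together with the registry check above, here is an added Python triage helper, example code rather than ANY.RUN's or Nemty's, that scans a list of sandbox events and returns a verdict per the page's rule: any of the cfg/pbkey/fid values under HKEY_CURRENT_USER\Software\NEMTY is decisive, while the generic tells alone only yield "ransomware-like". The event layout, the vssadmin/wmic command-line patterns and the note fan-out threshold are assumptions, and the sample events are constructed, not captured.

```python
"""Behavioural triage for Nemty-style ransomware from sandbox events.

Added example for this page, not ANY.RUN's or Nemty's code. The event
format (a list of dicts with a 'type' of 'process', 'registry' or 'file')
is an assumption standing in for an exported sandbox report; the sample
events at the bottom are constructed, not captured.
"""
import re
from collections import defaultdict

# Decisive indicator from the page: values cfg / pbkey / fid written under
# HKEY_CURRENT_USER\Software\NEMTY (matched case-insensitively by suffix).
NEMTY_KEY_SUFFIX = r"\software\nemty"
NEMTY_VALUES = frozenset({"cfg", "pbkey", "fid"})

# Generic ransomware tells. The command lines are an assumption: the common
# vssadmin and wmic ways of deleting shadow copies, not Nemty-specific.
SHADOW_DELETE = re.compile(
    r"(?:\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b)"
    r"|(?:\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b)",
    re.I,
)
NOTE_FANOUT_THRESHOLD = 3  # assumption: same .txt name in >= 3 directories


def triage(events):
    """Return {'verdict', 'pids', 'indicators'} for a list of sandbox events.

    verdict is 'nemty' when a process wrote a Nemty registry value,
    'ransomware-like' when only generic tells are present, else 'clean'.
    """
    nemty_pids = defaultdict(set)   # pid -> Nemty registry values seen
    shadow_pids = set()             # pids that deleted shadow copies
    note_dirs = defaultdict(set)    # (pid, filename) -> directories written

    for ev in events:
        pid = ev.get("pid")
        kind = ev.get("type")
        if kind == "registry":
            key = ev.get("key", "").lower()
            value = ev.get("value", "").lower()
            if key.endswith(NEMTY_KEY_SUFFIX) and value in NEMTY_VALUES:
                nemty_pids[pid].add(value)
        elif kind == "process":
            if SHADOW_DELETE.search(ev.get("cmdline", "")):
                shadow_pids.add(pid)
        elif kind == "file":
            path = ev.get("path", "").lower()
            if path.endswith(".txt"):
                directory, _, name = path.rpartition("\\")
                note_dirs[(pid, name)].add(directory)

    fanout_pids = {pid for (pid, _), dirs in note_dirs.items()
                   if len(dirs) >= NOTE_FANOUT_THRESHOLD}

    indicators = []
    if nemty_pids:
        indicators.append("nemty_registry_values")
    if shadow_pids:
        indicators.append("shadow_copy_deletion")
    if fanout_pids:
        indicators.append("ransom_note_fanout")

    if nemty_pids:
        verdict = "nemty"
    elif shadow_pids or fanout_pids:
        verdict = "ransomware-like"
    else:
        verdict = "clean"
    pids = sorted(set(nemty_pids) | shadow_pids | fanout_pids)
    return {"verdict": verdict, "pids": pids, "indicators": indicators}


# Constructed sample events shaped like a sandbox export (not a real capture).
NEMTY_KEY = r"HKEY_CURRENT_USER\Software\NEMTY"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2412, "cmdline": r"C:\Users\admin\Desktop\cashback.exe"},
    {"type": "process", "pid": 2412, "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry", "pid": 2412, "key": NEMTY_KEY, "value": "cfg"},
    {"type": "registry", "pid": 2412, "key": NEMTY_KEY, "value": "pbkey"},
    {"type": "registry", "pid": 2412, "key": NEMTY_KEY, "value": "fid"},
    {"type": "file", "pid": 2412, "path": r"C:\Users\admin\Documents\NOTE.txt"},
    {"type": "file", "pid": 2412, "path": r"C:\Users\admin\Pictures\NOTE.txt"},
    {"type": "file", "pid": 2412, "path": r"C:\Users\admin\Desktop\NOTE.txt"},
    {"type": "process", "pid": 900, "cmdline": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The registry values alone carry the verdict, as the page states; the shadow-copy and note fan-out checks are there so that a sample that never reaches the registry write (for instance because it was killed early) is still surfaced as ransomware-like rather than clean.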


Figure 3: Changes in registry made by Nemty ransomware

Conclusion

The constant evolution of distribution methods and the regular updates show that this malware is under active development. First seen in 2019, Nemty is a young threat that already shows the signs of sophisticated malware.

Combined with the probable Ransomware as a Service model, which makes the malware available to many threat actors around the globe, these factors mean this threat should not be taken lightly.

One of the primary dangers of this ransomware lies in the delivery techniques chosen by the attackers. While spam reaches millions of potential victims easily, heavy use of exploit kits lets attackers control every step of the infection.

It is therefore important that security researchers are able to study this ransomware and keep developing countermeasures and decryptors such as the Avast Nemty tool. The ANY.RUN malware hunting service is one more tool for this, allowing samples of Nemty to be studied in a controlled and safe environment.
