
Nemty is ransomware with an unusually complex encryption algorithm. This malware encrypts user files and demands money so that they can be unlocked again. It may be connected to other famous ransomware, but we don’t know for sure.

Type: Ransomware
Origin: ex-USSR territory
First seen: 1 August, 2019
Last seen: 22 September, 2025
Also known as: NEMTY PROJECT

How to analyze Nemty with ANY.RUN


IOCs

IP addresses
169.159.105.25
Hashes
3ae7d44569b2885de360c0e6c3448772f74c1c3ff4ee3f594053a95bfc73850f
d09f4bce2e2b4396f2f0f06b0c18c689131a3266e7592fb0ab935ec3b8a08563
5c59f79a1706bbdb2cd0f0d34baea40cee5f15220599c24dca5a535c1c6654a1
064debda941fb6b1ac7de62e4990f658ded67870f55f48757ab72a772c640995
f3e0b5808c1394c884b4b2c7fa0c0955f7b544959a46b8839b76c8d8e2735413
455681168925ee1c2150eb702ae42b8fc6761c16663116fc1f3e8acee09c81ee
f05326931d80cd0764eaffaeca69add9c88033a210d5b45b6c076ebc4d26adf8
a3cb6814fcdb42517728815c875f2dc169ac7b15f615b971eff209c4e2937527
58cd3bdbaaf68e77974e59da3046c95f03d6c641ac1be2229e4d64e75eab3022
aa647fc681fd8d6d30e3c2cba0806841a997bfe5d93255ead639a42ae8a38648
1ac0c87c3ff27dc6d630cb3f543311fb48edfc88d33470836438b1d388ae9687
affefaf1b5f42ab2d0e81c3f1b1fab9cdb8af95437cd4adf96e0b8030c762100
bff4af2eb55e3b40c05b93c06748015ad6af243c84fc016a0383e90fa424070a
c295b52dcc29deace11ba0bdc48505eaae23cf5d5656cea97cf9884216ab0cb1
613c390d6b3b792d6bf0765e97719ac4278741abcebdd03d9fe394c8a46a841c
cbb016cab1718c610f2bd98e0190bb5a426a2de38ddfccfec86196294e47bca0
a9e866898f343aaab28063977c13dec133ab7dd5c8f155cf90540b71371413ac
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae
c41f14cf5a0c8d407b70cf07f552a5ba26db3b23bfdbfae7b24e7ff8de7ec1a7
f69943bf5f5f8e9f52f7e14ac618334d5f17f30f7b8da8e702391f8127468bc2
Domains
nemty10.hk
nemty2.top
mandevelopm.org
farid19394.xyz
zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion
4760.webhop.me
nemty11.hk
nemty.hk
buydecrypt.hk
marsdefenseandscience.com
mytele.ga
megabitcoin.life
workpc.biz
URLs
http://api.ipify.org/
http://api.db-ip.com/v2/free/181.214.173.100/countryName

Nemty, also known as NEMTY PROJECT, is ransomware: malware that encrypts all files stored on infected machines and only allows them to be restored if the victim pays the demanded ransom.

Nemty surfaced relatively recently: it was first observed in the wild in August 2019. Because of similarities in code and behavior, researchers think Nemty may be related to GandCrab and Sodinokibi, though a direct link has not been proven. In any case, it is safe to treat it as very advanced malware.

Additionally, the malware’s code apparently includes an affiliate ID, which may indicate that Nemty is offered as Ransomware as a Service. If this is correct, Nemty has the potential to become very widespread because of how easily it can be obtained.

General description of Nemty ransomware

Nemty ransomware is being actively upgraded by its creators: several versions have already been released, and nothing suggests that development will stop anytime soon.

Among other upgrades, the threat actors employed a very strong encryption algorithm; no malware before Nemty had used anything similar. The RSA-8192 used here is 8192-bit encryption, which is generally considered overkill for malware. Although this choice makes data decryption harder, it brings its own complications: longer encryption and key generation times, and the algorithm only encrypts 1024 bytes at a time.
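To make the "1024 bytes at a time" limitation concrete, the following added example (written for this page, not code from ANY.RUN or from the malware) shows block-wise textbook RSA over a constructed toy modulus. The block size is derived from the modulus length exactly as it would be for RSA-8192, where the modulus is 1024 bytes long, so a file needs one modular exponentiation per 1024-byte block; the toy key, the sample input and the helper names are all assumptions of this example.

```python
import math

# Constructed toy key material: two well-known Mersenne primes, chosen so the
# modulus is ~92 bits and the arithmetic is instant. A real RSA-8192 modulus
# is 1024 bytes long; the logic below is identical, only n differs.
TOY_P = 2**31 - 1
TOY_Q = 2**61 - 1
PUBLIC_EXPONENT = 65537


def make_keypair(p=TOY_P, q=TOY_Q, e=PUBLIC_EXPONENT):
    """Textbook RSA key pair (no padding; used here to illustrate block sizing only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def block_sizes(n):
    """Return (plaintext_block_bytes, ciphertext_block_bytes) for modulus n.

    Every ciphertext block is as long as the modulus (1024 bytes for RSA-8192).
    A raw plaintext block must be numerically smaller than n, so one byte less
    than the modulus length is the safe upper bound without padding.
    """
    modulus_bytes = (n.bit_length() + 7) // 8
    return modulus_bytes - 1, modulus_bytes


def encrypt_blocks(data, pub):
    """Encrypt data block by block: one modular exponentiation per block."""
    n, e = pub
    in_size, out_size = block_sizes(n)
    blocks = []
    for i in range(0, len(data), in_size):
        m = int.from_bytes(data[i:i + in_size], "big")
        blocks.append(pow(m, e, n).to_bytes(out_size, "big"))
    return b"".join(blocks)


def decrypt_blocks(ciphertext, priv, plaintext_len):
    """Reverse encrypt_blocks; plaintext_len restores the short final block."""
    n, d = priv
    in_size, out_size = block_sizes(n)
    blocks = []
    for j, i in enumerate(range(0, len(ciphertext), out_size)):
        c = int.from_bytes(ciphertext[i:i + out_size], "big")
        remaining = plaintext_len - j * in_size
        blocks.append(pow(c, d, n).to_bytes(min(in_size, remaining), "big"))
    return b"".join(blocks)


def rsa_operations_for(file_size, key_bits=8192):
    """RSA operations needed when a file is encrypted key_bits/8 bytes at a time
    (1024 bytes per operation for RSA-8192, as the page states)."""
    block_bytes = key_bits // 8
    return math.ceil(file_size / block_bytes)


if __name__ == "__main__":
    pub, priv = make_keypair()
    sample = b"constructed sample file contents"  # constructed input
    ct = encrypt_blocks(sample, pub)
    print("block sizes (in, out):", block_sizes(pub[0]))
    print("ciphertext bytes:", len(ct))
    assert decrypt_blocks(ct, priv, len(sample)) == sample
    print("RSA-8192 operations for a 1 MiB file:", rsa_operations_for(1024 * 1024))
```

With the toy key each block costs one exponentiation and every ciphertext block is modulus-sized; scaled to RSA-8192 the same loop explains both the slow encryption the text mentions and the 1024-byte block limit.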

Despite this, researchers have been able to create decryptors that work with versions 1.4, 1.5 and 1.6 of the malware, for example the Avast Nemty decryption tool. Victims attacked by those versions can therefore restore their information without paying the ransom.

Without a decryptor like the Avast Nemty tool, victims would have to pay the attackers a ransom of about $1000 equivalent in Bitcoin. The ransom is paid through a payment portal hosted on the TOR network, and if it is not paid on time, the amount doubles to a $2000 equivalent.

We don’t know for sure who is behind Nemty. The malware’s code checks whether the victim is in one of the following countries: Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine.

However, victims in those countries can still be attacked by the ransomware. This is unusual, since malware that checks the victim’s location typically terminates execution to avoid attention from local law enforcement.

In the case of Nemty, users from all over the world are in danger of being infected.

However, there are other oddities in the code that point to an ex-USSR origin. The code contains a link to a picture similar to one linked in GandCrab’s code, except this time it carries an overlay of the Russian president’s portrait. There are other strange things to be found in the code; for example, if you dig deep enough you will find a direct message to cybersecurity professionals telling them, in less polite terms, to “mind their own business”.

Further evidence of an ex-USSR origin is that the payment page is in Russian. The creators may in fact be Russian, or they may be planting a false lead to mislead researchers.

Malware analysis of Nemty ransomware

A video recorded in the ANY.RUN malware hunting service lets us watch the execution of this malware in action.

Figure 1: Nemty's ransom note

Figure 2: A customizable text report generated by the ANY.RUN malware analysis service, which allows diving deeper into the details of the Nemty execution process.

Nemty execution process

The execution process of Nemty is relatively typical for ransomware. Once the executable reaches the system and runs, the main malicious activity begins. Like many other ransomware families, Nemty deletes shadow copies. It also stops and kills processes from a hardcoded list. The malware drops a text file containing the ransom note in every folder that holds encrypted files.

Interestingly, Nemty, like Sodinokibi, creates a registry key in which it stores values such as the public key and the file extension used for encrypted files.

Nemty Distribution

Initially, Nemty was distributed via the RIG and Radio exploit kits. In addition, the malware authors ran spam email campaigns to distribute the virus, primarily in Korea and China; these two countries account for the bulk of all Nemty infections.

However, with newer versions of the malware, the threat actors began using new distribution methods, possibly to expand the malware’s reach and infect more victims.

One such method is a fake PayPal website that promises to save money through an unusually high cashback. The site is designed to look identical to the genuine PayPal site and prompts users to download a file called “cashback.exe”. Unsuspecting victims may think they are downloading a PayPal app, but in reality they are installing and executing the Nemty ransomware.

In addition, later versions of the malware are delivered via the Trik botnet; apparently the Nemty authors have partnered with the people behind Trik to increase their reach.

How to detect Nemty using ANY.RUN?

To determine whether the sample under review is Nemty, look at the changes it made to the registry. Open "Advanced details of process" for the malicious process and check the "Registry changes" tab in the "Events" section. If the process created values named "cfg", "pbkey" or "fid" under the key HKEY_CURRENT_USER\Software\NEMTY, you can be sure the sample is Nemty.
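The registry check above, together with the shadow-copy deletion described under the execution process, can be automated over a sandbox event export. The following is an added example written for this page, not ANY.RUN's own tooling or its export format: the event schema, process IDs and command lines are constructed, and because the page does not name the command Nemty uses to delete shadow copies, the example assumes the common vssadmin invocation as its sample.

```python
import re

# Registry location and value names the page identifies as the Nemty marker.
NEMTY_KEY = r"HKEY_CURRENT_USER\Software\NEMTY"
NEMTY_VALUE_NAMES = {"cfg", "pbkey", "fid"}

# Assumption: the page says Nemty deletes shadow copies but does not name the
# command, so this pattern covers the usual vssadmin form. Extend it to match
# whatever your own telemetry records.
SHADOW_DELETE_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE
)


def normalise_key(key):
    """Canonicalise a registry path so HKCU\\... and mixed case compare equal."""
    key = key.strip().replace("/", "\\").rstrip("\\")
    if key.upper().startswith("HKCU\\"):
        key = "HKEY_CURRENT_USER\\" + key[5:]
    return key.upper()


def analyse_events(events):
    """Walk sandbox events and report what the Nemty checks found.

    Each event is a dict with 'type' == 'registry_write' (keys 'key', 'value')
    or 'process_start' (key 'cmdline'). This is a constructed schema, not the
    ANY.RUN export format.
    """
    target = normalise_key(NEMTY_KEY)
    marker_values = set()
    shadow_delete = False
    for ev in events:
        if ev.get("type") == "registry_write":
            if normalise_key(ev.get("key", "")) == target:
                name = ev.get("value", "").lower()
                if name in NEMTY_VALUE_NAMES:
                    marker_values.add(name)
        elif ev.get("type") == "process_start":
            if SHADOW_DELETE_RE.search(ev.get("cmdline", "")):
                shadow_delete = True
    return {
        # The page treats any of cfg/pbkey/fid under the NEMTY key as conclusive.
        "is_nemty": bool(marker_values),
        "nemty_values": sorted(marker_values),
        "shadow_copies_deleted": shadow_delete,
    }


# Constructed sample events resembling what a sandbox would record.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 4120, "cmdline": r"C:\Users\user\Desktop\sample.exe"},
    {"type": "process_start", "pid": 4188, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry_write", "pid": 4120, "key": r"HKCU\Software\NEMTY", "value": "fid"},
    {"type": "registry_write", "pid": 4120, "key": r"HKEY_CURRENT_USER\Software\NEMTY", "value": "pbkey"},
    {"type": "registry_write", "pid": 4120, "key": r"HKEY_CURRENT_USER\Software\NEMTY", "value": "cfg"},
]

# Constructed benign activity for comparison.
BENIGN_EVENTS = [
    {"type": "process_start", "pid": 900, "cmdline": r"C:\Windows\notepad.exe"},
    {"type": "registry_write", "pid": 900, "key": r"HKCU\Software\Microsoft\Notepad", "value": "iWindowPosX"},
]

if __name__ == "__main__":
    print(analyse_events(SAMPLE_EVENTS))
    print(analyse_events(BENIGN_EVENTS))
```

The key comparison is case-insensitive and accepts the HKCU alias, because sandbox and EDR exports spell hive names differently; the shadow-copy flag is reported separately since it is common to many ransomware families and is supporting evidence rather than the Nemty-specific marker.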

Figure 3: Changes in registry made by Nemty ransomware

Conclusion

The constant evolution of distribution methods, together with regular updates, shows that this malware is under active development. First seen in 2019, Nemty is a young threat that already shows signs of sophistication.

Coupled with the possible use of a Ransomware as a Service business model, which makes the malware available to many threat actors around the globe, these factors mean this threat should not be taken lightly.

One of the primary dangers of this ransomware lies in the delivery techniques chosen by the attackers. While spam email easily reaches millions of potential victims, heavy use of exploit kits lets attackers control every step of the infection.

Thus, it is especially important that security researchers can evaluate this ransomware and continue developing countermeasures and decryptors, like the Avast Nemty tool. One more tool that can help in this pursuit is the ANY.RUN malware hunting service, which allows studying samples of Nemty in a controlled and safe environment.
