Nemty is a relatively new ransomware, spotted at the end of the last month, and has seen a few iterations since its appearance.
The very first variant had references to the Russian president and antivirus. More precisely, the code contained a link pointing to a picture of the Russian president with a caption (an insult), and a message for the antivirus industry. It also tries to identify if the victim’s computer is in Russia and a few other countries, but without exempting it from the attack. This variant was used in the first attack wave, which exploited weak Remote Desktop connections.
The second wave of attacks used a new variant and was distributed with the help of the RIG exploit kit. An upgrade if you like, since the attacks occur once a vulnerable software is found and exploited. A payload is later downloaded and executed if the exploit is successful, the payload being the ransomware itself.
The third wave of attack involved phishing PayPal pages, using a slightly different variant, still making use of the RIG exploit kit.
Finally, the last wave of attack we know of uses a completely different exploit kit, named Radio Exploit Kit (or RadioEK) to distribute Nemty. Phishing emails are used to trick the user into opening attachments containing executables masked as various documents, photos, or other multimedia files. Once the attachments are opened, and the exploit is successful, Nemty is downloaded and executed.
Nemty ransomware – test findings
Our test variant is used in the attacks involving RIG exploit kits and phishing websites and emails, campaigns still active at the time of writing this blog post. When executed, it copies itself in several folders and deletes shadow volume copies of files. Then, it modifies the registry, touches some system files, collects different personal data, and finally starts encrypting. The attacked files are renamed, as Nemty appends “_NEMTY_KWB6L0w_” extension to all of them. The encryption process is quite fast, we had to wait just a few minutes for Nemty to encrypt all our test files. Ransom notes are dropped in each folder, containing instructions of how to recover the files. The links are active and working, as you can see in the video. The criminals requested $600 worth of BitCoins from us to get our files back.
Unfortunately, there are no free decryption tools available to recover the encrypted files at this time.
Nemty ransomware vs Ranstop – test results
TEMASOFT Ranstop detects this version of Nemty ransomware soon after it starts encrypting files. Upon detection, alerts are triggered, and the malware process is stopped and quarantined. The modified files are automatically recovered so that the user doesn’t lose any important document.
About TEMASOFT Ranstop
TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.
For more information, follow us on social media and subscribe to our newsletter.