
Nemty Ransomware

Malware researchers are struggling to keep up with all the new ransomware threats that keep popping up daily. One of their most recent discoveries on this front is the Nemty Ransomware.

Nemty Ransomware is a file-encrypting threat: after infiltrating the user's computer system, it attempts to encrypt all of the user's data with a strong encryption algorithm, rendering the files unusable. To restore them, the creators of Nemty demand a ransom of around $1000, to be paid in the equivalent amount of bitcoins.

Propagation and Encryption

Cybersecurity specialists have not been able to determine with full certainty which propagation methods are used to spread this file-locking Trojan. Some, however, speculate that the authors of the Nemty Ransomware may have used the most common methods of spreading ransomware threats, namely bogus application updates, fake pirated copies of popular software and mass spam email campaigns. Upon infecting a system, the Nemty Ransomware runs a scan to locate all the files it was programmed to target. Ransomware threats normally target a very long list of file types so that they can cause maximum damage, and the Nemty Ransomware is no different. Once this step is completed, the Nemty Ransomware moves on to the encryption process and locks all the targeted files using an encryption algorithm. Once a file is encrypted, its name is altered: the Nemty Ransomware appends a '.nemty' extension to the filenames of all affected files, so a photo called 'ashy-cat.jpeg' is renamed 'ashy-cat.jpeg.nemty' once the encryption process is through.

Nemty Ransomware Diversifies Its Distribution Channels

When cybersecurity experts first discovered a strain of Nemty Ransomware in the wild, they speculated that instead of being distributed through the more common method of spam emails carrying compromised file attachments, Nemty was spreading through compromised RDP (Remote Desktop Protocol) connections. Leveraging compromised RDP connections gives the attackers complete control over every step of the process, whereas phishing emails rely on the victim taking the bait and activating the malware.

While the use of exploit kits as a vehicle for pushing malware has been on the decline, because they predominantly target vulnerabilities in Internet Explorer and Flash Player, both of which were ubiquitous just a few years ago but are now being phased out, the creators of Nemty Ransomware apparently believe that they still have some potential. As security researcher mol69 found out, Nemty Ransomware was delivered as a payload in a RIG exploit kit malvertising campaign, while another researcher, nao_sec, caught the malware being pushed by the Radio EK, which exploits a JScript and VBScript vulnerability that was patched by Microsoft three years ago.

More recently, Nemty was detected being spread by a fake PayPal website that lures unsuspecting victims with promises of a 3-5% return on purchases made through the platform. The website was designed to appear as genuine as possible by using official PayPal visuals and a technique known as homograph spoofing: using letters that look the same but actually come from different alphabets. Users who fell for the trap and downloaded the aptly named "cashback.exe", expecting an official PayPal app that would save them money, were unknowingly downloading and running Nemty Ransomware.
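A defender-side check for the homograph spoofing technique described above, added here as an illustration (it is not code from the page or from PayPal); the confusables table and the sample hostnames are constructed, and the real lure domain is not reproduced:

```python
import unicodedata

# Small confusables table, assumed here as a subset of Unicode's confusables list:
# Cyrillic letters that render like Latin ones in most fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def script_of(ch: str) -> str:
    """Writing system of a character, taken from the first word of its
    Unicode name (LATIN, CYRILLIC, GREEK ...); digits and '-' are COMMON."""
    if ch in "-0123456789":
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def skeleton(label: str) -> str:
    """Replace known look-alike characters with their Latin counterpart."""
    return "".join(CONFUSABLES.get(c, c) for c in label)


def analyze_hostname(hostname: str, protected_brands=("paypal",)) -> dict:
    """Report the signs of a homograph lookalike in a hostname:
    - the ACE (xn--) form that the resolver actually sees,
    - labels mixing more than one writing system,
    - labels whose skeleton equals a protected brand while the raw text does not."""
    hostname = hostname.lower()
    labels = hostname.split(".")
    ace = hostname.encode("idna").decode("ascii")
    mixed = [l for l in labels
             if len({script_of(c) for c in l} - {"COMMON"}) > 1]
    lookalikes = [l for l in labels
                  if l not in protected_brands and skeleton(l) in protected_brands]
    return {"ace": ace, "has_idn": "xn--" in ace,
            "mixed_script_labels": mixed, "brand_lookalikes": lookalikes}
```

Showing users the ACE form, or blocking downloads from mixed-script labels that skeleton to a protected brand, defeats the visual trick the lure relies on.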

Pictures of Putin, Overkill Encryption and Other Oddities Found in Nemty Code

Digging into the code of Nemty reveals quite a few strange details. One of the more peculiar is a link to a picture that appears to be a variant of the one found in GandCrab Ransomware. In Nemty's case, nearly identical Russian text is overlaid on an image of the country's President, Vladimir Putin. A direct message to the anti-virus community stating "f**kav" was also uncovered. The creators of the ransomware also decided to name the mutex (mutual exclusion) object in the code "hate."

The string of curious decisions doesn't stop there, as Nemty Ransomware's encryption process can only be described as overkill. To encrypt the user's data, the ransomware employs a combination of AES-128 in CBC mode, RSA-2048 and RSA-8192. While AES-128 and RSA-2048 are quite common, the inclusion of RSA-8192 seems extremely inefficient. After all, as detailed in a report by FortiGuard Labs, 2048- and 4096-bit keys already offer sufficient security without the sizable overhead and longer key generation times required by RSA-8192.

Symptoms Of A Nemty Ransomware Attack

Once inside the computer system, Nemty Ransomware checks if the user is located in one of five countries (Russia, Belarus, Kazakhstan, Tajikistan or Ukraine) by querying hxxp://{IP address}/countryName. Curiously, even if the user is indeed from one of these countries, the ransomware still proceeds with the encryption process. All encrypted files receive a ".nemty" extension. To ensure that the normal operation of the computer system is not disrupted, Nemty Ransomware has a list of specific files and folders, in addition to several file extensions, that it excludes from encryption. The excluded files and folders are:

Common Files

The excluded file extensions are nemty, log, LOG, CAB, cab, CMD, cmd, COM, com, cpl, CPL, exe, EXE, ini, INI, dll, DLL, lnk, LNK, url, URL, ttf, TTf, DECRYPT.txt.

Once the encryption process is completed, Nemty Ransomware drops a ransom note with the following text:

---=== NEMTY PROJECT ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension .nemty
By the way, everything is possible to restore, but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

It's just a business. We absolutely do not care about you and your deals, except getting benefits.
If we do not do our work and liabilities - nobody will not cooperate with us.
It's not in our interests.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.
In practise - time is much more valuable than money.

[+] How to get access on website? [+]

1) Download and install TOR browser from this site:
2) Open our website: zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/pay

When you open our website, follow the instructions and you will get your files back.

The configuration file mentioned in the ransom note is used for identifying the victim and as a key for the decryption of the data.

Nemty Ransomware prevents the user from restoring the encrypted files through the default Windows options by deleting the volume shadow copies and disabling Windows recovery. To do so, the malware executes the following commands:

cmd.exe /c vssadmin.exe delete shadows /all /quiet
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
wmic shadowcopy delete
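The five commands above are a loud host-side signal of a Nemty-style attack. The detection logic below is an added example, not code from the page or from FortiGuard; the log format and the sample process-creation events are constructed, with the parent image named after the page's cashback.exe lure:

```python
import re
from collections import defaultdict

# Detection rules for the recovery-inhibition commands listed above (ATT&CK T1490).
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
}

# Constructed sample of process-creation events (an assumed format, not a vendor's):
# epoch_seconds|host|parent_image|command_line
SAMPLE_LOG = """\
1567000010|WS01|C:\\Users\\bob\\cashback.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet
1567000011|WS01|C:\\Users\\bob\\cashback.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
1567000011|WS01|C:\\Users\\bob\\cashback.exe|bcdedit /set {default} recoveryenabled no
1567000012|WS01|C:\\Users\\bob\\cashback.exe|wbadmin delete catalog -quiet
1567000012|WS01|C:\\Users\\bob\\cashback.exe|wmic shadowcopy delete
1567003600|SRV02|C:\\Windows\\System32\\svchost.exe|vssadmin.exe list shadows
"""

def match_events(log_text: str) -> list:
    """Return (timestamp, host, parent, rule) for every event that matches a rule."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        ts, host, parent, cmd = line.split("|", 3)
        for rule, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append((int(ts), host, parent, rule))
    return hits

def score_hosts(log_text: str, window: int = 300) -> dict:
    """Group hits by (host, parent process). A parent that issues two or more
    distinct recovery-inhibition commands within `window` seconds of its first
    one is rated 'likely_ransomware'; a lone hit is only 'suspicious'."""
    by_key = defaultdict(list)
    for ts, host, parent, rule in match_events(log_text):
        by_key[(host, parent)].append((ts, rule))
    verdicts = {}
    for key, events in by_key.items():
        events.sort()
        first_ts = events[0][0]
        rules = {r for ts, r in events if ts - first_ts <= window}
        verdicts[key] = "likely_ransomware" if len(rules) >= 2 else "suspicious"
    return verdicts
```

The benign `vssadmin list shadows` from svchost.exe produces no hit, while the lure process trips four distinct rules within two seconds.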

In the Nemty Ransomware variant analyzed by FortiGuard Labs, the IP address of the attackers' C&C (Command and Control) server was not implemented; instead, the victim's loopback IP address was used.

Nemty Ransomware Is Under Active Development

Since it was detected, Nemty Ransomware has seen the release of several versions containing various updates and bug fixes. The criminals behind the ransomware decided that they didn't want to attack the citizens of the five countries in the checklist, so they modified their malware to stop its execution there. Furthermore, in the newer versions, the list of excluded countries was expanded with the addition of Azerbaijan, Armenia, Kyrgyzstan and Moldova.

For the rest of the world, however, the ransomware was made even more dangerous with the expanded functionality to kill nine processes that may be running during the attack including MS Word, Excel, WordPad, SQL, and the VirtualBox software for running virtual machines.

With Nemty Ransomware under active development, it may start to claim more and more victims, especially if it is being offered as a RaaS (Ransomware as a Service), which the inclusion of what appears to be an affiliate ID in the code may well indicate. The specific addition of SQL and VirtualBox to the list of killed processes could further signal a switch in focus towards corporate targets.

Nemty Operators Publish Stolen Data

In 2019, the tactic of stealing victims' files before encryption became a trend among ransomware operators. This was being done with the intent of punishing the victims who decline to pay the ransom, by publicly sharing their sensitive data.

This stolen data could include personal information, company financials, client data, among many others, escalating what was previously a ransomware attack into a data breach. The tactic was employed by several different ransomware families, including DoppelPaymer, Sodinokibi, and Maze.

In March 2020, security researchers came across a website, apparently made by the Nemty ransomware operators, which contained such stolen victim data. The website provided a link to a 3.5 Gigabyte cache of files that were allegedly lifted from the network of an American footwear company.

Limiting the data leak to just one company was a move that was meant to show other victims of the Nemty ransomware that its operators mean business. Given the most recent developments, it's likely that these 3.5 Gigabytes will not be the last piece of stolen data that the people behind Nemty will publish.

Nemty Evolves Into Nefilim

Security researchers recently noticed the Nefilim ransomware making the rounds on the internet, with further research suggesting that the encrypting malware has been circulating since at least February 2020.

After examination of its code, it was determined that the Nefilim ransomware is likely an upgraded version of Nemty 2.5. More interesting, however, is that the RaaS capabilities have been removed, and the Tor site that was used for payments was dropped in favor of email communication with the victims.

The Nefilim ransomware also relies on more aggressive methods of extortion, such as publishing the data of victims that do not pay up. The ransom note states that stolen victim files will be leaked if the threat actors are not contacted within "seven working days of the breach."

Unfortunately, ID Ransomware's Michael Gillespie's analysis of the threat indicates that the Nefilim ransomware seems to be cryptographically secure, meaning there is currently no way to recover the encrypted files for free. Considering that the Nefilim ransomware is fairly recent and still being researched, it might take a while before any flaws that could lead to a decryption tool are found.

Add to that the limited time the threat actors give their victims to pay the ransom before publishing their private data, and the Nefilim ransomware is a formidable threat to individual users and companies alike.
