Nymaim Ransomware Description
Type: Ransomware
The Nymaim Ransomware family is a typical example of the police-themed lock-screen scam. While there is little to differentiate the Nymaim Ransomware from other ransomware families, this particular ransomware Trojan has attracted the attention of PC security researchers because the Nymaim Ransomware is part of the payload of Darkleech, a high-profile malware campaign that has affected various important targets around the world. If your computer has been infected by the Nymaim Ransomware Trojan, you may not be able to access your operating system or files. To remove the Nymaim Ransomware infection from your computer and regain access to your files and operating system, ESG security researchers advise using an alternate start-up method to reach your security software, since the Trojan blocks the normal desktop. A fully updated anti-malware application should be able to remove a Nymaim Ransomware infection and restore access to the infected computer.
The Modus Operandi of the Nymaim Ransomware
The Nymaim Ransomware uses a known social engineering scam to trick inexperienced computer users into paying a ransom. The Nymaim Ransomware scam has the following steps:
- Initially, the Nymaim Ransomware infection enters a computer with the help of an exploit kit or through known social engineering tactics. The Nymaim Ransomware is closely related to the Darkleech infection which uses the Black Hole Exploit Kit to install the Nymaim Ransomware Trojan on the victim's computer.
- Once the Nymaim Ransomware Trojan is installed, the Nymaim Ransomware blocks all access to the victim's computer, displaying a full screen message upon start-up. This message indicates that the victim's computer was blocked as part of a police action due to the infected computer's involvement in supposed illegal activities. The Nymaim Ransomware message will threaten the victim with years of jail time and thousands of Euros in fines unless the victim pays a supposed police 'fine' through an online payment service. This message will usually be tailored to the infected computer's geographical location, written in the victim's language and claiming to have been sent by a local police agency.
It is important to note that paying the Nymaim Ransomware Trojan's fine will not remove this threat from your computer or restore your access to your files. In fact, the only way to restore your access to your computer is to remove the Nymaim Ransomware Trojan completely with a reliable anti-malware program.
Nymaim Has Evolved Into a Flexible Malware Dropper
Since its initial appearance, Nymaim has been documented in connection with other malware threats. In 2016, for example, it was distributed via spam email campaigns and webinjects together with the Ursnif banking Trojan. In the following years, Nymaim evolved into a sophisticated malware downloader capable of dropping a range of data-stealing, system-profiling or file-locking tools on target machines. In its current incarnation, Nymaim has already taken part in several global campaigns, as well as in attacks targeting particular countries in Europe and North America.
Threat actors typically distribute Nymaim disguised as a regular app or file; for example, spam emails often arrive with the subject line "Job Application", which is intended to trick users into opening the attached file. Because it works as a malware dropper, the presence of Nymaim can cause serious issues on a computer. If it installs a file-encrypting threat, the user's data will be permanently locked and inaccessible. Info-stealing threats, on the other hand, record bank account data, login credentials, browsing history, keystrokes, and other kinds of sensitive data. Such activities put user privacy at risk and can result in financial losses and even identity theft.
Nymaim can also distribute exploit kits that connect the infected computer to a botnet, which leads to the misuse of system resources, usually for stealthy cryptocurrency mining. It goes without saying that the Nymaim malware threat should be removed immediately from the infected computer with the help of a reputable anti-malware solution. Afterwards, all affected PC users are advised to change the passwords for all of their online accounts.
Nymaim is Being Dropped by a New Variant of Emotet
In February 2019, Nymaim Ransomware emerged again in the form of a malware downloader, this time targeting the hospitality sector. Researchers found that a new variant of the well-known Emotet Trojan is distributing the Nymaim malware, which in turn, once installed on a machine, tends to download the Nozelesn ransomware.
Researchers made that discovery by analyzing 580 similar file attachments carrying Emotet that were reported between January 9, 2019, and February 7, 2019. Using Root Cause Chain analysis (RCA), they found suspicious files called "How_Fix_Nozelesn_files.htm" on an infected server.
The analyzed Emotet samples are distributed through malicious Microsoft Word doc attachments which, once opened, run PowerShell.exe on the target system, connect to various corrupted IP addresses, and then create another malicious executable file on the system. Researchers had already detected the link between the Nozelesn ransomware and Nymaim in 2018, when it was found that Nymaim uses a fileless execution technique to load the ransomware into the computer's memory.
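The infection chain described above (a Word attachment that launches PowerShell, which then fetches a further executable, followed by the Nozelesn ransom note appearing on disk) leaves two observable traces that a defender can alert on: an Office application as the parent of a script host, and the creation of a file with the ransom-note name "How_Fix_Nozelesn_files.htm". The following is an added example, not code from the original article or from any vendor; the log records are constructed to resemble Sysmon-style process-creation and file-creation events, and the field names are assumptions:

```python
"""Detection logic for the Emotet -> Nymaim -> Nozelesn chain.

Added example, not part of the original article. The events below are
constructed to resemble Sysmon EventID 1 (process creation) and EventID 11
(file creation) records; the field names are assumptions, not a real schema.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office applications that should not normally spawn a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts commonly launched by macro-laden documents.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Ransom-note file name reported in the article for the Nozelesn payload.
RANSOM_NOTE_NAMES = {"how_fix_nozelesn_files.htm"}


@dataclass
class Event:
    event_id: int              # 1 = process creation, 11 = file creation
    image: str                 # full path of the process that generated the event
    parent_image: str = ""     # parent process path (EventID 1 only)
    command_line: str = ""     # command line (EventID 1 only)
    target_filename: str = ""  # created file path (EventID 11 only)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Event) -> Optional[str]:
    """Return an alert label for a suspicious event, or None if it looks benign."""
    if event.event_id == 1:
        parent = basename(event.parent_image)
        child = basename(event.image)
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            return f"office-spawned-script-host: {parent} -> {child}"
    elif event.event_id == 11:
        if basename(event.target_filename) in RANSOM_NOTE_NAMES:
            return f"nozelesn-ransom-note-created: {event.target_filename}"
    return None


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Run classify() over a list of events; return (index, alert) pairs."""
    alerts = []
    for index, event in enumerate(events):
        label = classify(event)
        if label is not None:
            alerts.append((index, label))
    return alerts


# Constructed sample log: a user opens a document, the document spawns
# PowerShell, and later a ransom note is written to the Documents folder.
SAMPLE_EVENTS = [
    Event(1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          parent_image=r"C:\Windows\explorer.exe"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          command_line="powershell.exe -w hidden -nop -c <constructed placeholder>"),
    Event(1, r"C:\Windows\System32\svchost.exe",
          parent_image=r"C:\Windows\System32\services.exe"),
    Event(11, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target_filename=r"C:\Users\alice\Desktop\report.docx"),
    Event(11, r"C:\Users\alice\AppData\Local\Temp\update.exe",
          target_filename=r"C:\Users\alice\Documents\How_Fix_Nozelesn_files.htm"),
]

if __name__ == "__main__":
    for index, label in scan(SAMPLE_EVENTS):
        print(f"event {index}: {label}")
```

Run as-is, the script flags the WINWORD.EXE to powershell.exe hand-off and the ransom-note creation while ignoring the benign explorer, svchost and report.docx records. The parent/child check is the more valuable of the two, because it fires at the start of the chain, before any downloader or file locker has run; the ransom-note match is a late indicator useful mainly for confirming which payload was delivered.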
Although the Nymaim malware has been around for several years now, it has a unique configuration file format, and many of its aspects and features are still not completely understood by cyber security researchers. That includes who owns the virus and how it is made available to threat actors. Nymaim illustrates a general malware trend toward persistent, non-destructive infections that stay unnoticed on a machine for long periods of time in order to collect information, while at the same time giving attackers the flexibility to download additional malware of their choosing.
File System Details
| # | File Name | MD5 | Detection Count |
|---|-----------|-----|-----------------|