Malware spotlight: Nemty
Introduction
If the last five years or so have proven anything, it is that ransomware is here to stay as a threat in the cybersecurity wild. This should not be used as rationale to simply ignore the deluge of new types of malware that are discovered weekly, as the recently discovered malware family Nemty has demonstrated.
While appearing at first like an almost run-of-the-mill malware, Nemty has assimilated some dangerous and destructive techniques and tactics used by previously-seen ransomware to become a formidable information security foe for those unprepared.
Become a certified reverse engineer!
This article will explore Nemty malware from a high-level view. We’ll look at what Nemty is, how it spreads and how it works, as well as useful prevention tips.
What is Nemty?
Nemty is a type of ransomware that was discovered in the cybersecurity wild in mid-August of 2019. At first, it was not too different from other types of ransomware aside from the fact that compromised systems would display a note from “NEMTY PROJECT” — which is still the easiest way for victims to know who is behind their ransomed files.
Over time, Nemty took on characteristics used by other types of ransomware, making it clear that it was a dangerous work in progress that needed to be taken seriously. Just some of these assimilated traits include leveraging the RIG exploit kit and doxing victims of its ransomware campaign. However, this should not distract from the fact that Nemty is truly its own animal: aside from the note mentioned above, Nemty also contains an Easter egg of a photo of the president of the Russian Federation, Vladimir Putin, along with an abusive message for the Nemty victim.
How does Nemty spread?
Nemty spreads through several methods. When it was first discovered, Nemty was spread via phishing emails that contained a malicious URL. This phishing tactic is coupled with a homoglyph deception that obfuscates itself by using non-ASCII characters in the domain name in the malicious URL. This is known as punycode, which is used to represent international domain names. Soon after, Nemty was discovered to use the RIG exploit kit as an attack vector to spread, which has been used by different malware campaigns since its inception in 2014.
This ransomware was soon discovered to be spread through a fake PayPal site. This site used a social engineering trick, using a portable executable file dubbed cashback.exe to begin its attack. Still later, Nemty was observed being spread via exposed remote desktop connections. This may be the most dangerous of all methods because it gives Nemty unfettered access to resources on high-privileged systems.
One of the latest evolutions in its ability to spread is its partnership with the Trik botnet. This botnet has been around in the wild for about 10 years now and has significantly expanded the reach of Nemty. This partnership will pay dividends in the future for the spread of Nemty, as Trik adapts to the latest trends to stay ahead of the information security game.
How does Nemty work?
Once a computer is compromised with Nemty, the ransomware performs several actions. One of the first actions it performs is disabling antivirus security solutions. It then uses this security-disabled environment to infect the system with its ransomware. From the user level, they are presented with the “NEMTY PROJECT” note, possibly the picture of President Putin of Russia and a demand for ransom. As of August of 2019, this demand was set at .09981 bitcoin, which would be about $1000.
Unlike other forms of ransomware, Nemty is configured to attack and encrypt computers in an entire network and not individual machines. Only one key pair is needed to decrypt all PCs in a network, offering a sort of twisted benefit to victims where a large-scale attack can be remedied with just one ransom, as opposed to potentially hundreds or thousands.
As a form of ransomware-as-a-service, Nemty includes a ransomware affiliate panel where news is posted regarding future plans and fixes, as well as updates and changes to Nemty. One of the latest announced changes is that Nemty will soon borrow from the Maze ransomware and will publicly post sensitive information of victims who don’t pay the ransom on a website that Nemty plans to create.
Nemty 1.0 was around for several months and security researchers quickly developed a decryptor that would, supposedly, safely remove the ransomware and most of the files associated with the threat. Users would then have to hunt down any remaining remnants to fully remove it. With the release of Nemty 2.0 and the current version, 2.2, there are no decryptor tools available. However, there are ways you can remove it on your own.
Prevention
The best way to mitigate Nemty is to be conscious of cybersecurity and be mindful of what you click on, secure remote desktop sessions, not fall for fake PayPal social engineering campaigns, and most of all — make backups. These recommendations are second nature for most information security professionals, but Nemty targets corporations and users may not be equipped with the right cybersecurity knowledge and training to spot the threat. This is especially true when the threat comes via an email with a punycode-loaded URL.
To prevent Nemty spread via RIG, ensure that organization devices are patched with all of the latest updates. Exploit kits are notorious for taking advantage of device vulnerabilities, especially those using Flash Player and IE. This can be easily managed by disabling Flash and not using IE. Instead, use a more security-minded browser like Brave.
Conclusion
Nemty is a relatively recent addition to the ever-growing number of malware families. When it was first discovered, this “work in progress” ransomware was not too much different from others in the wild. However, it has since been seen using a diverse range of methods to spread, including RIG exploit kit and the Trik botnet.
Nemty should be taken seriously as it can infect entire corporate networks. Thankfully, it can be prevented fairly easily by following standard information security measures.
Become a certified reverse engineer!
Sources
- Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet, Symantec Threat Intelligence Blog
- Nemty Ransomware to Start Leaking Non-Paying Victim’s Data, Bleeping Computer
- Nemty Ransomware Possibly Spreads Through Exposed Remote Desktop Connections, TrendMicro
- Threat Analysis: Nemty Ransomware and the Fake PayPal Site, Acronis
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Malware spotlight: Nemty
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis