First spotted by FortiGuard Labs in mid-August, Nemty is one of the newest ransomware strains in the threat landscape. The actor behind the ransomware has sought to recruit affiliates to use it while pressing ahead with new ways of distributing it. Nemty ransomware was designed to target Windows XP computers, but now includes Windows 7 as well. It was initially seen being distributed via compromised RDP connections and malvertising campaigns, but continues to seek out new means of distribution as its capabilities improve. Because this ransomware targets older software and uses exploit kits (EKs) that target out-of-date browsers and software, it does reduce the potential pool of targets when compared with other ransomware. However, it is important to recognize that many companies, both in the U.S. and particularly internationally, still use old software and operating systems, so this cannot be considered a non-threat. Not only that, but Nemty is undergoing very active development, both in terms of capability and means of delivery.
- Aug 26, 2019 - Nemty delivered via compromised RDP connections
- Sep 3, 2019 - Being delivered by RigEK
- Sep 8, 2019 - Propagated by fake PayPal site
- Sep 9, 2019 - Delivered by Radio EK. This EK targets an Internet Explorer vulnerability patched in 2016.
Execution and Functionality
Whatever the vector, once Nemty has compromised a target, before beginning its encryption routine it will check to see if the infected machine is based in Russia, Ukraine, Belarus, Kazakhstan, or Tajikistan, and if so it will terminate. On initial release, while this check was in the code, it wouldn't spare the target even if it were in one of these five countries. Like most ransomware, Nemty will delete shadow copies so that users can't easily restore their files. The reported ransom demanded is approximately $1000 in Bitcoin and can be paid by visiting the attacker's Tor website.
EKs largely rely on outdated software, so the simplest measure that should be taken is to keep your browser and software up to date. Also, with regard to EKs, disabling Flash Player and not using the IE browser (which Microsoft replaced with the more secure Edge browser) will go a long way toward reducing your company's attack surface. As with all ransomware, keeping backups of your data is important, and where possible those backups should be kept off the network so that they are not compromised in an infection. Another step that can be taken in regard to this threat is to disable RDP connections unless needed, and where they are needed, ensure that the default password is always changed.
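As an added defender-side example (not from the original report and not Nemty's own code): the report states that Nemty deletes shadow copies, and the snippet below runs a small detection over constructed process-creation log lines, flagging the usual Windows shadow-copy and recovery-removal command lines and then raising confidence when one parent process issues several of them. The log format, the sample lines and the specific commands matched are assumptions, not details taken from the page.

```python
import re

# Constructed sample process-creation log lines (not from the page).
# Format assumed here: "timestamp|host|parent_image|command_line".
SAMPLE_LOGS = [
    "2019-09-09T10:01:12Z|ws-17|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe report.txt",
    "2019-09-09T10:02:44Z|ws-17|C:\\Users\\Public\\update.exe|vssadmin.exe delete shadows /all /quiet",
    "2019-09-09T10:02:45Z|ws-17|C:\\Users\\Public\\update.exe|wmic shadowcopy delete",
    "2019-09-09T10:03:01Z|ws-17|C:\\Users\\Public\\update.exe|bcdedit /set {default} recoveryenabled no",
    "2019-09-09T11:15:00Z|srv-bk|C:\\Windows\\System32\\svchost.exe|vssadmin.exe list shadows",
]

# Command lines commonly used to remove shadow copies or disable recovery.
# Assumption: the page only says Nemty deletes shadow copies; these are the
# standard Windows mechanisms for doing so, not commands quoted from the page.
PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_recovery_off": re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}

def parse_line(line):
    """Split one pipe-delimited log line into its four fields."""
    ts, host, parent, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "parent": parent, "cmd": cmd}

def detect_shadow_copy_tampering(lines):
    """Return (rule, host, parent, cmd) for every line matching a pattern.
    Read-only commands such as 'vssadmin list shadows' are not flagged."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        for name, rx in PATTERNS.items():
            if rx.search(ev["cmd"]):
                hits.append((name, ev["host"], ev["parent"], ev["cmd"]))
    return hits

def suspicious_parents(hits, min_rules=2):
    """(host, parent) pairs that triggered at least min_rules distinct rules;
    several different recovery-removal commands from one parent is a much
    stronger ransomware signal than a single admin invocation."""
    by_parent = {}
    for rule, host, parent, _ in hits:
        by_parent.setdefault((host, parent), set()).add(rule)
    return sorted(k for k, rules in by_parent.items() if len(rules) >= min_rules)

if __name__ == "__main__":
    found = detect_shadow_copy_tampering(SAMPLE_LOGS)
    for hit in found:
        print(hit)
    print("high-confidence:", suspicious_parents(found))
```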
Nemty may not be the biggest threat in ransomware at the moment, but the success of Sodinokibi and GandCrab has likely inspired others, and the actor behind Nemty is actively working to make this ransomware more effective and more aggressive, so vigilance is warranted.