• A security researcher spotted a new malvertising campaign that distributes the Nemty ransomware via the RIG exploit kit (EK).
  • After encrypting the files, the Nemty ransomware adds the ‘._NEMTY_Lct5F3C_’ extension to the encrypted files.

What is the issue?

A security researcher who goes under the name ‘Mol69’ spotted a new malvertising campaign that distributes the Nemty ransomware via the RIG exploit kit (EK).

The big picture

The operators of Nemty ransomware are targeting outdated vulnerable systems with exploit kits in order to distribute their ransomware.

The researcher ran the sample in the AnyRun sandbox, which records the whole infection chain and the encryption run. Mol69 noted that the complete process took over 10 minutes to finish.

  • After encrypting the files, the Nemty ransomware adds the ‘._NEMTY_Lct5F3C_’ extension to the encrypted files.
  • The ransomware also drops a ransom note that provides payment instructions to recover the encrypted files.
  • The ransom note also embeds the victim's decryption key in encrypted form; only the attackers hold the key needed to decrypt it, so the note itself does not let the victim recover the files.

“#Malvertising -> #RIGEK -> #NEMTY (#Ransomware)
[Extension]
._NEMTY_Lct5F3C_
Example Payload
https://app[.]any[.]run/tasks/c4c56bb5-0e57-43b7-9...
…,” Mol69 tweeted.

Worth noting

  • Nemty is a newly discovered ransomware that was first spotted in August 2019.
  • The Nemty ransomware usually appends the ‘.nemty’ extension to the encrypted files; the new variant observed by Mol69 instead adds the ‘._NEMTY_Lct5F3C_’ extension.
  • This ransomware demands around $1,000 for decrypting the files.
  • There is no free decryption tool available at the moment. On top of that, the ransomware deletes shadow copies (the system's local backups) so that victims cannot restore their files from them.
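The two extensions above are the quickest triage indicator a responder has: a walk over the file tree that groups hits by Nemty variant tells you how far encryption got before the process was stopped. The following is an added example written for this page, not code from Cyware or from Mol69's analysis. It assumes that the second extension follows a generic `._NEMTY_<id>_` shape (the page shows only the `Lct5F3C` id), and the sample directory tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import Counter

# Extensions seen on Nemty-encrypted files: ".nemty" (earlier samples) and
# "._NEMTY_<id>_" (the variant Mol69 observed uses id Lct5F3C). Treating the
# id as variable is an assumption; the page documents only the one id.
NEMTY_EXT = re.compile(r"(\.nemty|\._NEMTY_([A-Za-z0-9]+)_)$")


def classify(name):
    """Return a variant tag ("nemty" or the campaign id) if the file name
    carries a Nemty extension, otherwise None."""
    m = NEMTY_EXT.search(os.path.basename(name))
    if not m:
        return None
    return "nemty" if m.group(1) == ".nemty" else m.group(2)


def triage(root):
    """Walk root and report how many encrypted files each variant left behind
    and which directories were touched."""
    per_variant = Counter()
    hit_dirs = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            tag = classify(name)
            if tag:
                per_variant[tag] += 1
                hit_dirs.add(os.path.relpath(dirpath, root))
    return per_variant, sorted(hit_dirs)


def build_sample_tree():
    """Constructed sample tree (not real victim data) so the script runs
    stand-alone; returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="nemty_triage_")
    sample_files = [
        "docs/report.docx._NEMTY_Lct5F3C_",
        "docs/notes.txt._NEMTY_Lct5F3C_",
        "old/photo.jpg.nemty",
        "clean/readme.txt",
        "clean/archive.nemty.bak",   # extension not at the end: not a hit
    ]
    for rel in sample_files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00placeholder\x00")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    counts, dirs = triage(root)
    for variant, n in counts.items():
        print(f"{variant}: {n} encrypted file(s)")
    print("affected directories:", dirs)
```

Run against a mounted image of an affected host rather than the live system, and compare the affected-directory list with what the shadow-copy history would have covered before the ransomware removed it.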
Cyware Publisher
