Nemty Ransomware Operators Threaten to Leak Data on Website

• The ransomware operators expect that the victim companies are likely to pay a ransom if it costs them less overall.
• Nemty attacks on network with a builder mode, which helps the actors create executables to target an entire network rather than individual systems.

Nemty ransomware actors have created a blog that will be used to publish stolen data for ransomware victims who refuse to pay the ransom.

Why the blog?

The Nemty group’s plan resembles the tactics started by the Maze and used by Sodinokibi, who also steal files from companies before encrypting them.

• According to the recent information shared with BleepingComputer, the Nemty group may come up soon with a web site to leak stolen data if ransoms are not paid on time.
• If a victim fails to pay the ransom, then the stolen data will be leaked successively until payment has been made or it has all been released.
• According to experts, the theory behind it says that the victim companies are likely to pay a ransom if it costs them less overall.
• The Maze operators do it in a quite similar way. They have created a web site to publish information about their non-paying victims and post open links to the leaked data.

The ransomware operators cum developers have a news feed where they post their plans, bug fixes, and upcoming changes coming to their Ransomware-as-a-Service (RaaS).

The execution plan

Nemty attacks on network with a builder mode, which helps the actors to create executables to target an entire network rather than individual systems.

• The mode, designed for corporations, offer only one key to decrypt all the devices in the network and restricts victim from decrypting individual machines.
• With this functionality in place, developing the RaaS to incorporate data exfiltration and further extortion tactics doesn’t seem like a tedious job.

Closing words

Now, let’s wait and watch if this new extortion method is paying off for the ransomware actors, unless they get busted. However, the trend suggests that we will continue to see more threat actors adopting this new tactic.