Nemty Ransomware: Slow and Steady Wins the Race?
September 19, 2019
As we outlined recently, ransomware is a key theme of the NCSC Cyber Trends Report: it’s a pervasive threat that can cost organizations a lot of money.
When it comes to ransomware, much of the recent talk has centered on Ryuk and Sodinokibi. This is understandable; researchers estimate that these have made millions of dollars for the operators. However, this blog focuses on an even more recent variant – Nemty. Most recently, this variant has been reported to have the ability to kill system processes and services. Nemty is still in its infancy, and this is one of many updates to it that have occurred over the last month. Although it does not compare to the likes of Sodinokibi and Ryuk, the authors behind Nemty are slowly and steadily experimenting as the malware develops.
Nemty Ransomware Origins
Like any good malware, Nemty’s name has Egyptian origins, meaning “he who travels”. However, a search in Shadow Search shows it was first mentioned on the Exploit forum on 20 August 2019 by user “jsworm”.
Figure 1: Shadow Search results for “Nemty”, showing results from Exploit[.]in forum posts
If that name rings a bell, it’s because JSWorm is the name of another ransomware variant active earlier this year. A decryptor for JSWorm 2.0 was released in April, although it’s now in its fourth version. What’s clear is that the author is not new to the ransomware space.
Getting the Right Distribution
Getting the right distribution is key for any ransomware variant. We already know that operators have used fake Punycode PayPal sites to distribute Nemty ransomware.
However, this is by no means the only form of distribution: this variant has also made use of compromised Remote Desktop Protocol (RDP) connections. Even with the takedown of XDedic in January 2019, there are dedicated sites for acquiring compromised RDP connections (such as UAS Service). Even aside from these dedicated sites, compromised RDPs are also a commonly traded item across dark web marketplaces. In the figure below, you can see the ransomware’s distribution across various dark web markets.
Figure 2: Overview of the sale of RDPs across four dark web marketplaces
Finally (and most surprisingly for me), there is the continued use of exploit kits to distribute ransomware. It’s already been reported that the RIG exploit kit has been used to distribute Sodinokibi and Nemty. Some researchers have even suggested Nemty authors have experimented with the Radio exploit kit (which exploits CVE-2016-0189, an Internet Explorer vulnerability patched in 2016). The continued use of exploit kits is a reminder that cyber criminals continue exploiting old vulnerabilities. For those interested in more on exploit kits, Malwarebytes did a great job of breaking down the latest variants.
Keeping Up to Date with Ransomware
Nemty is not yet at the level of Ryuk or Sodinokibi, but the steady experimentation with different delivery methods and regular updates may give it the platform to grow in the future.
You can keep updated on ransomware variants in our weekly intelligence summaries, or by accessing our threat intelligence directly via test drive.