win.nemty

Nemty


Nemty is a ransomware that was discovered in September 2019. Fortinet states that they found it being distributed in similar ways to Sodinokibi and also noted artifacts they had seen before in Gandcrab.

References
2020-07-29 | ESET Research | welivesecurity
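@comment{Quarterly vendor threat report (PDF). The corporate author is double-braced so BibTeX keeps it as one indivisible name; the title is braced only where case must survive style recasing.}
@techreport{welivesecurity:20200729:threat:496355c,
  author      = {{welivesecurity}},
  title       = {Threat Report {Q2} 2020},
  institution = {ESET Research},
  date        = {2020-07-29},
  url         = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
  urldate     = {2020-07-30},
  language    = {English},
}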
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-05-04 | SentinelOne | Jim Walter
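@comment{Vendor blog post on the Nefilim/Nephilim successor of Nemty (per its title). Author in "Last, First" form; acronym and family names braced individually instead of double-bracing the whole title.}
@online{walter:20200504:meet:7943fa2,
  author       = {Walter, Jim},
  title        = {Meet {NEMTY} Successor, {Nefilim/Nephilim} Ransomware},
  organization = {SentinelOne},
  date         = {2020-05-04},
  url          = {https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/},
  urldate      = {2020-06-22},
  language     = {English},
}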
Nefilim Ransomware Nemty
2020-04-02 | McAfee | Alexandre Mundo, Marc Rivero López
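@comment{Vendor analysis post. The second author's Spanish-style two-part surname (Rivero López) needs the "Last, First" form, otherwise BibTeX would take only "López" as the surname; the en dash is written as "--" for portability.}
@online{mundo:20200402:nemty:96afa32,
  author       = {Mundo, Alexandre and Rivero López, Marc},
  title        = {{Nemty} Ransomware -- Learning by Doing},
  organization = {McAfee},
  date         = {2020-04-02},
  url          = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/},
  urldate      = {2020-04-08},
  language     = {English},
}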
Nemty
2020-03-24 | Bleeping Computer | Lawrence Abrams
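@comment{News article on ransomware data-leak sites. Author in "Last, First" form; the title contains no proper nouns or acronyms, so it needs no protective braces.}
@online{abrams:20200324:three:fb92d03,
  author       = {Abrams, Lawrence},
  title        = {Three More Ransomware Families Create Sites to Leak Stolen Data},
  organization = {Bleeping Computer},
  date         = {2020-03-24},
  url          = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/},
  urldate      = {2020-03-26},
  language     = {English},
}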
Clop DoppelPaymer Maze Nefilim Ransomware Nemty REvil
2020-02-18 | Lastline | Jason Zhang, Stefano Ortolani
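@comment{Vendor blog post on Nemty mail campaigns. Authors in "Last, First" form; the family name, the headline's "UP" and the APAC acronym are braced individually so they survive style recasing.}
@online{zhang:20200218:nemty:8d6340a,
  author       = {Zhang, Jason and Ortolani, Stefano},
  title        = {{Nemty} Ransomware Scaling {UP}: {APAC} Mailboxes Swarmed by Dual Downloaders},
  organization = {Lastline},
  date         = {2020-02-18},
  url          = {https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/},
  urldate      = {2020-02-23},
  language     = {English},
}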
Nemty Phorpiex
2020-01-10 | Github (albertzsigovits) | Albert Zsigovits
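@comment{Researcher's public malware notes hosted on GitHub. Author in "Last, First" form; only the family name is braced in the title.}
@online{zsigovits:20200110:nemty:7575d77,
  author       = {Zsigovits, Albert},
  title        = {{Nemty} ransomware},
  organization = {Github (albertzsigovits)},
  date         = {2020-01-10},
  url          = {https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md},
  urldate      = {2020-01-14},
  language     = {English},
}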
Nemty
2019-11-04 | Symantec | Nguyen Hoang Giang, Eduardo Altares, Muhammad Hasib Latif
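@comment{Vendor blog post on Nemty distribution via the Trik botnet. The first author is kept in "First Last" form because the family/given split of the Vietnamese name is not established by the page (its key uses "giang") -- confirm before forcing a comma form; the other authors use "Last, First".}
@online{giang:20191104:nemty:6f237c6,
  author       = {Nguyen Hoang Giang and Altares, Eduardo and Latif, Muhammad Hasib},
  title        = {{Nemty} Ransomware Expands Its Reach, Also Delivered by {Trik} Botnet},
  organization = {Symantec},
  date         = {2019-11-04},
  url          = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet},
  urldate      = {2020-06-02},
  language     = {English},
}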
Nemty Phorpiex
2019-10-10 | Bleeping Computer | Lawrence Abrams
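@comment{News article on the public Nemty decryptor. Author in "Last, First" form; only the family name is braced in the title.}
@online{abrams:20191010:nemty:319e3b7,
  author       = {Abrams, Lawrence},
  title        = {{Nemty} Ransomware Decryptor Released, Recover Files for Free},
  organization = {Bleeping Computer},
  date         = {2019-10-10},
  url          = {https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/},
  urldate      = {2020-01-09},
  language     = {English},
}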
Nemty
2019-10-10 | Tesorion | Frank van den Hurk
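@comment{Vendor post announcing decryptors for Nemty 1.5 and 1.6. The "van den" particle is kept lowercase in "von Last, First" form so BibTeX parses it as the von part, matching the key "hurk".}
@online{hurk:20191010:nemty:3be8553,
  author       = {van den Hurk, Frank},
  title        = {{Nemty} update: decryptors for {Nemty} 1.5 and 1.6},
  organization = {Tesorion},
  date         = {2019-10-10},
  url          = {https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/},
  urldate      = {2019-10-23},
  language     = {English},
}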
Nemty
2019-09-17 | Fortinet | Joie Salvio
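@comment{Vendor analysis of Nemty 1.0 (the source the page summary cites for distribution and Gandcrab artifacts). Author in "Last, First" form; only the family name is braced in the title.}
@online{salvio:20190917:nemty:761b43e,
  author       = {Salvio, Joie},
  title        = {{Nemty} Ransomware 1.0: A Threat in its Early Stage},
  organization = {Fortinet},
  date         = {2019-09-17},
  url          = {https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html},
  urldate      = {2020-01-13},
  language     = {English},
}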
Nemty
2019-09-08 | Bleeping Computer | Ionut Ilascu
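@comment{News article on a phishing site delivering Nemty. Author in "Last, First" form; the brand and family names are braced individually.}
@online{ilascu:20190908:fake:3f0addd,
  author       = {Ilascu, Ionut},
  title        = {Fake {PayPal} Site Spreads {Nemty} Ransomware},
  organization = {Bleeping Computer},
  date         = {2019-09-08},
  url          = {https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/},
  urldate      = {2020-01-13},
  language     = {English},
}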
Nemty
2019-09-03 | Bleeping Computer | Ionut Ilascu
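@comment{News article on Nemty distribution via an exploit kit. Author in "Last, First" form; the family name and the RIG acronym are braced individually.}
@online{ilascu:20190903:nemty:459166a,
  author       = {Ilascu, Ionut},
  title        = {{Nemty} Ransomware Gets Distribution from {RIG} Exploit Kit},
  organization = {Bleeping Computer},
  date         = {2019-09-03},
  url          = {https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/},
  urldate      = {2020-01-08},
  language     = {English},
}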
Nemty
2019-08-26 | Bleeping Computer | Ionut Ilascu
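@comment{Earliest news coverage of Nemty on this page. Author in "Last, First" form; the family name and the RDP acronym are braced individually.}
@online{ilascu:20190826:new:20f0561,
  author       = {Ilascu, Ionut},
  title        = {New {Nemty} Ransomware May Spread via Compromised {RDP} Connections},
  organization = {Bleeping Computer},
  date         = {2019-08-26},
  url          = {https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/},
  urldate      = {2020-01-07},
  language     = {English},
}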
Nemty
2019-08-24 | Github (k-vitali) | Vitali Kremez
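@comment{Researcher's raw reverse-engineering notes hosted on GitHub (earliest dated reference on this page). Author in "Last, First" form; only the family name is braced in the title.}
@online{kremez:20190824:notes:486e04c,
  author       = {Kremez, Vitali},
  title        = {Notes on {Nemty} Ransomware},
  organization = {Github (k-vitali)},
  date         = {2019-08-24},
  url          = {https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw},
  urldate      = {2020-01-13},
  language     = {English},
}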
Nemty
Yara Rules
[TLP:WHITE] win_nemty_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_nemty_auto {
    // Auto-generated code-sequence signature for the win.nemty family (see meta).
    // Each $sequence_N is a short run of 32-bit x86 opcode bytes lifted from a
    // sample's disassembly. The "??" bytes are wildcards that mask call targets
    // and data references (see tool_config), so the sequences match regardless
    // of where the code was linked or loaded. The annotated disassembly written
    // under each string is documentation only and takes no part in matching.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The "n" and "score" annotations below come from yara-signator;
        // presumably n is the instruction count of the sequence (it matches the
        // number of annotated lines) -- the meaning of score is not given here.
        $sequence_0 = { 53 8db5ecfcffff e8???????? 53 8db5b4fcffff }
            // n = 5, score = 200
            //   53                   | push                ebx
            //   8db5ecfcffff         | lea                 esi, [ebp - 0x314]
            //   e8????????           |                     
            //   53                   | push                ebx
            //   8db5b4fcffff         | lea                 esi, [ebp - 0x34c]

        $sequence_1 = { 53 50 89b5e4d8ffff 889decd8ffff e8???????? 83c40c 8d85e8d8ffff }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   50                   | push                eax
            //   89b5e4d8ffff         | mov                 dword ptr [ebp - 0x271c], esi
            //   889decd8ffff         | mov                 byte ptr [ebp - 0x2714], bl
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d85e8d8ffff         | lea                 eax, [ebp - 0x2718]

        $sequence_2 = { 2b5dfc 6a00 035e10 8bc6 }
            // n = 4, score = 200
            //   2b5dfc               | sub                 ebx, dword ptr [ebp - 4]
            //   6a00                 | push                0
            //   035e10               | add                 ebx, dword ptr [esi + 0x10]
            //   8bc6                 | mov                 eax, esi

        $sequence_3 = { e8???????? 6a01 33ff 8d7508 e8???????? 8b4dfc }
            // n = 6, score = 200
            //   e8????????           |                     
            //   6a01                 | push                1
            //   33ff                 | xor                 edi, edi
            //   8d7508               | lea                 esi, [ebp + 8]
            //   e8????????           |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_4 = { 83c61c 3bd8 72c0 68???????? }
            // n = 4, score = 200
            //   83c61c               | add                 esi, 0x1c
            //   3bd8                 | cmp                 ebx, eax
            //   72c0                 | jb                  0xffffffc2
            //   68????????           |                     

        $sequence_5 = { ff75e8 50 51 e8???????? 83c410 }
            // n = 5, score = 200
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_6 = { 8b7de0 ff33 e8???????? 59 6bf61c 8b45e8 03f0 }
            // n = 7, score = 200
            //   8b7de0               | mov                 edi, dword ptr [ebp - 0x20]
            //   ff33                 | push                dword ptr [ebx]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   6bf61c               | imul                esi, esi, 0x1c
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   03f0                 | add                 esi, eax

        $sequence_7 = { 8d8de0d8ffff 51 8d8decd8ffff 51 }
            // n = 4, score = 200
            //   8d8de0d8ffff         | lea                 ecx, [ebp - 0x2720]
            //   51                   | push                ecx
            //   8d8decd8ffff         | lea                 ecx, [ebp - 0x2714]
            //   51                   | push                ecx

        $sequence_8 = { 8945e4 8b0b 2bc1 99 6a1c }
            // n = 5, score = 200
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   2bc1                 | sub                 eax, ecx
            //   99                   | cdq                 
            //   6a1c                 | push                0x1c

        $sequence_9 = { 8db524fdffff e8???????? 53 8db5ecfcffff e8???????? }
            // n = 5, score = 200
            //   8db524fdffff         | lea                 esi, [ebp - 0x2dc]
            //   e8????????           |                     
            //   53                   | push                ebx
            //   8db5ecfcffff         | lea                 esi, [ebp - 0x314]
            //   e8????????           |                     

    condition:
        // Fires when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 200 KiB (204800 bytes); larger inputs can never
        // match. Per the DISCLAIMER above the sequences come from single
        // documented samples, so weigh that when assigning a confidence level.
        7 of them and filesize < 204800
}