SYMBOLCOMMON_NAMEaka. SYNONYMS
win.nemty (Back to overview)

Nemty

Nemty is a ransomware that was discovered in September 2019. Fortinet states that they found it being distributed through similar ways as Sodinokibi and also noted artfifacts they had seen before in Gandcrab.

References
2021-10-18SentinelOneAntonis Terefos
@online{terefos:20211018:karma:04248e2, author = {Antonis Terefos}, title = {{Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree}}, date = {2021-10-18}, organization = {SentinelOne}, url = {https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/}, language = {English}, urldate = {2021-10-24} } Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree
karma Nemty
2021-05-25KasperskyFedor Sinitsyn, Yanis Zinchenko
@online{sinitsyn:20210525:evolution:d76aea7, author = {Fedor Sinitsyn and Yanis Zinchenko}, title = {{Evolution of JSWorm ransomware}}, date = {2021-05-25}, organization = {Kaspersky}, url = {https://securelist.com/evolution-of-jsworm-ransomware/102428/}, language = {English}, urldate = {2021-06-16} } Evolution of JSWorm ransomware
Nefilim Nemty
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-25Medium CSIS TechblogBenoît Ancel
@online{ancel:20210125:nemty:7e56d61, author = {Benoît Ancel}, title = {{The Nemty affiliate model}}, date = {2021-01-25}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b}, language = {English}, urldate = {2021-01-25} } The Nemty affiliate model
Nemty
2021SecureworksSecureWorks
@online{secureworks:2021:threat:b0aa2ab, author = {SecureWorks}, title = {{Threat Profile: GOLD MANSARD}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-mansard}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD MANSARD
Nefilim Nemty GOLD MANSARD
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-05-04SentinelOneJim Walter
@online{walter:20200504:meet:7943fa2, author = {Jim Walter}, title = {{Meet NEMTY Successor, Nefilim/Nephilim Ransomware}}, date = {2020-05-04}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/}, language = {English}, urldate = {2020-06-22} } Meet NEMTY Successor, Nefilim/Nephilim Ransomware
Nefilim Nemty
2020-04-02McAfeeAlexandre Mundo, Marc Rivero López
@online{mundo:20200402:nemty:96afa32, author = {Alexandre Mundo and Marc Rivero López}, title = {{Nemty Ransomware – Learning by Doing}}, date = {2020-04-02}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/}, language = {English}, urldate = {2020-04-08} } Nemty Ransomware – Learning by Doing
Nemty
2020-03-24Bleeping ComputerLawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil
2020-02-18LastlineJason Zhang, Stefano Ortolani
@online{zhang:20200218:nemty:8d6340a, author = {Jason Zhang and Stefano Ortolani}, title = {{Nemty Ransomware Scaling UP: APAC Mailboxes Swarmed by Dual Downloaders}}, date = {2020-02-18}, organization = {Lastline}, url = {https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/}, language = {English}, urldate = {2020-02-23} } Nemty Ransomware Scaling UP: APAC Mailboxes Swarmed by Dual Downloaders
Nemty Phorpiex
2020-01-10Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200110:nemty:7575d77, author = {Albert Zsigovits}, title = {{Nemty ransomware}}, date = {2020-01-10}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md}, language = {English}, urldate = {2020-01-14} } Nemty ransomware
Nemty
2019-11-04SymantecNguyen Hoang Giang, Eduardo Altares, Muhammad Hasib Latif
@online{giang:20191104:nemty:6f237c6, author = {Nguyen Hoang Giang and Eduardo Altares and Muhammad Hasib Latif}, title = {{Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet}}, date = {2019-11-04}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet}, language = {English}, urldate = {2020-06-02} } Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet
Nemty Phorpiex
2019-10-10Bleeping ComputerLawrence Abrams
@online{abrams:20191010:nemty:319e3b7, author = {Lawrence Abrams}, title = {{Nemty Ransomware Decryptor Released, Recover Files for Free}}, date = {2019-10-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/}, language = {English}, urldate = {2020-01-09} } Nemty Ransomware Decryptor Released, Recover Files for Free
Nemty
2019-10-10TesorionFrank van den Hurk
@online{hurk:20191010:nemty:3be8553, author = {Frank van den Hurk}, title = {{Nemty update: decryptors for Nemty 1.5 and 1.6}}, date = {2019-10-10}, organization = {Tesorion}, url = {https://www.tesorion.nl/en/posts/nemty-update-decryptors-for-nemty-1-5-and-1-6/}, language = {English}, urldate = {2021-12-01} } Nemty update: decryptors for Nemty 1.5 and 1.6
Nemty
2019-09-17FortinetJoie Salvio
@online{salvio:20190917:nemty:761b43e, author = {Joie Salvio}, title = {{Nemty Ransomware 1.0: A Threat in its Early Stage}}, date = {2019-09-17}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html}, language = {English}, urldate = {2020-01-13} } Nemty Ransomware 1.0: A Threat in its Early Stage
Nemty
2019-09-08Bleeping ComputerIonut Ilascu
@online{ilascu:20190908:fake:3f0addd, author = {Ionut Ilascu}, title = {{Fake PayPal Site Spreads Nemty Ransomware}}, date = {2019-09-08}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/}, language = {English}, urldate = {2020-01-13} } Fake PayPal Site Spreads Nemty Ransomware
Nemty
2019-09-03Bleeping ComputerIonut Ilascu
@online{ilascu:20190903:nemty:459166a, author = {Ionut Ilascu}, title = {{Nemty Ransomware Gets Distribution from RIG Exploit Kit}}, date = {2019-09-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/}, language = {English}, urldate = {2020-01-08} } Nemty Ransomware Gets Distribution from RIG Exploit Kit
Nemty
2019-08-26Bleeping ComputerIonut Ilascu
@online{ilascu:20190826:new:20f0561, author = {Ionut Ilascu}, title = {{New Nemty Ransomware May Spread via Compromised RDP Connections}}, date = {2019-08-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/}, language = {English}, urldate = {2020-01-07} } New Nemty Ransomware May Spread via Compromised RDP Connections
Nemty
2019-08-24Github (k-vitali)Vitali Kremez
@online{kremez:20190824:notes:486e04c, author = {Vitali Kremez}, title = {{Notes on Nemty Ransomware}}, date = {2019-08-24}, organization = {Github (k-vitali)}, url = {https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw}, language = {English}, urldate = {2020-01-13} } Notes on Nemty Ransomware
Nemty
Yara Rules
[TLP:WHITE] win_nemty_auto (20211008 | Detects win.nemty.)
rule win_nemty_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.nemty."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 8d85f4fdffff 50 8bc6 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   8d85f4fdffff         | lea                 eax, dword ptr [ebp - 0x20c]
            //   50                   | push                eax
            //   8bc6                 | mov                 eax, esi

        $sequence_1 = { 8db544fcffff e8???????? 53 8db50cfcffff }
            // n = 4, score = 300
            //   8db544fcffff         | lea                 esi, dword ptr [ebp - 0x3bc]
            //   e8????????           |                     
            //   53                   | push                ebx
            //   8db50cfcffff         | lea                 esi, dword ptr [ebp - 0x3f4]

        $sequence_2 = { a1???????? 33c5 8945fc 8d85f4fdffff 50 33c0 }
            // n = 6, score = 300
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8d85f4fdffff         | lea                 eax, dword ptr [ebp - 0x20c]
            //   50                   | push                eax
            //   33c0                 | xor                 eax, eax

        $sequence_3 = { 83ec1c 8d4508 8bf4 50 }
            // n = 4, score = 300
            //   83ec1c               | sub                 esp, 0x1c
            //   8d4508               | lea                 eax, dword ptr [ebp + 8]
            //   8bf4                 | mov                 esi, esp
            //   50                   | push                eax

        $sequence_4 = { 83c61c 3bd8 72c0 68???????? }
            // n = 4, score = 300
            //   83c61c               | add                 esi, 0x1c
            //   3bd8                 | cmp                 ebx, eax
            //   72c0                 | jb                  0xffffffc2
            //   68????????           |                     

        $sequence_5 = { 0f8479ffffff ffb5f0fbffff 8b85ecfbffff e8???????? ffb5f0fbffff }
            // n = 5, score = 300
            //   0f8479ffffff         | je                  0xffffff7f
            //   ffb5f0fbffff         | push                dword ptr [ebp - 0x410]
            //   8b85ecfbffff         | mov                 eax, dword ptr [ebp - 0x414]
            //   e8????????           |                     
            //   ffb5f0fbffff         | push                dword ptr [ebp - 0x410]

        $sequence_6 = { 8bc3 e8???????? eb23 ff759c }
            // n = 4, score = 300
            //   8bc3                 | mov                 eax, ebx
            //   e8????????           |                     
            //   eb23                 | jmp                 0x25
            //   ff759c               | push                dword ptr [ebp - 0x64]

        $sequence_7 = { ffb5e8d8ffff ff15???????? 8d85ecd8ffff 50 8bc6 e8???????? 6a01 }
            // n = 7, score = 300
            //   ffb5e8d8ffff         | push                dword ptr [ebp - 0x2718]
            //   ff15????????         |                     
            //   8d85ecd8ffff         | lea                 eax, dword ptr [ebp - 0x2714]
            //   50                   | push                eax
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     
            //   6a01                 | push                1

        $sequence_8 = { 8d5dd8 50 ff75d8 8bc6 e8???????? a1???????? }
            // n = 6, score = 300
            //   8d5dd8               | lea                 ebx, dword ptr [ebp - 0x28]
            //   50                   | push                eax
            //   ff75d8               | push                dword ptr [ebp - 0x28]
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     
            //   a1????????           |                     

        $sequence_9 = { eb15 3b4608 7507 8bce }
            // n = 4, score = 300
            //   eb15                 | jmp                 0x17
            //   3b4608               | cmp                 eax, dword ptr [esi + 8]
            //   7507                 | jne                 9
            //   8bce                 | mov                 ecx, esi

    condition:
        7 of them and filesize < 204800
}
Download all Yara Rules