Nemty is a ransomware variant that searches for and deletes the volume shadow copies of the files it encrypts, in an attempt to prevent the victim from restoring their data without paying the ransom. The ransom note directs the victim to a website, accessible over Tor, that provides instructions for getting their data back. In tests conducted by Bleeping Computer, the ransom demand was approximately $1,000. The threat actors offer a chat function on one of the websites it provides. The malware also includes a check to determine whether the victim device is located in Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine. This check does not prevent the ransomware from running on those devices; instead, it causes the malware to send the device's data to the actor, including the computer name, username, operating system, and computer ID. At the time of writing, Nemty's distribution method is unknown but is suspected to be compromised remote desktop connections.
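The shadow copy deletion described above is the behaviour most worth alerting on, because it happens before or during encryption. The following detector is an added example written for this page; it is not code from the page or from Nemty's authors. The page does not say which mechanism Nemty uses to remove shadow copies, so the command-line patterns below are the generic ones that ransomware families commonly abuse (vssadmin, wmic, wbadmin, bcdedit, Win32_ShadowCopy), not a Nemty-specific signature. The flattened Sysmon Event ID 1 (process creation) log format, the sample log lines and the file paths are all constructed for the example.

```python
"""Flag shadow-copy and recovery-data deletion in process-creation logs.

Added example: generic indicators, not a Nemty-specific signature.
"""
import re
from typing import Dict, List

# Command lines commonly used to destroy Windows recovery data. Assumption:
# the page does not state Nemty's mechanism, so these are generic patterns.
SHADOW_COPY_PATTERNS = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_storage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
    ("powershell_win32_shadowcopy", re.compile(r"Win32_ShadowCopy", re.I)),
]

# A parent process living in a user-writable location (a dropped payload)
# is far more suspicious than an administrator's cmd.exe session.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)

# key=value or key="quoted value" fields, as in a flattened Sysmon record.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log lines (not real telemetry) resembling flattened
# Sysmon Event ID 1 records. Paths and process names are assumptions.
SAMPLE_LOG = """\
EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe
EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt" ParentImage=C:\\Windows\\explorer.exe
EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe
EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe list shadows" ParentImage=C:\\Windows\\System32\\cmd.exe
EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled No" ParentImage=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one flattened record into a field dictionary."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def severity(parent_image: str) -> str:
    """Rate a hit higher when the parent process runs from a user-writable path."""
    return "high" if USER_WRITABLE.search(parent_image) else "medium"


def detect_shadow_copy_deletion(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per process-creation record whose command line matches."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record.get("EventID") != "1":  # only process-creation events
            continue
        command = record.get("CommandLine", "")
        parent = record.get("ParentImage", "")
        for rule, pattern in SHADOW_COPY_PATTERNS:
            if pattern.search(command):
                hits.append({
                    "rule": rule,
                    "severity": severity(parent),
                    "CommandLine": command,
                    "ParentImage": parent,
                })
                break  # one hit per record is enough
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_copy_deletion(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['rule']}: {hit['CommandLine']} (parent: {hit['ParentImage']})")
```

Note that "vssadmin list shadows" is deliberately not matched: listing copies is routine administration, and alerting on it would bury the deletion events. The three matched records all share a parent in a Temp directory, which is the correlation a responder would pivot on to find the encryptor itself.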

Reporting and Technical Details

  • Security researcher Vitali Kremez provides a technical analysis of Nemty in his GitHub post.

  • August 2019: New Nemty Ransomware Taunts Antivirus Solutions, May Use RDP. (Bleeping Computer)