“Love Letter” malspam campaign delivers Nemty ransomware

Beware of the secret admirer – the attached document is ransomware that will lock you out of access to your files

On Wednesday, security researchers from Malwarebytes and X-Force IRIS have uncovered a new malspam campaign that installs Nemty ransomware^[1] payload. Malicious actors once again rely on social engineering in order to make users open the malicious attachments clipped to the mail – they try to make it seem like the message is coming from a secret admirer.

While the body text usually consists of emotes like “;),” the subject always hints at the intimate nature of the email with titles like” “I love you,” “Can’t forget you,” “Letter for you,” “Don’t tell anyone, “or “Will be our secret. The attachment is usually a typical booby-trapped .zip package that executes and installs Nemty ransomware once executed.

Nemty ransomware made its grand entry in August 2019, when its developers announced the affiliate program – ransomware-as-a-service, allowing multiple different parties to take care of malware distribution. Initially, it was delivered via weakly protected Remote desktop connections that use the default TCP/UDP port, while later was noticed being spread via RIG and Radio exploit kits,fake PayPal websites, as well as the Trik Botnet.^[2] Now, malicious actors returned to the primitive, yet effective method – malspam.

Behind the .zip attachment – obfuscated LOVE_YOU.js file 

Some spam emails are compiled in a way that makes just a few users question their legitimacy. This time, threat actors did not go for the regular use of fake invoices, messages from delivery services, or bank statements, and left the body text rather blank, although the wink emoji leaves a lot of room for interpretation. Due to this, Malwarebytes researchers dubbed the campaign “secret lover.”^[3]

The attached zip file usually follows the following pattern when it comes to its name, and the only variable is the digits:

LOVE_YOU_######_2020.zip

Inside this archive, lies a highly obfuscated JavaScript file named LOVE_YOU.js, which initially had a very low detection rate on Virus Total. Nevertheless, the definitions of the AV software is constantly updated, and, at the time of the writing, 23 engines already detect the .JS file as malicious.^[4]

As soon as victims double-click on the LOVE_YOU.js file, i will contact a remote server and download the Nemty ransomware payload, as explained by X-Force IRIS team:

The downloaded executable was identified to be the Nemty ransomware and performs encryption of system files upon execution, leaving behind a ransom note demanding payment in exchange for the decryption key.

Nemty is one of the bigger projects in the underground cybercriminal scene

Love You spam has been used previously numerous times – just a year before a similar campaign targeted Japanese users and included GandCrab ransomware as its main payload.^[5] These love-themed phishing emails are typically observed to show up before and during Valentine’s day period – it seems like Nemty ransomware is a little bit late this year. Nevertheless, the malicious actors expect the campaign to work regardless.

During its existence, Nemty ransomware was upgraded several times, and new versions were released. To ensure a comprehensive data encryption process, malware can also stop Windows processes and services that are related to files that are being currently in use, maximizing damage cause for the victims.

In October last year, Tesorion security experts managed to create a working decryption tool that worked for versions 1.4 and 1.6,^[6] although Nemty 2.0 was released soon after, which is no longer decryptable.

Recently, threat actors behind Nemty announced that they would release a public website that will be used to publish files and information about victims who refuse to pay the ransom (this tactic was already adopted by other big names like DoppelPaymer and Maze).