Another Ransomware-as-a-Service project is being shut down by its operators
Nemty ransomware, first released in the summer of 2019, is being shut down by its operators. The revelation came to light when security researchers found a post, written in Russian, on an underground hacking forum. The operation of this RaaS-based malware lasted only 10 months, and its shutdown was relatively predictable for multiple reasons.
Nemty operators established the strain in August last year and gave the project a relatively strong launch – it incorporated a never-before-seen RSA-8192 encryption scheme for the file-locking process and used multiple attack vectors, including weakly protected Remote Desktop connections, exploit kits, spam email attachments, and others.
The multiple distribution methods stem from the fact that the malware used the RaaS scheme, in which the developers kept 30% of the profits while the distributors retained 70%. Victims, who ranged from regular computer users to businesses and corporations, were asked for varying sums of money. Over its lifetime, several Nemty ransomware variants were released, some of which are now decryptable.
While this is a small victory for the infosec community and for Nemty's victims, Nemty is not gone forever: it was rebranded as Nefilim[1] and is now actively being distributed worldwide (still avoiding CIS countries).
Nemty's demise was predicted by members of the security community
According to the forum post by the Nemty gang, victims have a week from the announcement to obtain the keys required to unlock files encrypted by the undecryptable ransomware versions. An actor by the name “gigabyte” wrote (translated from Russian):[2]
we leave in private
victims have a week to acquire decryptors, then it will no longer be possible.
in a week you can close the topic, do not merge the master keys
So how did this allegedly successful project go down? As it turns out, it was no surprise to many – the malware suffered several blows during its short operation of 10 months.
One of the major disruptions occurred in October 2019, when Tesorion security researchers found flaws in the encryption scheme and released a decryptor that worked for most versions released at the time.[3] This significantly reduced the interest of distributors, and with it the strain's prevalence and popularity, as actors chose to go with much more established strains.
As a result, Nemty could never establish itself as a major player among other strains and remained somewhere in the middle of the pack despite its initial success. A clear indicator of this was the notorious data leak site that the ransomware developers set up to publish sensitive information stolen from corporations during infections – the developers released data from only one company despite months of operation.
Seeing that Nemty was not working out, the threat actors started to develop a new project in the background, based on Nemty's code. Naturally, dedicating more time to an already weak malware is a waste, and the operators were well aware of that. A similar path was chosen by the GandCrab developers when that strain was rebranded as REvil/Sodinokibi after it started to attract too much attention from the authorities.[4]
Some bad news: Nemty shuts down, Nefilim prevails
With the new Nefilim ransomware, which appeared around mid-March, the developers aim to reach the goals they did not achieve with Nemty. They established a new leak site, involved multiple distributors in the illegal business, and are now actively trying to infect businesses and organizations, giving them merely seven days to pay the ransom before the stolen sensitive information is published.
On the brighter side, those recently affected by Nemty ransomware might be able to recover their data for free, although the operators urge victims to pay the ransom while the malware is still in operation. Previous retirements of ransomware strains suggest otherwise: with GandCrab (whose operators likewise urged victims to pay as fast as possible before the shutdown), security researchers managed to develop free decryption software for victims;[5] in other cases, the servers holding the decryption keys were seized, which also allowed users to regain access to their files for free.
Nonetheless, this is only speculation. The latest versions of the ransomware, such as Nemty Revenge or Nemty Revenue 3.1, are currently not decryptable, nor is the rebranded strain Nefilim.