Ransom.Win32.NEMTY.THIOIAI

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files found in specific folders. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\IXP000.TMP\temp ← encrypted %User Temp%\IXP000.TMP\ironman.exe
• {Encrypted File Directory}\_NEMTY_{7 random characters}_-DECRYPT.txt ← ransom notes
• %User Temp%\IXP000.TMP\iron.bmp
• %User Temp%\iron.txt ← extracted code from image {iron.bmp}

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops and executes the following files:

• %User Temp%\IXP000.TMP\temp.exe
• %User Temp%\IXP000.TMP\ironman.exe ← detected as Trojan.Win32.INJECTOR.MV

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %System%\cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete
• %User Profile%\TorDir\Tor\tor.exe ← TOR Browser
• %System%\cmd.exe /c "{Encrpyted File Directory}\_NEMTY_{7 random characters}_-DECRYPT.txt"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %User Profile%\TorDir ← folder of extracted TOR Browser {%User Profile%\tor.zip}
• %User Temp%\IXP000.TMP

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• hate

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
wextract_cleanup0 = rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%User Temp%\IXP000.TMP\"

Other System Modifications

This Ransomware deletes the following files:

• %User Temp%\IXP000.TMP\temp.exe
• %User Temp%\IXP000.TMP\temp
• %User Profile%\tor.zip
• %User Temp%\IXP000.TMP\iron.bmp
• %User Temp%\iron.tx

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Download Routine

This Ransomware accesses the following websites to download files:

• https://{BLOCKED}t.{BLOCKED}ject.org/torbrowser/{BLOCKED}.5.4/tor-win32-0.4.0.5.zip ← TOR Browser

It saves the files it downloads using the following names:

• %User Profile%\tor.zip

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Ransomware does the following:

• It connects to the following URL(s) to get the affected system's IP address and location:
  • http://api.{BLOCKED}y.org/
  • http://api.{BLOCKED}p.com/v2/free/{Affected system IP}/countryName
    • It terminates itself in the affected system if the return of the IP address location is any of the following:
      • Russia
      • Belarus
      • Kazakhstan
      • Tajikistan
      • Ukraine
• It installs TOR Browser on the affected system.

Ransomware Routine

This Ransomware encrypts files found in the following folders:

• Removable Drive
• Network Drive
• Fixed Drive

It avoids encrypting files with the following strings in their file name:

• nemty
• log
• cab
• cmd
• com
• cpl
• xe
• ini
• dll
• lnk
• url
• ttf
• DECRYPT.txt

It avoids encrypting files with the following strings in their file path:

• rsa
• windows
• $RECYCLE.BIN
• NTDETECT.COM
• ntldr
• MSDOS.SYS
• IO.SYS
• boot.ini
• AUTOEXEC.BAT
• ntuser.dat
• desktop.ini
• CONFIG.SYS
• RECYCLER
• BOOTSECT.BAK
• bootmgr
• programdata
• appdata
• -DECRYPT.txt
• Microsoft
• Common Files

It renames encrypted files using the following names:

• {encrypted file}._NEMTY_{7 random characters}_

It drops the following file(s) as ransom note:

• {Encrypted File Directory}\NEMTY_{7 random characters}_-DECRYPT.txt