Nemty Ransomware Possibly Spreads Through Exposed Remote Desktop Connections

A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced in the wild. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.

Though ransomware distributed via RDP is nothing new, it is notably a more dangerous distribution method as opposed to phishing techniques. Once a cybercriminal gains access to high privileged systems, they will have unfettered entry to the system to launch attacks without user intervention, as seen in previous SAMSAM ransomware campaigns.

Brute force RDP attacks in 2017 showed how attackers did it to disseminate the Crysis ransomware to SMEs and large organizations in Australia and New Zealand. This threat doesn't just affect businesses; Trend Micro telemetry from 2018 detected over 35 million brute force attempts on home computers and personal devices — 85% of the attempts were via RDP.

Nemty at a glance

Nemty drops a ransom note that informs the victim what to do to recover their encrypted files and deletes shadow copies of the files it encrypts in a system. According to Bleeping Computer’s own tests, Nemty demands a ransom of 0.09981 bitcoin, which amounts to around US$1,000 as of writing.

This ransom amount payment is processed on a payment portal hosted on the Tor network. The actors behind Nemty warns that failing to pay the ransom before a deadline will double the ransom amount.

According to Kremez, the ransomware has a feature that can verify if the victim's computer is in Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine, but users from these countries are not immune to a Nemty attack. Nemty collects the user’s computer name, username, OS, and computer ID, which it sends back to its operators.

Upon further examination of Nemty’s code, Kremez noted some interesting things: Its code contained a link to a picture of the Russian president, an oddly named mutex (“hate”), and a line of code referred to as “f*ckav,” which is apparently a key for decoding base64 strings and creating URLs.

Trend Micro’s Machine Learning-Powered Solutions Against Ransomware

When cybercriminals gain access to an organization’s endpoint through compromised RDP, they can disable antivirus products and deploy ransomware on the systems. This is more dangerous than phishing techniques because the ransomware attack is no longer dependent on a user’s action. Users and organizations need to be knowledgeable of best practices to help lower or eliminate the risks tied to a ransomware attack.

At the endpoint level, Trend Micro™ Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro™ Deep Discovery Inspector™ detects and blocks ransomware on networks, while Trend Micro™ Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud. 

Using a combination of technologies such as deep packet inspection and threat reputation, the TippingPoint also provides organizations with a proactive approach to security, including the tools to combat ransomware. In addition, Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centerscloud environmentsnetworks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Indicator of Compromise

Hash

Trend Micro Predictive Machine Learning Detection

Trend Micro Pattern Detection

703f5f6a5130868a7c3ec06b40b9f37656c86d24                       

 Troj.Win32.TRX.XXPE50FFF031

 Ransom.Win32.NEMTY.A



HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.