Nemty Ransomware Ceases Public Operations, Focuses on Private Schemes

Threat actors behind Nemty ransomware close down their ransomware-as-a-service (RaaS) operation as they zero in on private schemes, as reported by BleepingComputer.

This was confirmed in a Russian hacker forum post that security researcher Vitali Kremez shared with Bleeping Computer. In the post, “jsworm,” the ransomware’s operator, declared that “we leave in private” (translated from Russian) and that current victims only have one week to acquire decryptors for the last time. The poster also stated that they will not migrate the old master encryption keys from the public operation to the private scheme.

Around two weeks after the post was published, another post from the same user announced that the ransomware has been fully rewritten and was released under the name Nemty Revenue 3.1.

According to Kremez, the switch to a private scheme will allow the Nemty group to recruit more experienced malware distributors. This will also allow these threat actors to focus efforts towards launching more lucrative attacks like network compromises and network-wide deployment.

Nemty ransomware was discovered in 2019 and was found spreading via Remote Desktop Protocol (RDP). Like newer ransomware variants, Nemty posed a double threat — it didn’t just encrypt its victim’s data, it was also capable of stealing user information from the infected device. One of the latest activity involving the ransomware is a spam campaign spotted back in March this year that propagated through love letter emails.

Nefilim, a recently discovered ransomware variant that can move laterally, shared many notable similarities with Nemty version 2.5.

Thwarting ransomware

Nemty ransomware may not be affecting the public as much as it used to, but the threat landscape still has a number of other ransomware families to fill the void. In our Trend Micro Annual Security Roundup, we shared that the ransomware cases we detected climbed from 55 million in 2018 to 61 million in 2019. The number of new ransomware families, including Maze, Snatch, and Zeppelin also increased.

Below are some of the best practices users can do to protect systems from ransomware:

  • Periodically back up files using the 3-2-1 rule. The rule entails creating three backups in two different formats and storing one copy offsite.
  • Regularly patch and update applications, software, and operating systems to address any exploitable vulnerabilities. For zero-day vulnerabilities, take advantage of virtual patching.
  • Activate sandbox analysis. This enables safe monitoring as malicious files can be executed in an isolated environment.

For more robust and proactive defense against ransomware, the following Trend Micro Solutions are recommended:


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.