Nemty 1.6 ransomware released. Uses 8192-bit encryption.


The SonicWall Capture Labs Threat Research Team observed reports of a new version of Nemty ransomware being delivered via the RIG exploit kit. Previous versions of Nemty have used a variety of methods to infect users including a phishing techniques using a fake Paypal website. Released in August 2019, Nemty has undergone various changes including using 8192-bit encryption keys to encrypt files.  The proposed cost of decryption is 0.17968 BTC (around $1500 USD at the time of writing).


Infection Cycle:


The trojan uses the following icon:


Upon infection, files on the system are encrypted and “_NEMTY_8MD1JU0_” is appended to each filename.


The following ransom note is displayed on the desktop:


The trojan adds the following file to the system:

  • %USERPROFILE%\AdobeUpdate.exe (copy of original) [Detected as GAV: Nemty.FN_2 (Trojan)]


The trojan adds the following data to the registry to keep track of crypto key information:

  • HKEY_CURRENT_USER\Software\NEMTY cfg “ydtMmiDIWOLCeoUK…..”


It adds a scheduled task so that it starts up after reboot via the following command:


The trojan is packed with TitanCrypt in an attempt to thwart debugging:


The trojan obtains the systems public IP address and geolocation:


The ransom note contains instructions to go to in order to decrypt files.

The link leads to a page with the following dialog:


After uploading the ransom note that contains the “NEMTY DECRYPTION KEY“, you are able to upload a sample file to decrypt:


The following page allows you to download the decrypted file and also chat with the operators via the chat box.  At the time of our analysis no one responded to our questions.


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Nemty.RSM (Trojan)
  • GAV: Nemty.RSM_2 (Trojan)
  • GAV: Nemty.RSM_3 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.