Rig EK – the latest way used by hackers to spread Nemty Project ransomware
The new ransomware strain that came out at the end of August got into security experts' view again after the threat was noticed spreading via the exploit kit. Although Nemty Project ransomware is relying on exploit kits which are typically misusing vulnerabilities found in IE browser and Flash Player (which are less popular nowadays), the main thing that concerns us is that there are numerous users who are still having these programs on their systems.
It is known that Nemty is using RIG exploit kit in particular which has already been used in various malicious campaigns before and is known as a well known tool used to deliver malware. Once it gets on the targeted system, it launches activities needed to gain people's money. It works like typical ransomware which encrypts files and then requires around $1000 for a ransom.
The recent version of file-encrypting malware – a part of the malvertising campaign
The first reports about the Nemty ransomware revealed that it is a typical virus that encrypts files and delivers a ransom note with information about the possible file recovery. Virus developers started with the .nemty file appendix at first and demanded money in NEMTY-DECRYPT.txt ransom note. However, the new versions of the payload appeared with a different file marker.
The new file extension, called ._NEMTY_Lct5F3C_, was noticed in the recent attack which is using the infamous Rig EK to drop the ransomware payload. Other features remain unchanged since the ransom note, showed after encryption, is still providing payment instructions.
Nemty 1.0 contains a message to the Russian president and antivirus software developers in the code
At first, this file-encrypting ransomware was discovered as a threat that encrypts files and deletes the shadow copies to keep the decryption less possible. Additionally, it leaves victims with a ransom note informing about the decryption key and the only possibility to recover data – paying the ransom.
In most cases, the amount was around 0.09981 BTC, so it goes up to $1000. The particular amount appears on the site hosted on the Tor network when users upload their configuration file left for them by criminals. This is a common method used by ransomware developers to ensure anonymity, so there is no particular association with any hacker groups that can be determined right now.
The initial analysis was held by a researcher, “ethical hacker”, Vitali Kremez that discovered a link to a photograph of Vladimir Putin with a caption “I added you to the list of, (insult) but only with pencil for now.”. Also, there was found a message to antivirus software developers and other insulting words.
The first version of the Nemty ransomware was designed to restrain from encrypting devices in Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine. This is also a common feature, so researchers cannot pin these attacks to particular members of hacker groups.