Severity scale: 94/100

Remove Nemty ransomware (Removal Instructions) - updated Oct 2019

Removal guide by Alice Woods | Type: Ransomware

Nemty ransomware is crypto-malware; most of its variants are decryptable thanks to bugs in its AES-256 key scheduling and CBC block mode implementation

Nemty ransomware

Nemty ransomware is a relatively new malware strain that researchers spotted in mid-August 2019 spreading via exposed Remote Desktop connections. The virus uses a combination of sophisticated encryption algorithms to lock pictures, music, videos, and other files and appends the .nemty, ._NEMTY_[random 7 characters]_, or ._NEMTY_[random 7 characters]_! extension to each of them; researchers named the malware after this marker.

After locking all personal data, Nemty drops a ransom note, NEMTY-DECRYPT.txt, which explains that users need to visit a particular Tor site, upload a configuration file that the ransomware generated on the host machine, and then pay a ransom of 0.099 BTC (approximately $1,000 at the time of writing).

While the developers of JSWorm ransomware claimed responsibility for the Nemty ransomware project (which is still in active development),[1] security researchers from Fortinet[2] discovered that a link found in a binary extracted from a malware sample had also been used by the notorious GandCrab before its developers announced their retirement in June 2019, after an extremely successful year and a half of operation. Nevertheless, experts found no other similarities between the two malware families.


On October 10, 2019, security researchers from Tesorion released great news for Nemty ransomware victims: a new decryptor is available for them to use for free.[3] Not all versions and file types are currently decryptable, but the team is still improving the tool and plans to release a version that works for Nemty ransomware 1.5 (all variants up to 1.4, as well as 1.6, are decryptable).

Name: Nemty ransomware
Type: Cryptovirus
Also known as: NEMTY PROJECT
Cipher used: AES-128, RSA-2048, RSA-8192 (the latter being quite an unusual key size, possibly never used by ransomware authors before)
Ransom note: NEMTY-DECRYPT.txt, _NEMTY_[random 7 characters]_-DECRYPT.txt
Ransom amount: $1,000 in Bitcoin
Distribution: Trojans, exploit kits (RIG and Radio), unprotected RDP, spam email attachments with malicious macros,[4] fake PayPal sites, etc.
File marker: .nemty, ._NEMTY_[random 7 characters]_, or ._NEMTY_[random 7 characters]_!; encrypted file example: image.JPG._NEMTY_VOv3Zme_
Infection exemption: In the latest versions, Nemty exits without encrypting anything on machines located in Russia, Belarus, Ukraine, Kazakhstan, Tajikistan, Azerbaijan, Armenia, Kyrgyzstan and Moldova
Elimination: Get an anti-malware tool and remove Nemty ransomware completely; use Reimage to repair virus damage
File recovery: Free decryption may be possible with the help of security researchers from Tesorion (contact details here). Unfortunately, the Nemty 1.5 variant is not currently decryptable, although at least some data may be restored with the help of the guidelines in the recovery section below

Since its initial debut, the malware already managed to reach headlines of multiple security news sites several times, and for a reason. Besides using RDP, RIG[5] and Radio[6] exploit kits, fake PayPal websites[7] and other sophisticated methods for propagation, it also has multiple interesting features.

Nemty ransomware also contains strange clues in its code, gathers additional details about users from Russia and four other countries, has a process and service kill function,[8] creates a mutex called “hate,” and, oddly, includes a link to a picture of Vladimir Putin accompanied by a vulgar pun.

Regardless of its other features, the most devastating one is file encryption: although Tesorion's decryptor now covers most variants, not every version and file type is supported, so an infection can still result in permanent data loss. Nevertheless, users should remove Nemty ransomware without delay with the help of security tools like Reimage, SpyHunter 5, Combo Cleaner, Malwarebytes or any other anti-malware software that detects this threat.[9]

As for Nemty ransomware file recovery, users should try a free decryption help from Tesorion, use third-party tools or Windows Previous Versions feature. For more detailed instructions, please check the recovery section below.

Nemty ransomware virus
Nemty ransomware is the virus that calls itself NEMTY PROJECT. The threat is created by cybercriminals, so stay away from contacting them entirely.

Nemty ransomware operation analysis

Just like many other ransomware families, Nemty Project targets computer users indiscriminately: infection depends on exposed or vulnerable systems rather than on who the victim is. Before starting the encryption process, the malware checks whether the victim is from Russia, Belarus, Ukraine, Kazakhstan, or Tajikistan using a routine named “isRU.”[10] In the early versions this check did not stop the infection on machines in those countries; instead it was used for information gathering, sending the attackers the following details:

  • Username;
  • Computer name;
  • Computer ID;
  • Operating system.

In later versions, however, the check was changed: four more countries were added to the list (Azerbaijan, Armenia, Kyrgyzstan, Moldova) and, instead of gathering information about victims in these countries, Nemty exits without encrypting anything.[11]

Nemty ransomware uses base64 encoding layered over the RC4 stream cipher to obfuscate its code and the strings it uses at runtime, which hinders detection by signature-based security tools. Nevertheless, AV engines now recognize most of the malware's variants, so it is vital to run a comprehensive security application at all times to prevent infection.
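To show what that base64-over-RC4 layering looks like in practice, here is an added Python example (not code from this page, from Tesorion, or from the Nemty sample itself): a minimal RC4 implementation, the obfuscation step, and the decoder an analyst would run over blobs pulled out of a binary. The key “hate” (borrowed from the mutex name mentioned on this page) and the string list are assumptions constructed for the demo; the real sample's key and string table are not reproduced here.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def obfuscate(key: bytes, text: str) -> str:
    """RC4-encrypt a string, then wrap it in base64: the layering described on the page."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")


def deobfuscate(key: bytes, blob: str) -> str:
    """Reverse the layering: strip base64 first, then run RC4 with the same key."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8", errors="replace")


def recover_strings(key: bytes, blobs) -> list:
    """Decode every candidate blob from a sample; blobs that are not valid base64 are skipped."""
    recovered = []
    for blob in blobs:
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:                      # binascii.Error is a ValueError subclass
            continue
        recovered.append(rc4(key, raw).decode("utf-8", errors="replace"))
    return recovered


# Constructed sample: an illustrative key and strings mentioned on this page. The real
# sample's key and string table are NOT reproduced here.
SAMPLE_KEY = b"hate"    # assumption: the mutex name from the page, reused as a demo key
SAMPLE_STRINGS = ["NEMTY-DECRYPT.txt", "isRU", "%USERPROFILE%", "boot.ini"]
SAMPLE_BLOBS = [obfuscate(SAMPLE_KEY, s) for s in SAMPLE_STRINGS]

if __name__ == "__main__":
    for blob, text in zip(SAMPLE_BLOBS, recover_strings(SAMPLE_KEY, SAMPLE_BLOBS)):
        print(f"{blob:32} -> {text}")
```

In a real analysis the key is recovered from the sample (it is usually a hard-coded byte string passed to the RC4 routine) and the blobs are carved from the binary's data section; the decoder above is then run unchanged.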

Security experts at Fortinet found several bugs within the encryption process of the Nemty file virus. For example, the filename “boot.ini” appears twice in its file list, which is a mistake. Also, the way the malware looks for particular extensions to encrypt is quite unusual and, as researchers put it, “rather inefficient.” These defects led the Fortinet team to believe that Nemty ransomware is still in early development. However, that does not diminish the damage this malware can do to victims' computers and files.

Nemty Project ransomware also generates a configuration file for every victim that must be uploaded to the Tor site specified in the ransom note. The file is stored in JSON format in the %USERPROFILE% folder and gives the hackers all the details about the victim they might need: IP address, country, computer name, user name, malware version, operating system, etc.

The stored data also includes a UserID entry, which most likely refers to an affiliate ID. This suggests that Nemty Project might be run as Ransomware-as-a-Service (RaaS), an affiliate model also used by groups like Pinchy Spider, the gang behind the notorious GandCrab ransomware.
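As an added example (not the page's or Tesorion's code) that ties together the file markers from the table above and the JSON configuration file described here, the following Python script walks a user profile, counts files carrying the Nemty markers, collects the 7-character tokens from extensions and note names, finds the ransom notes, and parses the first JSON file that carries the expected fields to pull out the UserID. The JSON key names, the alphanumeric character class for the token, and the sample directory the script builds are assumptions constructed for the demo.

```python
import json
import re
import tempfile
from pathlib import Path

# File markers the page documents: ".nemty", "._NEMTY_<7 random chars>_", optionally with a
# trailing "!". Assumption: the 7 random characters are alphanumeric (as in "VOv3Zme").
ENCRYPTED_RE = re.compile(r"\.nemty$|\._NEMTY_(?P<tok>[A-Za-z0-9]{7})_!?$")
# Ransom note names listed on the page.
NOTE_RE = re.compile(r"^(?:NEMTY-DECRYPT\.txt|_NEMTY_(?P<tok>[A-Za-z0-9]{7})_-DECRYPT\.txt)$")
# Assumption: these key names are illustrative. The page names the fields (IP, country,
# computer name, user name, version, OS, UserID) but not the exact JSON keys.
CONFIG_KEYS = {"ip", "country", "computer_name", "user_name", "version", "os", "UserID"}


def classify(name: str):
    """Return ("note" | "encrypted" | "other", victim_token_or_None) for one filename."""
    m = NOTE_RE.match(name)
    if m:
        return "note", m.group("tok")
    m = ENCRYPTED_RE.search(name)
    if m:
        return "encrypted", m.group("tok")
    return "other", None


def load_config(path: Path):
    """Parse a candidate config file; accept it only if it carries the expected fields."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, UnicodeDecodeError, OSError):
        return None
    if not isinstance(data, dict) or not CONFIG_KEYS.issubset(data):
        return None
    return data


def triage(root) -> dict:
    """Walk a profile directory and summarise the Nemty artefacts found in it."""
    root = Path(root)
    report = {"encrypted": [], "notes": [], "tokens": set(), "config": None}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        kind, tok = classify(p.name)
        rel = str(p.relative_to(root))
        if kind == "encrypted":
            report["encrypted"].append(rel)
        elif kind == "note":
            report["notes"].append(rel)
        elif report["config"] is None and p.suffix.lower() == ".json" and p.stat().st_size < 65536:
            report["config"] = load_config(p)   # keep looking until a real config turns up
        if tok:
            report["tokens"].add(tok)
    cfg = report["config"]
    report["affiliate_id"] = cfg.get("UserID") if cfg else None
    return report


def build_sample_dir() -> Path:
    """Constructed sample profile: encrypted files, two notes, a decoy JSON and a config."""
    root = Path(tempfile.mkdtemp(prefix="nemty_triage_"))
    (root / "Pictures").mkdir()
    (root / "Documents").mkdir()
    (root / "Pictures" / "image.JPG._NEMTY_VOv3Zme_").write_bytes(b"\x00" * 64)  # page's example
    (root / "Documents" / "report.pdf._NEMTY_VOv3Zme_!").write_bytes(b"\x00" * 64)
    (root / "Documents" / "budget.xlsx.nemty").write_bytes(b"\x00" * 64)
    (root / "Documents" / "readme.txt").write_text("untouched file")
    (root / "NEMTY-DECRYPT.txt").write_text("---=== NEMTY PROJECT ===---\n")
    (root / "Documents" / "_NEMTY_VOv3Zme_-DECRYPT.txt").write_text("---=== NEMTY PROJECT ===---\n")
    (root / "app.json").write_text('{"theme": "dark"}')        # decoy: not the config
    (root / "config.json").write_text(json.dumps({              # constructed victim record
        "ip": "198.51.100.23", "country": "US", "computer_name": "DESKTOP-TEST",
        "user_name": "admin", "version": "1.4", "os": "Windows 10", "UserID": "1",
    }))
    return root


if __name__ == "__main__":
    r = triage(build_sample_dir())
    print(f"encrypted: {len(r['encrypted'])}, notes: {len(r['notes'])}, "
          f"tokens: {sorted(r['tokens'])}, affiliate id: {r['affiliate_id']}")
```

Point triage() at the real %USERPROFILE% on an infected machine (after imaging it) to get the encrypted-file count, the victim token and the affiliate ID for the incident record; the token and the config contents are also what Tesorion needs when you ask for decryption help.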

Nemty ransomware creators
JSWorm developers announced on underground forums that Nemty Project is their doing

Besides encrypting files, the Nemty virus also deletes Shadow Volume Copies, modifies the Windows registry, runs PowerShell commands, creates new mutexes, establishes TCP[12] connections, etc.
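Deleting Shadow Volume Copies is the step that removes the victim's cheapest recovery option, so it is worth detecting on its own. The following Python detection logic is an added example (not code from this page or from any vendor) run over constructed Sysmon-style process creation lines. The page does not quote the exact commands Nemty uses, so the vssadmin, wmic, WMI-from-PowerShell, bcdedit and wbadmin patterns are an assumption based on the commands ransomware commonly uses for this; the parent process name h0ecrnc4.exe and its Temp path are taken from the 1.4 variant description further down this page.

```python
import re

# Constructed event lines in a flat Sysmon-style key=value form (values may be quoted).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption: the page says Nemty deletes Shadow Volume Copies and runs PowerShell but does
# not quote the commands; these are the forms ransomware commonly uses for that purpose.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wmi_shadowcopy_delete_ps", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict; quoted values keep their inner spaces."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def detect_shadow_tampering(lines):
    """Return one hit per event whose CommandLine matches a recovery-destruction rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append({"rule": name, "time": ev.get("UtcTime"),
                             "parent": ev.get("ParentImage"), "cmd": cmd})
                break                      # one rule per event is enough for an alert
    return hits


# Constructed sample: four destructive commands spawned by the dropped executable,
# plus two benign lines that must NOT fire (a read-only "list shadows" and Notepad).
SAMPLE_EVENTS = [
    r'UtcTime=2019-10-01T12:00:01Z Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet" ParentImage="C:\Users\Admin\AppData\Local\Temp\h0ecrnc4.exe"',
    r'UtcTime=2019-10-01T12:00:02Z Image="C:\Windows\System32\wbem\WMIC.exe" CommandLine="wmic shadowcopy delete /nointeractive" ParentImage="C:\Users\Admin\AppData\Local\Temp\h0ecrnc4.exe"',
    r'UtcTime=2019-10-01T12:00:03Z Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -nop -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }" ParentImage="C:\Users\Admin\AppData\Local\Temp\h0ecrnc4.exe"',
    r'UtcTime=2019-10-01T12:00:04Z Image="C:\Windows\System32\bcdedit.exe" CommandLine="bcdedit /set {default} recoveryenabled no" ParentImage="C:\Users\Admin\AppData\Local\Temp\h0ecrnc4.exe"',
    r'UtcTime=2019-10-01T12:05:00Z Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin list shadows" ParentImage="C:\Windows\System32\cmd.exe"',
    r'UtcTime=2019-10-01T12:06:00Z Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe NEMTY-DECRYPT.txt" ParentImage="C:\Windows\explorer.exe"',
]

if __name__ == "__main__":
    for h in detect_shadow_tampering(SAMPLE_EVENTS):
        print(f"{h['time']} {h['rule']:26} parent={h['parent']}")
```

The parent image is the most useful field in the alert: legitimate backup software does occasionally call vssadmin, but a process running out of a user's Temp folder doing so is worth an immediate response, and the same ParentImage value lets you pivot to the dropper's other children.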

The latest variant of Nemty ransomware (1.4) terminates several processes and services so that files currently in use can be encrypted. The list includes MS Word, MS Excel, Outlook, WordPad, SQL, VirtualBox, and others. VirtualBox is an open-source multi-platform virtualization application used by many corporations, and terminating it might indicate that companies are also a valid target for the Nemty Project creators.

Tesorion cybersecurity researchers may provide free decryption solutions for Nemty ransomware victims

Nemty ransomware demands payment immediately after file encryption and displays the extortion message in a text file, which directs users to the Tor site zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/pay. Nemty's authors use Tor for communication with victims because of the anonymity the network provides; this has become a trend among the most prolific malware developers. There, victims are asked to upload the encrypted configuration file found in the C:\Users\admin directory.

NEMTY-DECRYPT.txt is the ransom note file that shows the initial message informing about the attack and encryption:

—=== NEMTY PROJECT ===—

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension .nemty
By the way, everything is possible to restore, but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

It’s just a business. We absolutely do not care about you and your deals, except getting benefits.
If we do not do our work and liabilities – nobody will not cooperate with us.
It’s not in our interests.
If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key.
In practise – time is much more valuable than money.

[+] How to get access on website? [+]

1) Download and install TOR browser from this site: hxxps://torproject.org/
2) Open our website: – zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5t***zxprjjnwapkad.onion

When you open our website, follow the instructions and you will get your files back.

Configuration file path:

Cybercriminals offer a free test decryption service meant to guarantee file recovery once the $1,000 in BTC is transferred to them. However, nobody can guarantee anything when it comes to the criminal world, including the digital one. Nemty's creators are running a project designed to extort money from innocent users, and they do not care about their victims' well-being.

Nemty ransomware configuration file
Once on the Tor network, users are asked to upload the configuration file located in their computers

Thus, there is no guarantee that paying the ransom will provide you the decryption tool. Besides, the action will only encourage criminals to develop the project further and infect more victims. Security experts[13] and infosec community advise not paying the ransom, although, in some cases, it might be the only choice victims have left.[14]

The good news is that Tesorion security experts released a free decryption tool that works for most versions of Nemty ransomware. Researchers found bugs in the malware's implementation of the AES-256 key schedule and of CBC block mode. However, because Tesorion did not want to publish the findings, lest the ransomware authors learn of them and fix the bugs, they opted to help each victim individually, generating the key on their own servers instead of on the victim's machine. This help applied to all variants released at the time, up to 1.4.

In the midst of this operation (Tesorion was very busy helping all the victims), Nemty ransomware 1.5 and 1.6 were released by cybercriminals. Because 1.6 was the newest variant, experts decided to start from it and develop a working tool. The decryptor for 1.5 is scheduled to be released a week after the initial release.

Nemty ransomware decryptor only works for the following file types:

avi, bmp, gif, mp3, jpeg, jpg, mov, mp4, qt, 3gp, mpeg, mpg, doc, docb, dot, ole, pot, pps, ppt, wbk, xlm, xls, xlsb, xlt, pdf, png, tif, tiff, nef, txt, docm, docx, dotm, dotx, jar, potm, potx, ppsm, ppsx, pptm, pptx, xlsm, xlsx, xltm, xltx, zip

The Tesorion team said that it is working closely with Europol to release the tool through the No More Ransom Project

Alternatively, those infected with Nemty ransomware can try other file recovery methods, such as third-party tools or the Windows Previous Versions feature. Under certain circumstances data retrieval can succeed, although the success rate is relatively low. For details on all the solutions, please check the recovery section below.

Before trying to recover data, however, users should take care of Nemty ransomware removal. Otherwise, all the recovered data will be encrypted repeatedly, making the whole process worthless.

Nemty ransomware decryptor
Thanks to security experts from Tesorion, many Nemty ransomware victims can now recover certain file types for free

Nemty ransomware variants

Cybercrooks have released many Nemty ransomware variants. As the malware is under active development, this is nothing unusual. Besides, the bad actors are keen to patch bugs in the code in order to stop researchers from working on a Nemty ransomware decryptor.

Nemty ransomware 1.4

This was the variant in which researchers found the weakness in Nemty ransomware's code. It used the ._NEMTY_[random 7]_ file extension to mark encrypted data on the device and dropped the ransom note _NEMTY_[random 7]_-DECRYPT.txt. Researchers found that the files dropped by this variant include h0ecrnc4.exe, zazuvu.pdb and risoceha.pdb. The executable is dropped into C:\Users\Admin\AppData\Local\Temp\, from where it is executed, and the encryption process begins. Nemty ransomware V1.4 fixed multiple bugs present in previous versions and was spread with the help of the Radio Exploit Kit.[15]

Nemty ransomware 1.4 and earlier helped Tesorion experts figure out more details about file decryption, and the tool is being improved each day as a result, decrypting more file types in the process. While the involvement of the CSIRT team is currently required for file decryption, experts promised to release a standalone decryptor that works for this variant without their help.

Nemty ransomware 1.5

Nemty ransomware 1.5 was one of two variants that were released after security experts from Tesorion released the initial decryption tool. The AES bugs that helped security experts to release the previous decryptor are still present in this version, although researchers said that “other minor differences require some changes to our 1.4 decryption process.”

Just like its predecessors, Nemty 1.5 mostly uses RIG and other exploit kits for propagation, although the hackers likely use multiple distribution techniques. It uses the same encryption method, and encrypted files are marked the same way as before.

According to Tesorion researchers, they will be releasing a working decryption tool in the near future, so users who are affected by this variant should hurry with Nemty ransomware removal and wait for the decryptor to be released to recover data for free.

Nemty ransomware 1.6

Nemty ransomware 1.6 was distributed with the help of Quasar Remote Access Trojan and a MedusaHTTP DDoS botnet malware.[16] This is another version of the malware that was released after Tesorion announced the decryptor for 1.4 and prior variants of Nemty ransomware.

Nemty ransomware V1.6
Nemty ransomware V1.6 no longer asks users to visit Tor site, and they can access the decryption service via any browser

While the encryption methods and file markings did not change, there were changes made to the ransom note, which reads:

NEMTY PROJECT V1.6

Don't worry, all your encrypted files can be restored. It's a business, if we can't provide full decryption, other people won't trust us.

In confirmation, that we have decryption key, we can provide you test decryption. On our website you can upload 1 encrypted picture (png, bmp, jpg, gif) and get it decrypted.

There is no way to decrypt your files without our help.

There is 1 way how to get to the website:

1) Any browser
a)Open your browser
b) Type this url: nemty.hk/pay
c) Upload this note

V1.6 is currently decryptable (at least most of the file types are), so make sure you remove Nemty ransomware and then contact Tesorion security experts.

Ransomware breaks in through unprotected RDP and other ways

Compared with phishing emails, which require the victim to open and run an attachment, breaking in through an RDP connection puts the attacker in control: the criminal can act immediately without waiting for the victim to take the bait. This method of infection has become more prevalent in recent years, as more and more criminal gangs use it.[17]

To avoid falling victim to a brute-force attack, do not expose RDP on its default port 3389 directly to the internet: scanning software constantly sweeps the internet for such listeners. Moving the service to another port only hides it from the laziest scanners, so put RDP behind a VPN or gateway instead, require Network Level Authentication and strong, unique passwords (with multi-factor authentication where possible), enable account lockout, and disable RDP as soon as it is not needed.
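Detecting such an attack from the Windows Security log is straightforward: a burst of failed RDP logons (event 4625 with logon type 10, RemoteInteractive) from one address, often against several account names, followed by a success (event 4624) from the same address. The following sliding-window detector is an added Python example, not code from this page; the flat log line format and the TEST-NET addresses are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Security-log lines in a flat key=value form. 4625 = failed logon,
# 4624 = successful logon; LogonType 10 = RemoteInteractive, i.e. RDP.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<id>\d+) "
    r"LogonType=(?P<lt>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_event(line: str):
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "id": int(m["id"]),
            "lt": int(m["lt"]), "user": m["user"], "ip": m["ip"]}


def detect_rdp_bruteforce(lines, threshold=10, window_s=300):
    """Alert on a source IP with >= threshold failed RDP logons inside a sliding window and
    record whether a successful RDP logon from that IP followed the burst."""
    events = sorted(filter(None, (parse_event(l) for l in lines)), key=lambda e: e["ts"])
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)            # ip -> (ts, user) failures inside the window
    alerts = {}
    for ev in events:
        if ev["lt"] != 10:                 # only RDP logons are of interest here
            continue
        ip = ev["ip"]
        if ev["id"] == 4625:
            q = recent[ip]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"first": q[0][0], "failures": 0,
                                           "users": set(), "success": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)   # several names = password spraying
        elif ev["id"] == 4624 and ip in alerts and alerts[ip]["success"] is None:
            alerts[ip]["success"] = (ev["ts"], ev["user"])   # the break-in itself
    return alerts


def build_sample_log():
    """Constructed log: 12 failures in 55 s from one address (cycling three account names),
    a later success from it, two harmless typos from another address, and one non-RDP failure."""
    base = datetime(2019, 9, 21, 3, 14, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    attacker, other = "203.0.113.45", "198.51.100.7"       # TEST-NET addresses
    users = ["Administrator", "admin", "backup"]
    lines = []
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=5 * i)).strftime(fmt)} EventID=4625 "
                     f"LogonType=10 TargetUserName={users[i % 3]} IpAddress={attacker}")
    for i in range(2):
        lines.append(f"{(base + timedelta(seconds=30 * i)).strftime(fmt)} EventID=4625 "
                     f"LogonType=10 TargetUserName=jdoe IpAddress={other}")
    lines.append(f"{(base + timedelta(seconds=70)).strftime(fmt)} EventID=4624 "
                 f"LogonType=10 TargetUserName=admin IpAddress={attacker}")
    lines.append(f"{(base + timedelta(seconds=80)).strftime(fmt)} EventID=4625 "
                 f"LogonType=3 TargetUserName=svc IpAddress={attacker}")   # network logon, ignored
    return lines


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(build_sample_log()).items():
        print(f"{ip}: {a['failures']} failures from {a['first']}, users={sorted(a['users'])}, "
              f"success={a['success']}")
```

An alert whose success field is set is the one to act on first: at that point the attacker already has an interactive session, and the timestamp bounds when the ransomware payload could have been staged.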

Additionally, users should watch out for spoofed websites, such as the fake PayPal site the virus authors used to deliver the payload as a cashback.exe executable that victims had to download.

To avoid falling victim to exploit kits, users should also update their systems regularly: RIG, for example, relies on vulnerabilities that Microsoft patched three years ago.

Eliminate Nemty ransomware from the system and only then attempt to get your files back

When people get affected by the malicious Nemty ransomware virus, all the files on the system get locked, which often results in a shock, as users no longer have access to their precious data. Due to this, some users hurry to pay the ransom and retrieve their files. Unfortunately, that is not the optimal choice, as it is better to remove Nemty ransomware and then use alternative methods to recover data.

Nemty Project ransomware
Nemty virus is the one that demands to pay for the alleged decryption that may not even exist. The demand appears in a ransom note file and Tor browser window.

For comprehensive Nemty ransomware removal, you will need to install powerful anti-malware software if you do not have one yet (which is a huge hole in your computer security!). You should then boot into Safe Mode with Networking in case the malware tampers with the security program; we explain how to do that below. Once inside, perform a full system scan using Reimage, SpyHunter 5, Combo Cleaner, Malwarebytes, or another reputable anti-malware product.


To remove Nemty virus, follow these steps:

Remove Nemty using Safe Mode with Networking

Reboot the machine into Safe Mode with Networking to eliminate Nemty ransomware completely without interruption by the virus

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Nemty

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Nemty removal.

If the ransomware blocks Safe Mode with Networking, try the next method.

Remove Nemty using System Restore

System Restore is the feature that can recover the system in a previous state

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that predates the Nemty infection. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage and scan your computer to make sure that Nemty removal was performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Nemty from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Nemty, you can use several methods to restore them:

Data Recovery Pro is file recovery software that may help with files deleted during encryption

Data Recovery Pro cannot decrypt Nemty-encrypted files. What it can do is recover deleted data: if the ransomware wrote encrypted copies and deleted the originals rather than overwriting them in place, and the disk sectors have not been reused since, the originals may still be recoverable, as may accidentally deleted files

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Nemty ransomware;
  • Restore them.

Try Windows Previous Versions as an alternative to backups

If System Restore was enabled before the infection, you can try Windows Previous Versions as a file recovery method

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer – a tool used for data restore

Unfortunately, Nemty ransomware deletes Shadow Volume Copies, so recovery via ShadowExplorer is unlikely to succeed

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Contact Tesorion security researchers for Nemty file decryption

Security experts at Tesorion are actively working on the Nemty ransomware decryptor. Currently most variants are decryptable, although not all file types are. For help, you need to contact Tesorion directly; you can find the contact details here.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Nemty and other ransomware, use reputable anti-spyware such as Reimage, SpyHunter 5, Combo Cleaner or Malwarebytes

About the author

Alice Woods
Alice Woods - Likes to teach users about virus prevention



References

