Nemty Ransomware Operators Announce They Are Shutting Down Their Service Within a Week


The operators of Nemty ransomware announced that after ten months of operations, they were shutting down their service this week.

For those unfamiliar with this malware project, Nemty is a classic ransomware-as-a-service (RaaS) operation.

The Nemty RaaS was released in the summer of 2019 and has been widely marketed in Russian-speaking underground hacking forums.

Users who registered with the Nemty RaaS were given access to a web portal where they could generate custom builds of the Nemty ransomware.

These custom builds were then distributed by the affiliates through their own channels. Over the past few months, Nemty ransomware has been spread via email spam campaigns, exploit kits, booby-trapped software, and brute-forcing of RDP endpoints.

The distribution method varied with the Nemty RaaS affiliate who spread the particular Nemty build.
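Brute-forcing of RDP endpoints, one of the distribution vectors named above, is also one of the easiest to spot on the defender's side. The following is an added example, not code from the article or from any of the parties it describes: it reads Windows Security log events in a constructed key=value export format, keeps only failed logons (Event ID 4625) of the RemoteInteractive type (Logon Type 10, i.e. RDP), and flags any source IP that produces a threshold number of failures inside a sliding time window, along with how many distinct usernames it tried. The log lines, the export format, the threshold and the window are all assumptions made for the example.

```python
"""
Added example (not from the article): flag RDP brute-force attempts from
Windows Security log lines. Event ID 4625 = failed logon; Logon Type 10 =
RemoteInteractive (RDP). The log lines below are constructed for this
example, not real telemetry; the key=value export format is assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (documentation IP ranges, no real hosts).
SAMPLE_LOG = """\
2020-04-20T10:00:01Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2020-04-20T10:00:03Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2020-04-20T10:00:05Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2020-04-20T10:00:06Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2020-04-20T10:00:08Z EventID=4625 LogonType=10 TargetUser=sql SourceIP=203.0.113.7
2020-04-20T10:00:09Z EventID=4625 LogonType=3 TargetUser=svc SourceIP=198.51.100.9
2020-04-20T10:00:11Z EventID=4625 LogonType=10 TargetUser=root SourceIP=203.0.113.7
2020-04-20T10:00:12Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2020-04-20T10:15:30Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=192.0.2.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one export line into a dict, or return None for lines that
    do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (failure_count, distinct_users)} for every source IP
    that produces at least `threshold` RDP logon failures within `window`.
    A high distinct-user count with few attempts per user suggests password
    spraying; a low count suggests brute force against one account."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Only failed RDP logons are interesting here; successes and other
        # logon types (e.g. type 3, network) are ignored.
        if ev is None or ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        users[ev["ip"]].add(ev["user"])
        # Slide the window: drop failures older than `window` relative to this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["ip"]] = (len(q), len(users[ev["ip"]]))
    return alerts


if __name__ == "__main__":
    for ip, (count, distinct) in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} RDP logon failures, {distinct} distinct usernames")
```

Run against the sample, only 203.0.113.7 trips the rule: five failures against five different accounts in ten seconds. The single failure from 198.51.100.4 (which also logged on successfully) and the type-3 network logon failure are correctly ignored, which is the main reason to filter on logon type rather than on Event ID alone.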

[Image: Nemty shutdown announcement. Image supplied by Under the Breach.]

When a victim with Nemty-infected computers paid the ransom, the Nemty operators kept 30% of the payment, while the affiliates who carried out the infection earned 70% for their efforts.

But yesterday, in an update to a dedicated thread on the Exploit hacking forum, the Nemty operator announced the shutdown.

The Nemty operator gave victims a week to pay their ransom before the ransomware's infrastructure was taken offline, after which victims would be unable to decrypt their files even if they wanted to pay.

Nemty's shutdown does not come as a shock to the information security community. There are several reasons for this.

First, the ransomware struggled to become a top player in the ransomware market. Distribution campaigns varied in intensity, but Nemty was never the most significant threat and never rose above being a mid-pack player.

This is clear from the fact that the Nemty gang built a website promising to leak files from companies that declined to pay the ransom; yet, months after setting it up, they had published data from only one company.

By contrast, rival gangs' "leak sites" publish files almost daily, showing how much more active and widespread the other strains are compared with Nemty.

Second, in October 2019, Nemty's reputation took a major hit when security researchers at Tesorion released free decrypters for three versions of the ransomware.

For a RaaS operation, there is no bigger "business killer" than security companies releasing decrypters, as such events typically drive affiliates to rival services.

Third, after Tesorion released its free decrypters, the Nemty crew appears to have seen the writing on the wall and gone on to create a new strain from scratch.

According to Vitali Kremez of SentinelLabs and Michael Gillespie of ID Ransomware, the new Nefilim ransomware, released last month, appears to be based on Nemty's code.

With a new, rebranded RaaS up and running, there was no need for the Nemty gang to keep the old one around.

The same thing happened last year when the GandCrab ransomware operators shut down their service and created the new Sodinokibi (REvil) strain, after security companies kept releasing decrypters for older GandCrab versions, damaging the ransomware's credibility, revenues, and customer base.

And like the old Nemty, the new Nefilim operation runs a "leak site," where files from companies that do not pay the ransom are published.

The bad news is that the new Nefilim RaaS appears active and effective, with new leaks published weekly.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.