Nemty Ransomware Update Lets It Kill Processes and Services

Nemty Ransomware

Nemty ransomware is under active development, although it can not be shown by its version number. Its writers obviously strive to make this malware more effective and advanced and to start distribution more widely.

The malware is new to the company and its cold reception in the underground Ransomware community did not assist take the route its managers wished.

Process and service assassin

Despite code modifications, Nemty writers have kept the same version amount and the safety investigator Vitali Kremez’s analysis demonstrates. However, the code demonstrates changes that make the ransomware more aggressive.

The researcher noticed that the latest malware version includes code to kill processes and services to encrypt current files.

Nemty-proc-serv-killer

Process and service killer

A look at Nemty’s new code reveals a set of nine targeting processes including WordPad, Microsoft Word, Excel, Outlook Thunderbird email clients, SQL and VirtualBox software.

It gives us a clue that Nemty targets corporate victims with SQL and VirtualBox on the list.

Nemty-proc-killer

List of terminated processes

More nations on the “no-no” list

Kremez also noted that the check ‘ isRu’ has now spread to more countries. This full list now includes Russia, Belarus, Kazakhstan, Tajikistan, Ukraine, Azerbaijan, Armenia, Cyrgyzstan and Moldova.

With the previous malware version,’ isRU’ made no difference to the encryption task and just marked the hosts to send system information to the control server. This was amended by an update and computer encryption was aborted for this check.
Nemty-isRu_extended

Blacklisted countries

New pipeline for distribution

One of the first versions of Nemty was distributed via RIG EK (exploit kit), while the later release 1.4 was distributed via a fake PayPal page.

At the beginning of this week, security researchers noted changes in the way victims are selected and the process of encryption worked.

The malware operators have a new distributor, Radio EK, on their list, as found at the start of the week by nao sec.

However, because EK exploits a JScript and VBScript vulnerability for Internet Explorer, that Microsoft patched three years ago, the researcher told BleepingComputer. This is not a superior distributor.

radioek

RadioEK in a malvertising campaign

Nemty is not currently very successful, but its authors seem to put energy into earning respect for cyber criminals in ransomware forums and turning their malware into a lucrative business.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.