The Nemty ransomware is under active development by the developers to try to increase their profits. With malware detection programs constantly being upgraded, attackers are making Nemty more efficient and sophisticated and are beginning wider distribution. Despite making changes to the base coding, Nemty developers kept the same version number. The code does show modifications that make it more aggressive in its actions. Research shows that the latest version includes code for killing processes and services to encrypt files that are currently running. A look at the new code shows nine targeted processes that include WordPad, Microsoft Word, Microsoft Excel, Outlook Thunderbird email clients, SQL, and VirtualBox software for running virtual machines. With VirtualBox and SQL on the list, it shows that the Nemty is targeting corporate victims. The research also shows that Nemty has increased its “no-no” list of countries that it will shut down on if found. The list now contains, Russia, Belarus, Kazakhstan, Tajikistan, Ukraine, Azerbaijan, Armenia, Kyrgyzstan, and Moldova. Lastly, the new version has been seen using a fake PayPal page to spread its payload.
Analyst Notes
The primary method for combating ransomware is first, to have a secure backup of the user’s files so that if a user’s system is infected they can replace the encrypted files with the clean backup. Second is to adopt a “zero-trust” policy when using the internet. A “zero-trust’ policy is to not trust anything that looks suspicious.
