Nemty ransomware is under active development, with its authors working to increase their profits. As malware detection tooling keeps improving, the attackers are making Nemty more efficient and more sophisticated and are beginning to distribute it more widely. Although the base code has changed, the developers kept the same version number. The modified code is more aggressive in its actions: research shows that the latest version includes routines for killing processes and services so that files those programs hold open can be encrypted. The new code lists nine targeted processes, including WordPad, Microsoft Word, Microsoft Excel, the Outlook and Thunderbird email clients, SQL, and the VirtualBox software for running virtual machines. The presence of SQL and VirtualBox on the list suggests that Nemty is targeting corporate victims. The research also shows that Nemty has extended its “no-no” list of countries: if it finds itself running in one of them, the ransomware shuts down without encrypting anything. The list now contains Russia, Belarus, Kazakhstan, Tajikistan, Ukraine, Azerbaijan, Armenia, Kyrgyzstan, and Moldova. Lastly, the new version has been seen using a fake PayPal page to spread its payload.
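The process-killing behaviour described above is something a defender can look for directly: a single, freshly dropped executable terminating several Office, mail, database and virtualization processes within seconds is rarely legitimate. The following is an added detection example, not code from the Binary Defense research or from Nemty itself. The executable names are assumed mappings of the products named in the text (Word to winword.exe, VirtualBox to VirtualBox.exe and VBoxSVC.exe, and so on), the log lines are constructed in a simplified pipe-delimited form standing in for whatever an EDR records about one process terminating another, and the threshold and time window are illustrative values.

```python
"""Flag one process that kills several of the applications Nemty is reported
to terminate before encrypting.

Added example, not code from the original research.  Image names are an
assumed mapping of the products named in the text; log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed executable names for the products the research names as targets.
NEMTY_TARGET_IMAGES = {
    "wordpad.exe", "winword.exe", "excel.exe", "outlook.exe",
    "thunderbird.exe", "sqlservr.exe", "virtualbox.exe", "vboxsvc.exe",
}

THRESHOLD = 3                    # distinct targets killed by one actor ...
WINDOW = timedelta(seconds=60)   # ... within this window (illustrative)


def parse_line(line):
    """Parse 'timestamp|actor_pid|actor_image|terminated_image' (constructed format)."""
    ts, pid, actor, killed = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "pid": int(pid),
        "actor": actor,
        "killed": killed.lower(),   # case-insensitive match on image name
    }


def detect_mass_kill(lines, threshold=THRESHOLD, window=WINDOW):
    """Return a list of (actor_pid, actor_image, killed_images) alerts.

    An alert fires when one actor (pid + image) terminates at least
    `threshold` distinct target images inside any `window`-long span.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["pid"], e["actor"])].append(e)

    alerts = []
    for (pid, actor), evs in by_actor.items():
        hits = [e for e in evs if e["killed"] in NEMTY_TARGET_IMAGES]
        # Sliding window anchored at each hit; one alert per actor is enough.
        for i, start in enumerate(hits):
            in_window = [e for e in hits[i:] if e["ts"] - start["ts"] <= window]
            killed = {e["killed"] for e in in_window}
            if len(killed) >= threshold:
                alerts.append((pid, actor, killed))
                break
    return alerts


# Constructed sample: a dropper in %TEMP% kills four targets in five seconds,
# while Task Manager kills two unrelated processes an hour and a half apart.
SAMPLE_LOG = [
    "2020-01-15T10:02:01|4120|C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe|winword.exe",
    "2020-01-15T10:02:02|4120|C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe|EXCEL.EXE",
    "2020-01-15T10:02:02|4120|C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe|outlook.exe",
    "2020-01-15T10:02:05|4120|C:\\Users\\victim\\AppData\\Local\\Temp\\invoice.exe|sqlservr.exe",
    "2020-01-15T09:00:00|2200|C:\\Windows\\System32\\taskmgr.exe|chrome.exe",
    "2020-01-15T10:30:00|2200|C:\\Windows\\System32\\taskmgr.exe|winword.exe",
]

if __name__ == "__main__":
    for pid, actor, killed in detect_mass_kill(SAMPLE_LOG):
        print(f"ALERT pid={pid} {actor} terminated {sorted(killed)}")
```

Keying on the actor rather than on the terminated process is what keeps this quiet: users close Word and Outlook all day, but they do so one at a time and from explorer.exe or the application itself, not from an executable in a temp directory. Tune the threshold and window to the telemetry you actually have, and treat the image list as a starting point rather than a complete inventory of what the sample kills.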
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is