An independent security researcher recently discovered a new malvertising campaign that distributes Nemty ransomware through the RIG exploit kit. The researcher used an AnyRun test environment to gain a full understanding of how the infection and encryption process works; this process took more than ten minutes. The researcher found that once the files are encrypted, Nemty adds the ._NEMTY_Lct5F3C_ extension to them. It then adds a ransom note that explains how to make a payment to recover the stolen files. The ransom note also includes an encrypted version of the decryption key needed to unlock the files; that key is controlled by the attackers. The ransom amount the attackers typically request is around $1,000. The ransomware also removes shadow and backup files, making it nearly impossible for victims to recover their files without paying the ransom.