{
	"id": "2ed06c5d-7409-4633-a0b5-c5609a00c519",
	"created_at": "2026-04-06T00:08:30.826319Z",
	"updated_at": "2026-04-10T03:23:52.05643Z",
	"deleted_at": null,
	"sha1_hash": "40df31fc9f16baf75bdfb02474d8cb4fe320c77a",
	"title": "Nemty Ransomware Analysis: Technical Details \u0026 IOCs | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3188596,
	"plain_text": "Nemty Ransomware Analysis: Technical Details \u0026 IOCs |\r\nFortiGuard Labs\r\nBy Joie Salvio\r\nPublished: 2019-09-17 · Archived: 2026-04-05 14:10:49 UTC\r\nIn 2019, FortiGuard Labs was investigating the Sodinokibi ransomware family, when we came across the newly\r\ndiscovered Nemty Ransomware. Interestingly, as we analyzed this new malware, we also encountered an artifact\r\nembedded in its binary that we were very much familiar with since it was also used by the GandCrab ransomware\r\nbefore the threat actors’ announced retirement. It is also interesting to see that the Nemty ransomware is being\r\ndistributed using the same method as Sodinokibi, a malware that has strong similarities to GandCrab.\r\nThis report discusses the technical aspects of the new ransomware, including some irregularities that make us\r\nthink that it is still in its early stage of development.\r\nDiscovery\r\nThe first sample that we were able to analyze came from a link that was shared by the @BotySrt Twitter bot\r\naccount, which posts Pastebin links leading to the Sodinokibi and Buran malware families. \r\nFigure 1. Link that was supposed to lead to a Sodinokibi payload\r\nhttps://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html\r\nPage 1 of 15\n\nThe links lead to Powershell scripts that execute embedded malware payloads using Reflective PE Injection. We\r\ncollected the links that were tagged as Sodinokibi, expecting to extract samples of that ransomware. 
However, as\r\nwe were running our automation to extract the embedded binaries, we found an unsupported file, and as we\r\ninvestigated further, we discovered it was the new Nemty ransomware instead.\r\nA GandCrab Flashback\r\nIn our initial analysis of the ransomware, we found a link embedded in its binary which we are very familiar with.\r\nIt is a statement that was actually used by GandCrab when it was having its vaccine war with Ahnlab, as we\r\ndetailed previously in our article discussing the evolution of GandCrab v4.x. \r\nFigure 2. Embedded link leading to an image\r\nFigure 3. GandCrab’s version of the image\r\nThe similarities end there, however, so it is hard to say early on if there is any real relation between the two. But the\r\ninclusion of this artifact, combined with the fact that it is being distributed by the same group as Sodinokibi\r\n(which many see as the reincarnation of GandCrab), makes us curious.\r\nTechnical Analysis\r\nIt’s interesting that GandCrab and Nemty have something in common. But to understand what makes Nemty\r\nunique, we’ll have to engage in a technical analysis. Here’s what we found:\r\nObfuscation\r\nThe strings used throughout Nemty’s execution are obfuscated using a combination of simple base64 encoding\r\nand RC4 encryption. And to express their unsurprising animosity towards the security industry, this variant\r\nuses ‘f**kav\\x00’ (including the terminating null byte) as its vulgar RC4 encryption key.\r\nFigure 4. String decryption using base64 and RC4 algorithm\r\nNemty’s File Encryption Methods\r\nNemty ransomware uses a combination of AES-128 in CBC mode, RSA-2048, and the unusual RSA-8192 for its\r\nfile encryption and key protection. The following steps summarize its encryption process.\r\n1. Generate a 32-byte value using a pseudo-random algorithm. This value is added to\r\nthe configuration information later on. 
The first 16 bytes are used as the main AES key for file encryption.\r\nFigure 5. Function to generate random characters\r\n2. Generate an RSA-2048 key pair.\r\n3. Decrypt and import the embedded RSA-8192 Public Key using the same RC4-base64 function. \r\nFigure 6. Embedded RSA-8192 Public Key\r\n4. Include the generated Private Key from step 2 in the configuration file, which also contains other information\r\ngathered from the system (discussed in the next section).\r\n5. Encrypt the configuration file using the RSA-8192 Public Key imported in step 3 and encode it in base64.\r\nNOTE: Using RSA encryption with 8192 bits of key size is very unusual. In fact, this may be the first time that we\r\nhave seen a ransom malware use such a strong – albeit overkill and inefficient for its purpose – encryption\r\nalgorithm to protect information. In most cases, 2048 and 4096 key sizes are more than enough to secure any\r\nmessage. Using the longer key size adds a large overhead due to significantly longer key generation and\r\nencryption times. And lastly, a single RSA-8192 operation can only encrypt 1024 bytes (the size of the modulus), even less if we consider the\r\nreserved size for padding. Since the configuration’s size will surely be more than that due to the fact that it\r\ncontains the encoded Private Key (from step 4), the malware cuts the information into chunks of 1000 (0x3e8)\r\nbytes and performs multiple RSA-8192 operations until the entire information is encrypted.\r\n6. Generate another 16-byte value using the same algorithm used in step 1. This is the IV (Initialization Vector) for\r\nthe AES-128 CBC mode encryption. A new IV is generated for every file.\r\n7. Encrypt the file content using the main AES Key from step 1 and the current IV.\r\n8. 
Encrypt the current IV using RSA-2048 with the local Public Key generated in step 2 and encode it\r\nin base64.\r\n9. Append the encrypted IV to the file.\r\nFigure 7. File encryption process\r\nFigure 8. Structure of encrypted file\r\nThis means that, as of now, file decryption is not practically possible without the threat actor’s RSA-8192 Private Key\r\nthat corresponds to the embedded Public Key: only that key can recover the configuration file, which holds both the AES key\r\nand the victim’s RSA-2048 Private Key that in turn protects each file’s IV.\r\nFigure 9. File decryption process\r\nThe screenshot below shows files that it avoids during its encryption process. Notice that “boot.ini” is being\r\ncompared twice. This is clearly an error, which implies that this malware may be in its early stages.\r\nFigure 10. Whitelisted folders\r\nIt also avoids files with specific extensions, as listed in the next image, although it is done in a very unusual and\r\nrather inefficient way using case-insensitive string comparison.\r\nFigure 11. Whitelisted file extensions\r\nThe confusion continues when it checks to see if the IP address of the victim is located in Russia, Belarus,\r\nKazakhstan, Tajikistan, or Ukraine by accessing hxxp://api.db-ip.com/v2/free/{IP address}/countryName.\r\nIronically, regardless of the result, it still proceeds to the file encryption stage.\r\nVictim Configuration File\r\nThe configuration file, as referred to in the malware’s ransom note, acts as the victim’s identification and key for\r\nfile decryption. The information is assembled and written in JSON format to\r\n%USERPROFILE%/{FileID}.nemty, wherein the FileID is _NEMTY_{7 random characters} (e.g.\r\n_NEMTY_NIZ8NSt_.nemty). 
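The following Python is an added example and not code from the FortiGuard report. It shows two things an analyst would build from the details above: a base64-then-RC4 string decoder of the kind needed to recover Nemty’s obfuscated strings (the key is the censored placeholder printed in the Obfuscation section with the terminating null byte appended, because the report does not publish the real key), and a regular-expression triage pass over constructed file-listing and proxy-log lines for the host and network artifacts this page names: the _NEMTY_ configuration file under %USERPROFILE%, the db-ip.com country lookup, and the loopback gate URL from the IOC list. The FileID alphabet, the log-line formats and the sample lines are assumptions made for the example.

```python
import base64
import re

# --- String de-obfuscation: base64 wrapping RC4 -----------------------------
# The report prints the RC4 key censored as f**kav followed by a terminating
# null byte; the censored form is used here as a placeholder (assumption), and
# the null byte is appended explicitly so that it takes part in key scheduling.
RC4_KEY = b'f**kav' + bytes([0])


def rc4(key: bytes, data: bytes) -> bytes:
    # Key-scheduling algorithm (KSA): permute S by the key bytes.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): XOR the keystream over data.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_string(blob: str, key: bytes = RC4_KEY) -> bytes:
    # Reverse of the sample's string protection: base64-decode, then RC4.
    return rc4(key, base64.b64decode(blob))


def encrypt_string(plain: bytes, key: bytes = RC4_KEY) -> str:
    # Forward direction (RC4 is symmetric); used here only to build a
    # constructed sample blob for the demonstration.
    return base64.b64encode(rc4(key, plain)).decode('ascii')


# --- Triage of the artifacts named in the report ----------------------------
# FileID alphabet is an assumption: the report shows one example,
# _NEMTY_NIZ8NSt_.nemty, so letters, digits and underscore are accepted.
CONFIG_FILE_RE = re.compile(r'_NEMTY_[A-Za-z0-9_]{7,8}[.]nemty$')
GEO_CHECK_RE = re.compile(r'api[.]db-ip[.]com/v2/free/[0-9.]+/countryName')
GATE_RE = re.compile(r'127[.]0[.]0[.]1:9050/public/gate[?]data=')

RULES = (
    ('nemty_config_file', CONFIG_FILE_RE),
    ('nemty_geo_check', GEO_CHECK_RE),
    ('nemty_loopback_gate', GATE_RE),
)


def triage(lines):
    # Return (rule, line) pairs for every line matching a Nemty artifact.
    hits = []
    for line in lines:
        for name, rx in RULES:
            if rx.search(line):
                hits.append((name, line))
    return hits


# Constructed sample input: one file-listing line and three proxy-log lines
# (the formats and values are invented for this example).
SAMPLE_LINES = [
    '%USERPROFILE%/_NEMTY_NIZ8NSt_.nemty',
    'GET http://api.db-ip.com/v2/free/203.0.113.7/countryName 200',
    'GET http://127.0.0.1:9050/public/gate?data=ZmFrZQ== 000',
    'GET http://example.com/index.html 200',
]

if __name__ == '__main__':
    blob = encrypt_string(b'hxxp://api.db-ip.com/v2/free/')
    print(blob, decrypt_string(blob))
    for rule, line in triage(SAMPLE_LINES):
        print(rule, line)
```

Two practical points: the null byte must be part of the key bytes fed to the KSA, or every decoded string comes out as garbage even though the printable part of the key is right; and the loopback gate rule is only useful on host telemetry (the request never leaves the machine), whereas the db-ip.com lookup is visible at the proxy.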
In generating the random characters, it uses the same algorithm used in generating\r\nthe AES Key and IVs.\r\nFigure 12. Configuration file in JSON format\r\nFigure 13. Configuration file information descriptions\r\nThe UserID is set to a value hardcoded in the binary. This is possibly an affiliate ID, which means that Nemty is\r\npossibly being sold as a Ransomware-as-a-Service (RaaS).\r\nNemty’s Ransom Note and Payment Page\r\nFigure 14. Ransom note\r\nThe payment page is hosted in the Tor network for anonymity, which has become a standard for ransomware\r\noperations. To get to the main payment page, the victim must upload the encrypted configuration file and an\r\nencrypted file for a decryption test. As of this writing, the threat actors are demanding $1000 in bitcoin in\r\nexchange for the decryption of the victim’s files.\r\nThere is a function that sends the encrypted configuration to a remote server, exfiltrating the configuration data from the victim’s\r\nmachine, although it clearly has not yet been put into practical use. This is because the hardcoded IP address,\r\nwhich is supposed to be the threat actors’ C2 server, is actually the victim system’s loopback address, 127.0.0.1. It\r\nis possible that they simply have not configured an operational server to receive the data yet, which is another clue\r\nthat this ransomware is still in the development stage. \r\nFigure 15. 
Function for sending configuration data\r\nAs a result, all information needed for decryption and identification has to be manually submitted by the victim.\r\nFigure 16. Upload pages for test decryption\r\nThe payment page supports the Russian language, which is very unusual and confusing. Considering the\r\nembedded image with the Russian statement that was discussed earlier, it is easy to assume that the developers of\r\nNemty are of Russian descent. Normally, they would avoid infecting Russian users so as to not attract attention\r\nfrom authorities in their region. However, this does not seem to be the case for this ransomware.\r\nFigure 17. Main payment page\r\nConclusion\r\nNemty Ransomware is a file-encrypting malware that is being actively distributed. Although it is interesting to\r\nthink that it may have some relation to GandCrab and Sodinokibi, aside from the insulting Russian statement and\r\nthe similar distribution method, we have not found any compelling evidence to tie them together.\r\nIt also appears that this malware may be yet another RaaS (Ransomware-as-a-Service) due to the existence of a\r\npossible affiliate ID. This means we might be seeing more of this malware being distributed through other means\r\npretty soon.\r\nWe have also discussed several irregularities and inefficiencies in its code, implying that it is still in its early stage\r\nof development. Despite that, however, in its current state, it can still carry out file encryption on a victim’s\r\nsystem, making it a real threat.\r\nAs of this writing, a new version of this malware has been found and is already being analyzed. 
FortiGuard Labs\r\nwill be releasing a new report about it.\r\n-= FortiGuard Lion Team =-\r\nSolutions to Protect Against Nemty\r\nFortinet customers are protected by the following:\r\nSamples are detected by our W32/Gen.NVV!tr.ransom signature\r\nFortiSandbox rates the malware’s behavior as high risk\r\nIOCs for Nemty Ransomware\r\n267a9dcf77c33a1af362e2080aaacc01a7ca075658beb002ab41e0712ffe066e (Nemty ransomware from Powershell)\r\n- W32/Gen.NVV!tr.ransom\r\nhxxps://pastebin.com/raw/NE3TJ3z1 (link to the Powershell loader)\r\n127.0.0.1:9050/public/gate?data={encrypted configuration}\r\nLearn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for our weekly\r\nFortiGuard Threat Brief. \r\nRead about the FortiGuard Security Rating Service, which provides security audits and best practices.\r\nSource: https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html"
	],
	"report_names": [
		"nemty-ransomware-early-stage-threat.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434110,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40df31fc9f16baf75bdfb02474d8cb4fe320c77a.pdf",
		"text": "https://archive.orkl.eu/40df31fc9f16baf75bdfb02474d8cb4fe320c77a.txt",
		"img": "https://archive.orkl.eu/40df31fc9f16baf75bdfb02474d8cb4fe320c77a.jpg"
	}
}