{
	"id": "4d272b05-77a4-4682-8e83-493a2a656884",
	"created_at": "2026-04-06T00:19:37.121968Z",
	"updated_at": "2026-04-10T03:20:38.970758Z",
	"deleted_at": null,
	"sha1_hash": "5a56d55327a3dc6d3807955e82344ce136a0440e",
	"title": "Nemty Ransomware Gets Distribution from RIG Exploit Kit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2178147,
	"plain_text": "Nemty Ransomware Gets Distribution from RIG Exploit Kit\r\nBy Ionut Ilascu\r\nPublished: 2019-09-03 · Archived: 2026-04-05 13:27:28 UTC\r\nThe operators of Nemty ransomware appear to have struck a distribution deal to target systems with outdated technology\r\nthat can still be infected by exploit kits.\r\nExploit kits are no longer as commonly used, since they typically thrive on vulnerabilities in Internet Explorer and Flash Player,\r\ntwo products that used to dominate the web a few years ago but now have one foot in the grave.\r\nEven so, many companies still depend on them and Microsoft's web browser continues to be used in many countries, turning\r\nthem into targets for web threats to which most of the world is immune.\r\nNemty is all RIGged up\r\nNemty appeared on the radar towards the end of August, although the malware administrators made it known on\r\ncybercriminal forums long before this date.\r\nIt drew attention through its code, which in version 1.0 contains references to the Russian president and to antivirus\r\nsoftware.\r\nBleepingComputer saw that the post-encryption ransom demand was around $1,000 in bitcoin. 
Unfortunately, there is no\r\nfree decryption tool available at the moment and the malware makes sure to remove the shadow copies created by Windows.\r\nSecurity researcher Mol69 noticed that the file-encrypting malware is now a payload in malvertising campaigns from RIG\r\nexploit kit (EK).\r\nThe malware used the .nemty extension for the encrypted files but the variant observed by Mol69 adds\r\n'._NEMTY_Lct5F3C_' at the end of the processed files.\r\n— mol69 (@tkanalyst) August 31, 2019\r\nIn the ransom note shown after encrypting the files, Nemty provides instructions on how to pay to recover the data.\r\nThe ransom note also contains an encrypted version of the key that unlocks the files on the infected computer; decrypting it\r\nis controlled by the malware administrators.\r\nSuspicious community\r\nMol69 ran the infection chain in an AnyRun test environment that documents all of the steps leading to the file encryption\r\nprocess. The entire activity took over 10 minutes to finish.\r\nNemty is new on the scene and on at least one underground forum it was received with skepticism. This is not unusual with\r\nnew ransomware, BleepingComputer learned from Yelisey Boguslavskiy, director of security research at Advanced\r\nIntelligence (AdvIntel).\r\nThis was not the case for Sodinokibi, though, whose administrators are suspected to be from the old GandCrab gang.\r\nSodinokibi ransomware received immediate support from high-profile members of the forum.\r\nFurthermore, its profitability only stirred interest and prompted malware distributors to jump at the opportunity of partnering\r\nup. 
However, Sodinokibi operators are very selective and associate only with individuals considered veterans in the field.\r\nNemty, on the other hand, did not enjoy a warm welcome in the community.\r\nSource: https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/"
	],
	"report_names": [
		"nemty-ransomware-gets-distribution-from-rig-exploit-kit"
	],
	"threat_actors": [],
	"ts_created_at": 1775434777,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a56d55327a3dc6d3807955e82344ce136a0440e.pdf",
		"text": "https://archive.orkl.eu/5a56d55327a3dc6d3807955e82344ce136a0440e.txt",
		"img": "https://archive.orkl.eu/5a56d55327a3dc6d3807955e82344ce136a0440e.jpg"
	}
}