{
	"id": "66c422a0-b012-4c02-8b8f-2210803ce959",
	"created_at": "2026-04-06T00:10:33.144311Z",
	"updated_at": "2026-04-10T03:21:41.316826Z",
	"deleted_at": null,
	"sha1_hash": "653dae27d22798acee0dc47f68eb024429ab3ed5",
	"title": "The Nemty affiliate model",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 752646,
	"plain_text": "The Nemty affiliate model\r\nBy Benoit ANCEL\r\nPublished: 2021-01-25 · Archived: 2026-04-05 13:33:12 UTC\r\nAlmost a year after the end of the operations of the Nemty ransomware, we are presenting some internal details of\r\ntheir operations between 2019 and 2020 in order to document the business model and the actors that evolved\r\naround that group.\r\nThis article is not meant to be a technical analysis of the capacities of the ransomware - McAfee has already\r\npublished an amazing analysis covering the evolution and the technical capacities of Nemty. We are here trying to\r\nshow how the RaaS was working internally and to characterise the different affiliates in order to document an\r\nimportant ransomware threat of 2019.\r\nNemty backend\r\nLike lots of threat actors in 2019, the Nemty gang chose to hide their backend behind a Fast Flux called Brazzzer.\r\nBoth domains nemty[.]top and nemty[.]hk were protected in order to not reveal the real IP of the control server.\r\nThe domains were resolving to different temporary IPs (nginx proxies) managed by the Fast Flux, and those\r\nproxies were redirecting the traffic to the real server.\r\nHowever, staying anonymous on the internet is hard. The protection of a fast flux alone is far from enough to\r\nprotect the IP of a hidden server. Also Nemty eventually leaked the real IP of their server: 5[.]182[.]39[.]200.\r\nTheir control server was poorly configured, allowing anyone to access the CnC directly from the IP, making our\r\ninvestigation much easier:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b\r\nPage 1 of 7\n\nWe observed this IP being used over the Nemty domains throughout the entire operation until the end of the\r\nransomware.\r\nNemty backend\r\nNemty was a Ransomware-as-a-Service. The backend was a central panel poorly developed in JavaScript using\r\nthe library socket.io. 
Each affiliate could log in with their own credentials. The whole backend was managed through an admin account that could see and manipulate every affiliate’s bots.\r\nEach affiliate could see their own bots, interact with the encrypted victims, build new stubs of the ransomware and chat with the admin.\r\nAffiliates\r\nAs shown in the last screenshot, the interesting part of the backend was the affiliates list. Below is the full list of observed affiliates:\r\nIf you are familiar with the RaaS ecosystem of 2019/2020, you will quickly recognise some well-known nicknames. For example, “jokeroo” was a well-known actor trying to run his own business, symmetries was also known around other RaaS, helliscod was known on numerous forums for buying different malware such as Raccoon, and sprite77 was a well-known GandCrab affiliate.\r\nAll those nicknames can be found all over the place, which shows that RaaS affiliates do not commit their money to only one project. 
It was, and still is, very common to see the same actors show up on different RaaS: when we see many different campaigns distributing many ransomware families, it is in fact a small pool of actors. You can still find some of them around Dharma ransomware or DJVU in 2021.\r\nThe panel developer’s mistakes\r\nNemty ran between August 2019 and April 2020, and we monitored the same single IP used as backend during the whole operation: 5[.]182[.]39[.]200.\r\nWhen you try to obtain open-source intelligence about an infrastructure, one of the best places to dig is StackOverflow. Criminals or not, behind these kinds of operations it is still humans developing products and having trouble debugging their code.\r\nOn 25 September 2019, a user with the nickname Sajan Maharjan opened a new thread asking for help debugging the implementation of a Bitcoin node:\r\nScreenshot of the StackOverflow post\r\nWe can see the original poster pasting code containing HOST = \"5.182.39[.]200\"; . Curiously enough, port 8333 (the default Bitcoin P2P port) was open on the Nemty IP at that time too.\r\nThat StackOverflow user appears to work with JavaScript libraries and UI development and to live in South Korea, where Nemty was most active in the wild in 2019. These elements suggest that this user was related to the backend developers of the Nemty operation.\r\nThese kinds of mistakes are a good reminder of the power of the data exposed on StackOverflow. 
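Added example, not the original StackOverflow post and not code from the CSIS article: a Python check that automates the pivot described above by extracting IPv4 literals and port numbers from a pasted code snippet and comparing them with a defanged watch-list. The snippet inside the script is constructed to resemble a hard-coded node configuration; only the backend IP and the Bitcoin P2P port 8333 come from the article, while the watch-list, the regexes and the port labels (Bitcoin Core defaults) are this example's own assumptions.

```python
# Added example, not the original StackOverflow post and not code from the
# CSIS article: extract IPv4 literals and port numbers from pasted code and
# compare them with a defanged watch-list. Stdlib only, runs offline.
import re

# Constructed snippet resembling a hard-coded node config (not the real post).
SNIPPET = '''
const net = require('net');
const HOST = '5.182.39.200';
const PORT = 8333;
const client = net.connect(PORT, HOST, () => { console.log('connected'); });
'''

# Defanged IOCs as they appear in reports; only the first one is real.
WATCHLIST = ['5[.]182[.]39[.]200', '203[.]0[.]113[.]5']

# Default ports of Bitcoin Core, the software the poster was implementing.
KNOWN_PORTS = {8333: 'bitcoin p2p mainnet', 8332: 'bitcoin json-rpc', 18333: 'bitcoin p2p testnet'}

# Dotted quad not glued to other digits or dots (avoids matching inside longer tokens).
IPV4 = re.compile(r'(?<![0-9.])((?:[0-9]{1,3}[.]){3}[0-9]{1,3})(?![0-9.])')
# Assignments such as PORT = 8333, port: 8332, rpc_port=18333
PORT_ASSIGN = re.compile(r'(?i)port[a-z0-9_]*[ ]*[=:][ ]*([0-9]{2,5})')
# host:port literals such as 203.0.113.5:8332
IP_PORT = re.compile(r'((?:[0-9]{1,3}[.]){3}[0-9]{1,3}):([0-9]{2,5})')

def refang(ioc):
    '''Turn 5[.]182[.]39[.]200 back into 5.182.39.200.'''
    return ioc.replace('[.]', '.')

def extract_ips(text):
    '''Unique IPv4 literals in text, each octet checked to be below 256.'''
    found = set()
    for match in IPV4.finditer(text):
        ip = match.group(1)
        if all(int(octet) < 256 for octet in ip.split('.')):
            found.add(ip)
    return sorted(found)

def extract_ports(text):
    '''Unique port numbers from assignments and host:port literals.'''
    ports = {int(p) for p in PORT_ASSIGN.findall(text)}
    ports |= {int(p) for _, p in IP_PORT.findall(text)}
    return sorted(p for p in ports if 0 < p < 65536)

def match_watchlist(text, watchlist):
    '''Report which watch-listed IPs appear in text and label any ports seen.'''
    refanged = {refang(ioc) for ioc in watchlist}
    hits = [ip for ip in extract_ips(text) if ip in refanged]
    ports = [(p, KNOWN_PORTS.get(p, 'unknown')) for p in extract_ports(text)]
    return {'ips': hits, 'ports': ports}

if __name__ == '__main__':
    print(match_watchlist(SNIPPET, WATCHLIST))
```

Feeding the script the text of a forum or Q&A post gives the two facts the pivot above relied on at once: a watch-listed address embedded in the code, and a port whose service (here Bitcoin P2P) can be checked against what the address actually exposes.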
He is not the first actor to make that mistake, and he will not be the last.\r\nConclusion\r\nThis article documents the affiliate model and the actors that evolved around Nemty in 2019/2020, in order to facilitate future investigation of fresh threats potentially operated by those criminals.\r\nFor the whole history and technical details of Nemty, I recommend the paper written by McAfee researchers: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/\r\nAppendix\r\nVirtual hosts observed on the IP 5.182.39[.]200:\r\nnemty[.]top\r\nnemty[.]hk\r\nnemty10[.]hk\r\nEarly Nemty change-log (translated from Russian):\r\n- 08.20.2019 16:56:51 Release date\r\nPanel is ready\r\nCryptolocker is ready\r\n- 08.22.2019 07:22:55 Update 1.0.1 \u0026 1.0.2\r\nFixed builder page\r\nAdded page loader\r\nAdded drives section on bots page\r\n- 08.24.2019 09:32:35 Update 1.1 \u0026 1.0.3\r\nRansomware:\r\nEncryption speed increased significantly due to asynchronisation of threads\r\nExtension changed to ._NE\r\nAdded simple tags like “@admin” (admin will come)\r\nFixed some bugs\r\n- 08.25.2019 09:15:29 WARNING UPDATE BUILDS\r\n- 08.26.2019 08:09:48 update your builds, actual version — 1.3\r\n- 08.26.2019 08:49:57 Important for everyone to read\r\nNow two victims from two different countries have tapped, both write the same:\r\nGuy, test decrypt isn’t working, but I can’t pay you so much, because I’m not a rich man.\r\nI went to look for the problem, why the files from them didn’t decrypt.\r\nFound this file that they were trying to decrypt.\r\nSince I leave the encrypted key and the file extension at the end of the file, I noticed that the fil\r\nIt was decided to add a check for the extension in the file body, which will be available today.\r\n- 08.28.2019 12:56:42 UPDATE RANSOMWARE\r\nAdded:\r\nNo configuration file, everything in ransom note\r\nFix 
CD-ROM\r\n- 08.29.2019 19:50:38 SECURITY WARNING\r\ncheck your BTC address, if you have no BTC address in settings, victims couldn’t open payment pa\r\n- 08.31.2019 06:51:19 Update\r\nAdded saving of any messages\r\n- 09.06.2019 11:19:58 ransomware update\r\nvictim will appear in the panel before encrypting files\r\n- 09.09.2019 08:46:37 Mini update\r\nupdate build, now ransomware will skip files with\r\n“nemty”, “exe”, “log”, “cab”, “cmd”, “com”, “cpl”, “exe”, “ini”, “dll”, “url”, “ttf”, “url”\r\nextension, even in upper case\r\nadded process kill\r\n“sql”, “winword”, “wordpad”, “outlook”, “thunderbird”, “oracle”, “excel”, “onenote”, “virtualboxvm”\r\nadded service stop\r\n“DbxSvc”, “OracleXETNSListener”, “OracleServiceXE”, “AcrSch2Svc”, “AcronisAgent”, “Apache2.4”, “SQLW\r\nif you want to expand these lists — admin jabber is nemty@thesecure.biz\r\n- 09.24.2019 05:35:24 update 1.5\r\nFastFlux\r\n- 09.27.2019 09:05:57 CLEANING\r\nOLD BOTS WERE DELETED BECAUSE USELESS\r\n- 10.02.2019 15:28:23 1.6 ransomware update\r\nchanged encryption algorithm\r\nadded our own key generator (not pseudo keys)\r\n- 10.10.2019 08:25:03 update builds\r\nif there is no internet, it won’t get an IP and as a result the panel will not detect the IP string a\r\nso update the builds, all bots that have no Internet or haven’t received an IP will be from IP Austra\r\nSource: https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b"
	],
	"report_names": [
		"the-nemty-affiliate-model-13f5cf7ab66b"
	],
	"threat_actors": [],
	"ts_created_at": 1775434233,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/653dae27d22798acee0dc47f68eb024429ab3ed5.pdf",
		"text": "https://archive.orkl.eu/653dae27d22798acee0dc47f68eb024429ab3ed5.txt",
		"img": "https://archive.orkl.eu/653dae27d22798acee0dc47f68eb024429ab3ed5.jpg"
	}
}