{
	"id": "deabaf5b-5b72-42a7-a1e8-9c364cb3de28",
	"created_at": "2026-04-06T00:14:14.364883Z",
	"updated_at": "2026-04-10T03:23:52.303397Z",
	"deleted_at": null,
	"sha1_hash": "735b9e4e2d7261270feeb99f9facc93b923724a0",
	"title": "Nemty Ransomware Actively Distributed via 'Love Letter' Spam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1691767,
	"plain_text": "Nemty Ransomware Actively Distributed via 'Love Letter' Spam\r\nBy Sergiu Gatlan\r\nPublished: 2020-02-27 · Archived: 2026-04-05 23:40:46 UTC\r\nSecurity researchers have spotted an ongoing malspam campaign using emails disguised as messages from secret lovers to\r\ndeliver Nemty Ransomware payloads on the computers of potential victims.\r\nThe spam campaign was identified by both Malwarebytes and X-Force IRIS researchers and started distributing\r\nmalicious messages yesterday via a persistent stream of emails.\r\nThe attackers use several subject lines that hint at the contents of the email being sent by someone the recipient already\r\nknows and are built using a love letter template with statements such as \"Don't tell anyone,\" \"I love you,\" \"Letter for you,\"\r\n\"Will be our secret,\" and \"Can't forget you.\"\r\nhttps://www.bleepingcomputer.com/news/security/nemty-ransomware-actively-distributed-via-love-letter-spam/\r\nPage 1 of 5\n\nWhat sets this campaign apart from others is that the operators didn't bother composing an enticing email since all these\r\nspam messages only contain a wink ;) text emoticon.\r\nThis might be a hint at the attackers thinking that the 'secret lover' bait — as it was dubbed by Malwarebytes — is effective\r\nenough on its own.\r\nSample spam email\r\n\"Attached to each email is a ZIP archive with a name formatted as 'LOVE_YOU_######_2020.zip' with only the #s\r\nchanging,\" researchers at X-Force IRIS found.\r\n\"The hash of the file contained within each of these archives remains the same and is associated with a highly obfuscated\r\nJavaScript file named LOVE_YOU.js,\"\r\nThis malicious JavaScript file has a very low VirusTotal detection rate at the moment, which might lead to an increased\r\nnumber of infections until other security solutions add it to their definitions.\r\nThe attackers use it to drop a Nemty ransomware executable on the victims' computers when executed by downloading the\r\nmalicious payload from a remote server and launching it.\r\n\"The downloaded executable was identified to be the Nemty ransomware and performs encryption of system files upon\r\nexecution, leaving behind a ransom note demanding payment in exchange for the decryption key,\" the researchers\r\ndiscovered.\r\nNemty ransomware was first spotted in August 2019 and is known for deleting the shadow copies of all the files it encrypts,\r\nmaking it impossible for victims who don't have separate backups to recover their data.\r\nResearchers discovered one month later that the malware's developers upgraded it to include code for killing Windows\r\nservices and processes to allow it to encrypt files that are currently in use.\r\nSecurity firm Tesorion created a free Nemty ransomware decryptor in October 2019 for Nemty versions 1.4 and 1.6, and\r\nworking for a limited number of document types including images, videos, office docs, and archives.\r\nLast month the operators behind the Nemty ransomware said that they're planning to create a leak blog to be used to publish\r\ninformation stolen from ransomware victims who refused to pay the ransoms.\r\nThis trend was started by Maze Ransomware in November 2019, with Sodinokibi, BitPyLock, and Nemty following in their\r\ntracks and saying that they'll adopt the same tactic (1, 2, 3).\r\nSource: https://www.bleepingcomputer.com/news/security/nemty-ransomware-actively-distributed-via-love-letter-spam/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/nemty-ransomware-actively-distributed-via-love-letter-spam/"
	],
	"report_names": [
		"nemty-ransomware-actively-distributed-via-love-letter-spam"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434454,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/735b9e4e2d7261270feeb99f9facc93b923724a0.pdf",
		"text": "https://archive.orkl.eu/735b9e4e2d7261270feeb99f9facc93b923724a0.txt",
		"img": "https://archive.orkl.eu/735b9e4e2d7261270feeb99f9facc93b923724a0.jpg"
	}
}