{
	"id": "77bac8ec-f722-4313-beb8-cb7ee5de08fe",
	"created_at": "2026-04-06T00:14:51.289274Z",
	"updated_at": "2026-04-10T03:20:43.244685Z",
	"deleted_at": null,
	"sha1_hash": "923e20af0d67e759fc6b0e46744dafcb2fa49384",
	"title": "Nemty ransomware operation shuts down public RaaS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 184073,
	"plain_text": "Nemty ransomware operation shuts down public RaaS\r\nBy Catalin Cimpanu\r\nPublished: 2020-04-15 · Archived: 2026-04-05 23:10:16 UTC\r\nThe operators of the Nemty ransomware have announced this week they were shutting down their public\r\nRansomware-as-a-Service operation and opting to go private in order to focus and put more resources on targeted\r\nattacks.\r\nFor those unfamiliar with this malware operation, Nemty is a classic RaaS (Ransomware-as-a-Service). It\r\nlaunched in the summer of 2019 and has been heavily advertised on underground Russian-speaking hacking\r\nforums.\r\nUsers who signed up with the Nemty RaaS were granted access to a web portal where they could create custom\r\nversions of the Nemty ransomware.\r\nThe customers were then free to distribute these custom versions via their own methods. Over the past few\r\nmonths, the Nemty ransomware has been spotted being distributed via email spam (malspam) campaigns, exploit\r\nkits, boobytrapped apps, and by brute-forcing RDP endpoints.\r\nDistribution methods varied based on the Nemty RaaS customer who was spreading that particular Nemty strain.\r\nIf any of the victims who had computers infected with Nemty paid the ransom demand, the Nemty operator kept\r\n30% of the payment, while the distributors got 70% for their efforts.\r\nNemty goes private after 10 months\r\nBut in an update posted on a dedicated topic on the Exploit hacking forum, the Nemty operator announced\r\nyesterday they were shutting down their RaaS operation and \"going private.\" Going private in the cybercriminal\r\nunderground means working with a few selected partners to distribute your malware.\r\nThe Nemty operator gave victims a week to pay any ransom demands they have before they would shut down all\r\nservers, and users would be unable to decrypt their files, even if they wanted to pay.\r\nAnnouncement of the Nemty 
ransomware shutdown. Text translated from Russian with Google\r\nTranslate.\r\nImage supplied by Under the Breach\r\nA day after the announcement, the Nemty crew also shut down its \"leak site,\" a portal where the Nemty gang\r\npublished files from companies that refused to pay ransom demands.\r\n\"Leak site\" for the Nemty ransomware\r\nImage: ZDNet\r\nIn October 2019, Tesorion security researchers released free decrypters for three versions of the Nemty\r\nransomware. However, recent versions are not decryptable.\r\nThe author of the Nemty ransomware also appears to have shared Nemty's source code with others, as last month\r\na new ransomware strain named Nefilim was spotted online. SentinelLabs' Vitali Kremez and ID Ransomware's\r\nMichael Gillespie said the new Nefilim ransomware appears to be based on Nemty's code.\r\nThe Nefilim ransomware has been deployed only in a small number of attacks against large companies. It is this\r\nmodus operandi that the Nemty gang is now hoping to transition to.\r\nSource: https://www.zdnet.com/article/nemty-ransomware-operation-shuts-down/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/nemty-ransomware-operation-shuts-down/"
	],
	"report_names": [
		"nemty-ransomware-operation-shuts-down"
	],
	"threat_actors": [],
	"ts_created_at": 1775434491,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/923e20af0d67e759fc6b0e46744dafcb2fa49384.pdf",
		"text": "https://archive.orkl.eu/923e20af0d67e759fc6b0e46744dafcb2fa49384.txt",
		"img": "https://archive.orkl.eu/923e20af0d67e759fc6b0e46744dafcb2fa49384.jpg"
	}
}