# Nemty Ransomware Gets Distribution from RIG Exploit Kit

[bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/](https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/)

By [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/), September 3, 2019 04:48 AM

The operators of Nemty ransomware appear to have struck a distribution deal to target systems with outdated technology that can still be infected by exploit kits.

Exploit kits are not as commonly used anymore, since they typically thrive on vulnerabilities in Internet Explorer and Flash Player, two products that dominated the web a few years ago but now have one foot in the grave.

Even so, many companies still depend on them, and Microsoft's web browser continues to be used in many countries, turning those users into targets for web threats to which most of the world is immune.

## Nemty is all RIGged up

Nemty appeared on the radar towards the end of August, although the malware administrators had made it known on cybercriminal forums long before this date. [It drew attention through its code, which in version 1.0 contains references to the Russian president and to antivirus software](https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/).

BleepingComputer saw that the post-encryption ransom demand was around $1,000 in bitcoin. Unfortunately, there is no free decryption tool available at the moment, and the malware makes sure to remove the shadow copies of files created by Windows.

Security researcher Mol69 noticed that the file-encrypting malware is now a payload in malvertising campaigns from the RIG exploit kit (EK). The malware used the .nemty extension for the encrypted files, but the variant observed by Mol69 adds '._NEMTY_Lct5F3C_' at the end of the processed files.
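As an added illustration that is not from the article or from Mol69's analysis, the following Python routine scans constructed file-rename and process-creation records for the two Nemty suffixes named above and for shadow-copy deletion, flagging a process that does both. The `vssadmin delete shadows` command line and the assumption that the token between `._NEMTY_` and the trailing underscore varies per sample are assumptions made here; the article only shows the value `Lct5F3C`.

```python
import re
from collections import Counter

# Suffixes named in the article: the original ".nemty" extension and the variant
# "._NEMTY_Lct5F3C_" seen by Mol69. Treating the middle token as variable per
# sample is an assumption made here; the article only shows "Lct5F3C".
NEMTY_SUFFIX = re.compile(r"(\.nemty|\._NEMTY_[A-Za-z0-9]+_)$", re.IGNORECASE)

# The article says Nemty removes Windows file shadows but does not name the
# command; matching vssadmin's shadow deletion is an assumption made here.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Constructed sample telemetry (not from the article): "kind|process|detail"
SAMPLE_EVENTS = """\
rename|C:\\Temp\\payload.exe|C:\\Users\\alice\\Documents\\report.docx._NEMTY_Lct5F3C_
rename|C:\\Temp\\payload.exe|C:\\Users\\alice\\Pictures\\holiday.jpg._NEMTY_Lct5F3C_
rename|C:\\Temp\\payload.exe|C:\\Users\\alice\\Desktop\\notes.txt.nemty
rename|C:\\Windows\\explorer.exe|C:\\Users\\alice\\Downloads\\photo_renamed.jpg
process|C:\\Temp\\payload.exe|vssadmin.exe delete shadows /all /quiet
process|C:\\Windows\\explorer.exe|notepad.exe readme.txt
"""


def analyse(events_text, rename_threshold=3):
    """Flag processes that rename files to Nemty suffixes and/or delete shadow copies."""
    renames = Counter()
    shadow_deleters = set()
    for line in events_text.splitlines():
        if not line.strip():
            continue
        kind, process, detail = line.split("|", 2)
        if kind == "rename" and NEMTY_SUFFIX.search(detail):
            renames[process] += 1
        elif kind == "process" and SHADOW_DELETE.search(detail):
            shadow_deleters.add(process)
    # One process renaming many files to the ransomware suffix suggests mass encryption.
    mass_encryptors = {p for p, n in renames.items() if n >= rename_threshold}
    return {
        "nemty_renames": dict(renames),
        "mass_encryptors": mass_encryptors,
        "shadow_deleters": shadow_deleters,
        # Both behaviours from the same process is the strongest signal.
        "high_confidence": mass_encryptors & shadow_deleters,
    }
```

Feeding real EDR or Sysmon rename and process-creation events through `analyse` in the same three-field form gives a quick triage view of which process is encrypting and whether it also wiped shadow copies.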
> [#Malvertising](https://twitter.com/hashtag/Malvertising?src=hash&ref_src=twsrc%5Etfw) -> [#RIGEK](https://twitter.com/hashtag/RIGEK?src=hash&ref_src=twsrc%5Etfw) -> [#NEMTY](https://twitter.com/hashtag/NEMTY?src=hash&ref_src=twsrc%5Etfw) ([#Ransomware](https://twitter.com/hashtag/Ransomware?src=hash&ref_src=twsrc%5Etfw))
> [Extension] ._NEMTY_Lct5F3C_
> Example Payload [https://t.co/eZk2oFZ1t9](https://t.co/eZk2oFZ1t9) @anyrun_app
> [@EKFiddle](https://twitter.com/EKFiddle?ref_src=twsrc%5Etfw) [@adrian__luca](https://twitter.com/adrian__luca?ref_src=twsrc%5Etfw) [@jeromesegura](https://twitter.com/jeromesegura?ref_src=twsrc%5Etfw) [@nao_sec](https://twitter.com/nao_sec?ref_src=twsrc%5Etfw) [@david_jursa](https://twitter.com/david_jursa?ref_src=twsrc%5Etfw) [pic.twitter.com/HJngPRBKBW](https://t.co/HJngPRBKBW)
>
> [— mol69 (@tkanalyst) August 31, 2019](https://twitter.com/tkanalyst/status/1167818997519151105?ref_src=twsrc%5Etfw)

In the ransom note shown after encrypting the files, Nemty provides instructions on how to pay to recover the data. The ransom note also contains an encrypted version of the key that unlocks the files on the infected computer; decrypting that key is controlled by the malware administrators.

## Suspicious community

[Mol69 ran the infection chain in an AnyRun test environment that documents all of the steps leading to the file encryption process](https://app.any.run/tasks/c4c56bb5-0e57-43b7-92b0-a8c6bf8596a0/). The entire activity took over 10 minutes to finish.

Nemty is new on the scene, and on at least one underground forum it was received with skepticism. This is not unusual with new ransomware, BleepingComputer learned from [Yelisey Boguslavskiy, director of security research at Advanced Intelligence (AdvIntel)](https://www.advanced-intel.com/).

This was not the case with Sodinokibi, though, whose administrators are suspected to be from the old GandCrab gang. [Sodinokibi ransomware received immediate support from high-profile members of the forum](https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/). Furthermore, its profitability only whetted appetites and prompted malware distributors to jump at the opportunity to partner up.

However, Sodinokibi's operators are very selective and associate only with individuals considered veterans in the field. Nemty, on the other hand, did not enjoy a warm welcome in the community.

[Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia.