# New Nemty Ransomware May Spread via Compromised RDP Connections **[bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/](https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/)** Ionut Ilascu By [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) August 26, 2019 03:29 AM 0 A new ransomware has been spotted over the weekend, carrying references to the Russian president and antivirus software. The researchers call it Nemty. This is the first version of Nemty ransomware, named so after the extension it adds to the files following the encryption process. ## The ransom demand Like any proper file-encrypting malware, Nemty will delete the shadow copies for the files it processes, taking away from the victim the possibility to recover versions of the data as created by the Windows operating system. Victims will see a ransom note informing that the attackers hold the decryption key and that data is recoverable for a price. ----- In BleepingComputer's tests, the ransom demand was 0.09981 BTC, which converts to around $1,000 at the moment. The payment portal is hosted on the Tor network for anonymity, and users have to upload their configuration file. Based on this, they are provided with the link to another website that comes with a chat function and more information on the demands. ## Messages in the code [Security researcher Vitali Kremez took a closer look at the malware and noticed that it](https://twitter.com/VK_Intel/status/1165352844876222464) comes with an unusual name for the mutex object. The author called it "hate," as visible in the image below. ----- A mutually exclusive (mutex) object is a flag that allows programs to control resources by allowing access to them to one execution thread at a time. [Another weird thing Kremez noticed in Nemty's code is a link to this picture of Vladimir](https://pbs.twimg.com/media/Dn4vwaRW0AY-tUu.jpg:large) [Putin, with a caption saying "I added you to the list of [insult], but only with pencil for now."](https://www.merriam-webster.com/dictionary/fag) The list of peculiarities does not stop at this. A straight message to the antivirus industry was spotted by the researcher. At first, the reference seemed an odd thing in the code but a second look at how Nemty worked revealed that it was the key for decoding base64 strings and create URLs is a straight message to the antivirus industry. ----- Another interesting thing is a verification Nemty makes to identify computers in Russia, Belarus, Kazakhstan, Tajikistan, and Ukraine. This is not to exempt the hosts from the file encryption routine, though, Kremez told BleepingComputer. The "isRU" check in the malware code simply marks the systems as being in one of the five countries and then sends to the attacker data that includes the computer name, username, operating system, and computer ID. ----- It s unclear how Nemty is distributed but Kremez heard from a reliable source that the operators deploy it via compromised remote desktop connections. Compared to phishing email, which is currently the common distribution method, leveraging a RDP connection puts the attacker in control as they no longer have to wait for the victim to take the phishing bait. [Kremez published his research notes on Nemty where he includes the list of folders](https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw) (anything needed for booting the OS) and the file extensions (binaries, shortcuts, and log data) the malware does not touch. ### Related Articles: [BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state](https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-asks-5-million-to-unlock-austrian-state/) [Windows 11 KB5014019 breaks Trend Micro ransomware protection](https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/) [Industrial Spy data extortion market gets into the ransomware game](https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/) [New ‘Cheers’ Linux ransomware targets VMware ESXi servers](https://www.bleepingcomputer.com/news/security/new-cheers-linux-ransomware-targets-vmware-esxi-servers/) [SpiceJet airline passengers stranded after ransomware attack](https://www.bleepingcomputer.com/news/security/spicejet-airline-passengers-stranded-after-ransomware-attack/) [Nemty Ransomware](https://www.bleepingcomputer.com/tag/nemty-ransomware/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) Ionut Ilascu is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia. [Previous Article](https://www.bleepingcomputer.com/news/security/hostinger-data-breach-affects-almost-14-million-customers/) [Next Article](https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-windows-10-1703-end-of-life-for-enterprise/) Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----