{
	"id": "0484cb51-d193-4df7-ad52-408fe25b7be0",
	"created_at": "2026-04-06T03:37:33.201046Z",
	"updated_at": "2026-04-10T03:20:00.411857Z",
	"deleted_at": null,
	"sha1_hash": "bdea6a2f058fe8a628514f98cc2eb85e8a8e0469",
	"title": "Nemty Ransomware Update Lets It Kill Processes and Services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2443922,
	"plain_text": "Nemty Ransomware Update Lets It Kill Processes and Services\r\nBy Ionut Ilascu\r\nPublished: 2019-09-14 · Archived: 2026-04-06 03:20:11 UTC\r\nNemty ransomware is under active development, although its version number may not show it. Its authors are clearly\r\nworking to make the malware more efficient and sophisticated as it begins wider distribution.\r\nThe malware is new in the business, and its cold reception in the ransomware underground community did not help it take off\r\nthe way its administrators wanted.\r\nProcess and service killer\r\nDespite making changes to the code, Nemty authors kept the same version number, an analysis from security\r\nresearcher Vitali Kremez shows. The code, however, shows modifications that make the ransomware more aggressive in its actions.\r\nhttps://www.bleepingcomputer.com/news/security/nemty-ransomware-update-lets-it-kill-processes-and-services/\r\nPage 1 of 5\n\nThe researcher noticed that the latest version of the malware includes code for killing processes and services in order to\r\nencrypt files that are currently in use.\r\nA look at Nemty's new code reveals a set of nine targeted processes, which include WordPad, Microsoft Word, Excel,\r\nOutlook and Thunderbird email clients, SQL, and the VirtualBox software for running virtual machines.\r\nThe presence of SQL and VirtualBox on the list is a clue that Nemty is targeting corporate victims.\r\nList of terminated processes\r\nMore countries on the \"no-no\" list\r\nKremez also observed that the 'isRu' check has now been extended to more countries. 
The full list now includes Russia, Belarus,\r\nKazakhstan, Tajikistan, Ukraine, Azerbaijan, Armenia, Kyrgyzstan, and Moldova, with the last four being the latest\r\nadditions.\r\nWith an earlier version of the malware, 'isRU' did not make any difference for the encryption job and just marked those\r\nhosts to send system information to the command and control server. An update changed this: encryption is now aborted on\r\ncomputers that test positive for this check.\r\nBlacklisted countries\r\nNew distribution pipeline\r\nOne of the first versions of Nemty was seen distributed by RIG EK (exploit kit), while a more recent release, 1.4, spread\r\nthrough a fake PayPal page.\r\nAt the beginning of this week, security researchers observed a new release with changes in the way\r\nvictims are chosen and how the encryption process works.\r\nThe malware operators have a new distributor on their list, Radio EK, as found by nao_sec at the beginning of the week.\r\nThis is not a top-quality distributor, though, as the EK exploits a vulnerability in JScript and VBScript for Internet Explorer\r\nthat Microsoft patched three years ago, the researcher told BleepingComputer.\r\nRadioEK in a malvertising campaign\r\nNemty may not enjoy much success at the moment, but its authors seem to be putting in the energy to earn the respect of\r\ncybercriminals on ransomware forums and turn their malware into a lucrative business.\r\nSource: https://www.bleepingcomputer.com/news/security/nemty-ransomware-update-lets-it-kill-processes-and-services/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/nemty-ransomware-update-lets-it-kill-processes-and-services/"
	],
	"report_names": [
		"nemty-ransomware-update-lets-it-kill-processes-and-services"
	],
	"threat_actors": [],
	"ts_created_at": 1775446653,
	"ts_updated_at": 1775791200,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bdea6a2f058fe8a628514f98cc2eb85e8a8e0469.pdf",
		"text": "https://archive.orkl.eu/bdea6a2f058fe8a628514f98cc2eb85e8a8e0469.txt",
		"img": "https://archive.orkl.eu/bdea6a2f058fe8a628514f98cc2eb85e8a8e0469.jpg"
	}
}