Nemty Ransomware Update Lets It Kill Processes and Services

By Ionut Ilascu
Published: 2019-09-14 · Archived: 2026-04-06 03:20:11 UTC

Nemty ransomware is under active development, although its version number may not show it. Its authors are clearly working to make it more efficient and sophisticated, and it is beginning to see wider distribution.

The malware is new in the business, and its cold reception in the ransomware underground community did not help it take off the way its administrators wanted.

Process and service killer

An analysis from security researcher Vitali Kremez shows that Nemty's authors kept the same version number despite making changes to the code. The code, however, shows modifications that make the ransomware more aggressive in its actions.

The researcher noticed that the latest version of the malware includes code for killing processes and services so that it can encrypt files that are currently in use.

A look at Nemty's new code reveals a set of nine targeted processes, which include WordPad, Microsoft Word, Excel, the Outlook and Thunderbird email clients, SQL, and the VirtualBox software for running virtual machines.

The presence of SQL and VirtualBox on the list is a clue that Nemty is targeting corporate victims.

Image: List of terminated processes

More countries on the "no-no" list

Kremez also observed that the 'isRu' check has now been extended to more countries. The full list now includes Russia, Belarus, Kazakhstan, Tajikistan, Ukraine, Azerbaijan, Armenia, Kyrgyzstan, and Moldova, with the last four being the latest additions.

With an earlier version of the malware, 'isRU' did not make any difference for the encryption job and just marked those hosts to send system information to the command and control server. An update changed this, aborting encryption on computers that test positive for this check.

Image: Blacklisted countries

New distribution pipeline

One of the first versions of Nemty was seen distributed by RIG EK (exploit kit), while a more recent release, 1.4, spread through a fake PayPal page.

At the beginning of this week, security researchers observed a new release with changes in the way victims are chosen and how the encryption process works.

The malware operators have a new distributor on their list, Radio EK, as found by nao_sec at the beginning of the week. This is not a top-quality distributor, though, as the EK exploits a vulnerability in JScript and VBScript for Internet Explorer that Microsoft patched three years ago, the researcher told BleepingComputer.

Image: RadioEK in a malvertising campaign

Nemty may not enjoy much success at the moment, but its authors seem to be putting in the energy to earn the respect of cybercriminals on ransomware forums and turn their malware into a lucrative business.

Source: https://www.bleepingcomputer.com/news/security/nemty-ransomware-update-lets-it-kill-processes-and-services/