{
	"id": "6e22b716-00ba-43df-94fc-22b571652fa0",
	"created_at": "2026-04-06T00:08:54.70195Z",
	"updated_at": "2026-04-10T03:20:34.150188Z",
	"deleted_at": null,
	"sha1_hash": "f0e848dbddd46f181fa50d88aef18a3fcb88b2fd",
	"title": "New Nemty Ransomware May Spread via Compromised RDP Connections",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2432862,
	"plain_text": "New Nemty Ransomware May Spread via Compromised RDP\r\nConnections\r\nBy Ionut Ilascu\r\nPublished: 2019-08-26 · Archived: 2026-04-05 19:05:54 UTC\r\nA new ransomware has been spotted over the weekend, carrying references to the Russian president and antivirus software.\r\nThe researchers call it Nemty.\r\nThis is the first version of Nemty ransomware, named so after the extension it adds to the files following the encryption process.\r\nThe ransom demand\r\nLike any proper file-encrypting malware, Nemty will delete the shadow copies for the files it processes, taking away from the victim the possibility to recover versions of the data as created by the Windows operating system.\r\nhttps://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/\r\nPage 1 of 6\r\nVictims will see a ransom note informing them that the attackers hold the decryption key and that the data is recoverable for a price.\r\nIn BleepingComputer's tests, the ransom demand was 0.09981 BTC, which converts to around $1,000 at the moment.\r\nThe payment portal is hosted on the Tor network for anonymity, and users have to upload their configuration file.\r\nBased on this, they are provided with the link to another website that comes with a chat function and more information on the demands.\r\nMessages in the code\r\nSecurity researcher Vitali Kremez took a closer look at the malware and noticed that it comes with an unusual name for the mutex object. The author called it \"hate,\" as visible in the image below.\r\nA mutually exclusive (mutex) object is a flag that allows programs to control resources by allowing access to them to one execution thread at a time.\r\nAnother weird thing Kremez noticed in Nemty's code is a link to this picture of Vladimir Putin, with a caption saying \"I added you to the list of [insult], but only with pencil for now.\"\r\nThe list of peculiarities does not stop there. A straight message to the antivirus industry was spotted by the researcher.\r\nAt first, the reference seemed an odd thing to find in the code, but a second look at how Nemty worked revealed that this message to the antivirus industry is the key used for decoding base64 strings and building URLs.\r\nAnother interesting thing is a verification Nemty makes to identify computers in Russia, Belarus, Kazakhstan, Tajikistan, and Ukraine. This is not to exempt the hosts from the file encryption routine, though, Kremez told BleepingComputer.\r\nThe \"isRU\" check in the malware code simply marks the systems as being in one of the five countries and then sends to the attacker data that includes the computer name, username, operating system, and computer ID.\r\nIt's unclear how Nemty is distributed, but Kremez heard from a reliable source that the operators deploy it via compromised remote desktop connections.\r\nCompared to phishing email, which is currently the common distribution method, leveraging an RDP connection puts the attacker in control as they no longer have to wait for the victim to take the phishing bait.\r\nKremez published his research notes on Nemty where he includes the list of folders (anything needed for booting the OS) and the file extensions (binaries, shortcuts, and log data) the malware does not touch.\r\nSource: https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/"
	],
	"report_names": [
		"new-nemty-ransomware-may-spread-via-compromised-rdp-connections"
	],
	"threat_actors": [],
	"ts_created_at": 1775434134,
	"ts_updated_at": 1775791234,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0e848dbddd46f181fa50d88aef18a3fcb88b2fd.pdf",
		"text": "https://archive.orkl.eu/f0e848dbddd46f181fa50d88aef18a3fcb88b2fd.txt",
		"img": "https://archive.orkl.eu/f0e848dbddd46f181fa50d88aef18a3fcb88b2fd.jpg"
	}
}