
Nemty ransomware is under active development, although its version number may not show it. Its authors are clearly making efforts to turn it into a more efficient and sophisticated piece of malware, and it is beginning to see wider distribution.
The malware is new to the business, and its cold reception in the underground ransomware community did not help it take off the way its administrators wanted.
Process and service killer
Despite making changes to the code, Nemty's authors kept the same version number, an analysis from security researcher Vitali Kremez shows. The code, however, contains modifications that make the ransomware more aggressive in its actions.
The researcher noticed that the latest version of the malware includes code for killing processes and services in order to encrypt files that are currently in use.

(Source: Vitali Kremez)
A look at Nemty's new code reveals a set of nine targeted processes, which include WordPad, Microsoft Word, Excel, the Outlook and Thunderbird email clients, SQL, and the VirtualBox software for running virtual machines.
SQL and VirtualBox being on the list is a clue that Nemty is targeting corporate victims.
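As an added illustration, not from the article or from Kremez's analysis, the following Python sketch shows how a defender might spot this behaviour in endpoint telemetry: it scans process-creation records for a burst of kill or stop commands aimed at the office, mail, SQL and VirtualBox applications the article names. The article does not say how Nemty terminates processes, so the taskkill/net stop command lines, the executable image names and the log records below are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Image names for the applications the article names are assumed; Nemty's real list is not quoted.
TARGETED = {"winword.exe", "excel.exe", "outlook.exe", "thunderbird.exe",
            "wordpad.exe", "sqlservr.exe", "virtualbox.exe", "vboxsvc.exe"}
TASKKILL = re.compile(r"taskkill(?:\.exe)?\s.*?/im\s+(\S+)", re.I)
SVC_STOP = re.compile(r"\b(?:net|sc)\s+stop\s+(\S+)", re.I)

def killed_target(cmdline):
    """Return the targeted process/service name if cmdline kills one, else None."""
    m = TASKKILL.search(cmdline)
    if m and m.group(1).lower() in TARGETED:
        return m.group(1).lower()
    m = SVC_STOP.search(cmdline)
    if m and ("sql" in m.group(1).lower() or "vbox" in m.group(1).lower()):
        return m.group(1).lower()
    return None

def find_kill_bursts(events, window=timedelta(seconds=60), threshold=3):
    """events: (timestamp, host, parent_image, command_line) tuples. Flag a host when one
    parent process kills >= threshold distinct targeted applications within `window`."""
    by_parent = defaultdict(list)
    for ts, host, parent, cmd in events:
        name = killed_target(cmd)
        if name:
            by_parent[(host, parent)].append((ts, name))
    alerts = []
    for (host, parent), hits in by_parent.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {n for t, n in hits[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                alerts.append((host, parent, sorted(in_window)))
                break
    return alerts

# Constructed Sysmon-style process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    (datetime(2019, 9, 5, 10, 0, 1), "ws01", r"C:\Users\a\x.exe", "taskkill /f /im winword.exe"),
    (datetime(2019, 9, 5, 10, 0, 2), "ws01", r"C:\Users\a\x.exe", "taskkill /f /im excel.exe"),
    (datetime(2019, 9, 5, 10, 0, 3), "ws01", r"C:\Users\a\x.exe", "net stop MSSQLSERVER"),
    (datetime(2019, 9, 5, 10, 0, 4), "ws01", r"C:\Users\a\x.exe", "taskkill /f /im outlook.exe"),
    (datetime(2019, 9, 5, 11, 0, 0), "ws02", r"C:\Windows\explorer.exe", "taskkill /f /im excel.exe"),
]
if __name__ == "__main__":
    for host, parent, names in find_kill_bursts(SAMPLE_EVENTS):
        print(f"{host}: {parent} killed {', '.join(names)}")
```

A single kill from explorer.exe on ws02 is left alone; only the sweep of four distinct targets from one unknown parent on ws01 is raised.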

More countries on the "no-no" list
Kremez also observed that the 'isRu' check now extends to more countries. The full list now includes Russia, Belarus, Kazakhstan, Tajikistan, Ukraine, Azerbaijan, Armenia, Kyrgyzstan, and Moldova, with the last four being the latest additions.
In an earlier version of the malware, the 'isRu' check made no difference to the encryption job; it only marked those hosts when sending system information to the command and control server. A later update changed this so that encryption is aborted on computers that test positive for the check.

New distribution pipeline
One of the first versions of Nemty was seen distributed by RIG EK (exploit kit), while a more recent release, 1.4, spread through a fake PayPal page.
At the beginning of this week, security researchers observed a new release with changes in the way victims are chosen and how the encryption process works.
The malware's operators have a new distributor on their list, Radio EK, as found by nao_sec at the beginning of the week.
This is not a top-quality distributor, though, as the EK exploits a vulnerability in JScript and VBScript for Internet Explorer that Microsoft patched three years ago, the researcher told BleepingComputer.

Nemty may not enjoy much success at the moment but its authors seem to be putting in the energy to earn the respect of cybercriminals on ransomware forums and turn their malware into a lucrative business.