The Nemty Ransomware is shutting down its public Ransomware-as-a-Service (RaaS) operation and switching to an exclusive private operation where affiliates are hand-selected for their expertise.
Nemty has historically been a public RaaS, which is a service where ransomware operators are in charge of developing the ransomware and payment site, and affiliates join to distribute and infect victims.
As part of this arrangement, the ransomware operators receive a 30% cut and an affiliate receives 70% of the ransom payments they brought in.
After operating since the summer of 2019, and after a mistake that allowed Tesorion to create a decryptor for earlier versions, jsworm has announced that they are shutting down the public ransomware-as-a-service and making it a private operation instead.
In a post to a Russian hacker forum that was shared with BleepingComputer by security researcher Vitali Kremez, jsworm states that “we leave in private,” meaning that the operation is going private and will no longer be publicly available to join.
The Russian post above translates to English as:
we leave in private. victims have a week to acquire decryptors, then it will be no longer possible. in a week you can close the topic, do not merge the master keys :)
Jsworm’s post further states that as part of this transition, they will not be migrating the old master encryption keys for the public RaaS to the private one.
To recover files, victims of the current operation would need to purchase decryptors before the switch. After that, the keys will no longer be available and it will not be possible to decrypt encrypted files.
Going private makes operation more exclusive
According to Kremez, who has been tracking Nemty’s operation for some time, by switching to a private operation, Nemty will become more exclusive and be able to recruit more experienced malware distributors.
This change will allow them to focus on more profitable attacks such as network compromises and network-wide deployment of their ransomware.
About two weeks before yesterday’s ‘we leave in private’ post, jsworm announced that they had completely rewritten the ransomware and released it as “Nemty Revenue 3.1”.
The above post translates to English as:
ports did not roll out, but completely rewrote the project under / nodefaultlib NEMTY REVENUE 3.1 build weight is now a measly 24kb (very good for spammers). import of one library - kernel32.dll. dynamic loading of all necessary functions (aka PathFindExtensionW ()). morph pictures for desktop. use only vinapi functions. encryption has not changed (everything is also aes-128 in ctr mode with separate keys for each file (thanks SystemFunction036) and rsa-2048 to protect aes keys). from the very first versions almost everything has been changed. all functions with strings are handwritten or taken from CRT sources. in connection with the update - cleaned the panel from zeros, freed up 4 places. in the panel, you can safely get a fresh build, chat with the victim through a chat with push notifications, see your statistics. all payments automatically get to your wallet through a mixer (verified by crabs). spammers, dediks and networks are required (although there are enough of them, but better is more than less: ^)
Kremez believes this version will be used in Nemty’s more exclusive private operation.
Second project launched called Nefilim
In March 2020, a new ransomware named Nefilim was launched that shares the same code as Nemty 2.5.
At this time, it is not 100% clear if another group purchased the Nemty ransomware code for their project or if they are using jsworm’s infrastructure to create a white-labeled version.
On March 14th, jsworm announced this new project and stated that they are looking for new affiliates who are good “spammers” and have access to breached computers known as “dediks” that give attackers remote access to networks.
Translated to English, this post reads:
7 zeros removed, there are slots. need spammers and Dediks in good countries. hxxps://twitter.com/malwrhunterteam/status/1238553586474332160 the second project, which was created so that Michel analyzed it (otherwise he even scored on us ??) and wrote that it is not decryptable without our help. Algos in both projects are the same, except for the encryption of the number of blocks. A. soon iocp ...
As you can see, they reference both MalwareHunterTeam, who commonly writes about new samples of Nemty, and Michael Gillespie, who previously released a decryptor for jsworm’s original ransomware known as “jsworm.”
When we asked the Nefilim operators in the past how they gained access to the Nemty code, they just replied with, “Does it really matter how we got the source code?”
Nefilim is one of the ransomware operators who told us that they would not target hospitals, non-profits, schools, or governments and would decrypt for free if one of them was encrypted by accident.
“We work very diligently in choosing our targets. We never target non-profits, hospitals, schools, government organizations.
If we ever encrypted one of those organizations by accident we would provide decryption for free and would delete all data downloaded.
But as you probably understand the process of choosing and downloading data makes it unlikely that we would encrypt something by accident.
The pandemic has not changed our stance on our targets since we believe that hospitals are off limits in any situation.”
Since the initial release, a new version called Nephilim, which is the more common spelling of this word, has been discovered.