It was named Nemty after the extension it appends to files once they are encrypted.
Like all file-encrypting malware, Nemty deletes the shadow copies of the files it processes, so the victim can no longer recover the previous versions that their operating system, Windows, keeps on their behalf.
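Shadow-copy deletion is the most reliable early indicator of this behaviour for defenders. The following detection logic, an added example and not part of the original article, scans constructed process-creation events for the common shadow-copy deletion commands; the page does not name the exact command Nemty uses, so the `vssadmin`/`wmic` patterns are an assumption about the usual form.

```python
import re

# Constructed sample of process-creation events (Sysmon-style fields); not from the page.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4188, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 4201, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign: enumeration only
    {"pid": 4250, "image": r"C:\Program Files\Backup\backup.exe",
     "cmdline": "backup.exe --snapshot nightly"},       # benign: unrelated tool
]

# Assumed detection rules for shadow-copy destruction. Case-insensitive and
# tolerant of extra whitespace so trivial spacing changes do not evade them.
SHADOW_DELETE_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
}


def match_rules(cmdline):
    """Return the names of every rule that fires on a single command line."""
    return [name for name, rx in SHADOW_DELETE_RULES.items() if rx.search(cmdline)]


def detect_shadow_copy_tampering(events):
    """Return (pid, rule_name) pairs for events that indicate recovery-data destruction.

    Enumeration commands such as 'vssadmin list shadows' intentionally do not match,
    because administrators and backup software run them legitimately.
    """
    hits = []
    for event in events:
        for rule in match_rules(event["cmdline"]):
            hits.append((event["pid"], rule))
    return hits


if __name__ == "__main__":
    for pid, rule in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} rule={rule}")
```

Any hit from these rules should be treated as high-severity and correlated with the parent process, since ransomware typically runs them moments before encryption begins.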
According to BleepingComputer's estimates, the ransom initially demanded was 0.09981 BTC, which is currently worth around $1,000.
The payment portal is hosted on Tor for anonymity, and victims must upload their configuration file there. A link is then provided to a second site that offers a chat feature and additional information.
Messages within the code
A mutex (mutual exclusion object) lets an application coordinate its components so that only one execution thread at a time can access a shared resource.
Another odd detail in Nemty's code is a link to an image of Vladimir Putin, with a caption reading, "I added you to the list of [insult], but only in pencil for now."
The reference to antivirus is also striking. Early in the code there is a peculiar element which, at first glance, serves to decode base64 strings and build URLs from them.
Also notable is the check Nemty performs to identify computers located in Russia, Belarus, Kazakhstan, Tajikistan and Ukraine.
The "isRU" routine in the malware code simply flags systems found in one of those five countries and then sends the attacker the computer ID, username and operating system.
It is not clear how Nemty is distributed; according to sources, however, the attackers operate through compromised remote desktop (RDP) connections.
Compared with phishing e-mail, which is today the most common distribution technique, an RDP connection gives the attacker immediate access and control.