Sunday, August 2, 22:23

Nemty ransomware: "Resets" antivirus software and uses RDP!

Nemty ransomware: a new ransomware family was identified at the weekend, with references to the Russian president and to antivirus software in its code.

It was named Nemty after the extension it appends to files once they are encrypted.


Like all file-encrypting malware, Nemty deletes the shadow copies of the files it processes, depriving the victim of the ability to recover the earlier versions of those files that the Windows operating system had saved.

Victims will see a ransom note informing them that the attackers hold the decryption key and that they must pay if they want their files back.

According to BleepingComputer's estimates, the ransom initially demanded was 0.09981 BTC, which has now reached $1,000.

The payment portal is hosted on Tor for anonymity, and victims need to upload their configuration file there. Next, a link is provided to a different site that offers a chat feature and additional information.


Messages within the code

Security researcher Vitali Kremez took a closer look at the malware and saw that it comes with an unusual name for its mutex object: the author called it "hat", as shown in the picture below.


A mutex (mutual exclusion object) lets a program synchronize its components so that only one execution thread holds a given resource at a time; malware commonly uses one to make sure only a single copy of itself runs.

Another strange element in Nemty's code is a link to an image of Vladimir Putin, with a caption saying, "I added you to the list of [insult], however only in pencil for now."

The reference to antivirus software is also notable. Early in the code there is a strange element which, at a glance, serves to decode base64 strings and build URLs from them.

Another detail that attracts attention is the check Nemty performs for computers located in Russia, Belarus, Kazakhstan, Tajikistan and Ukraine.

The "isRU" flag in the malware code simply marks systems found in one of those five countries, and the malware then sends the attacker the computer ID, username, operating system and computer ID.

It is not yet clear how Nemty is distributed; according to sources, however, the attackers operate through compromised remote desktop (RDP) connections.

Compared to phishing e-mail, which is nowadays a common distribution technique, leveraging an RDP connection gives the attacker immediate access to and control of the system.

