How does Nemty Ransomware Work?
Nemty ransomware is designed to attack entire networks rather than individual systems. Its executables lock every device on a network, and the operators do not let companies decrypt individual machines: once the victim pays the ransom, they are supplied with a single key that decrypts all devices on the network. Nemty is also run as ransomware-as-a-service (RaaS). Under the RaaS model, the ransomware operators sell their malware as a platform to other malicious actors, who in turn use it to hold computer files, information or systems hostage. Nemty takes its name from the ransom note, labelled “NEMTY-random characters-DECRIPT.txt”, that it leaves on the victim’s systems; the note tells the victim how to obtain a decryption key. Nemty is also notable for refusing to encrypt data on machines located in the countries of the former USSR.
Change in Ransomware Operators’ Tactics
Until recently, attackers using ransomware simply encrypted the data on victims’ computers, networks or systems and demanded payment before they would decrypt it. Recently, however, they have also begun to steal the data before encrypting it. If the company does not pay, the attackers leak the stolen data a little at a time, until either the company pays the ransom or all of the data has been released. According to BleepingComputer: “The theory behind this is that companies may be more apt to pay a ransom if it costs less than the possible fines, data breach notification costs, loss of trade and business secrets, tarnishing of brand image, and potential lawsuits for the disclosing of personal data.” Nemty already has its RaaS infrastructure in place, so modifying it to exfiltrate data before encryption would not be difficult to implement.
Ransomware Tactic of Leaking Data is on the Rise
The tactic of leaking stolen data was first used by the Maze ransomware operators in December 2019. Sodinokibi ransomware used the same tactic a couple of days ago against Artech Information Systems, and its operators are threatening to do the same to Travelex if it does not pay up. Now Nemty is also looking at leaking victims’ data if they don’t pay. Moreover, the Snatch and Zeppelin ransomware families are also designed to steal information. All of this indicates that the trend is on the rise.
How does Nemty Ransomware Intend to Leak Stolen Data?
Nemty operators maintain a news feed where they post their plans, bug fixes and upcoming changes to their RaaS. According to a recent “News” post shared with BleepingComputer, Nemty plans to create a website on which they will leak stolen data if ransoms are not paid.