Nemty ransomware operation shuts down

The operators of the Nemty ransomware have announced this week they were shutting down their service after ten months in operation, ZDNet has learned from a source in the infosec community.

For those unfamiliar with this malware operation, Nemty is a classic RaaS (Ransomware-as-a-Service).

The Nemty RaaS launched in the summer of 2019 and has been heavily advertised on underground Russian-speaking hacking forums.

Users who signed up with the Nemty RaaS were granted access to a web portal where they could create custom versions of the Nemty ransomware.

The customers were then free to distribute these custom versions via their own methods. Over the past few months, the Nemty ransomware has been spotted being distributed via email spam (malspam) campaigns, exploit kits, boobytrapped apps, and by brute-forcing RDP endpoints.

Distribution methods varied based on the Nemty RaaS customer who was spreading that particular Nemty strain.

If any of the victims who had computers infected with Nemty paid the ransom demand, the Nemty operator kept 30% of the payment, while the distributors got %70 for their efforts.

Nemty shuts down after 10 months

But in an update posted on a dedicated topic on the Exploit hacking forum, the Nemty operator announced yesterday they were shutting down their service.

The Nemty operator gave victims a week to pay the ransom demands before the ransomware would shut down its infrastructure, and users would be unable to decrypt their files, even if they wanted to pay.

The fact that Nemty is shutting down is no surprise for the cyber-security community. There are multiple reasons for this.

First is that the ransomware failed to establish itself as a top player on the ransomware market. Distribution campaigns usually varied in intensity, but the ransomware was never a top threat, being more of a middle-of-the-pack player.

This is pretty evident from the fact that the Nemty gang created a website where they promised to leak files from companies that refused to pay the ransom; however, after setting up the website months back, they only published files from only one company.

On the other hand, "leak sites" from rival ransomware gangs publish files on a nearly daily basis, highlighting how much more active and broadly adopted the other strains are in the cybercrime community, in comparison to Nemty.

Second, Nemty has also suffered a big reputational hit back in October 2019 when Tesorion security researchers decrypted three of its versions.

There's no bigger "business killer" for a RaaS operation than security firms releasing decrypters, as such moves usually drive customers to rival operations.

Third, the Nemty crew saw the writing on the wall after Tesorion released its free decryptors and appear to have moved on to developing a new strain from scratch.

As reported by SentinelLabs' Vitali Krimez and ID Ransomware's Michael Gillespie, the new Nefilim ransomware that was released last month appears to be based on Nemty's code.

With what appears to be a new and rebranded RaaS up and running, there was no reason for the Nemty gang to keep the old one around.

Something similar to this happened last year when the operators of the Gandcrab ransomware also shut down their operation and created the new Sodinokibi (REvil) strain after security firms kept decrypting the older Gandcrab strain, damaging the ransomware's reputation, profits, and clientele.

And just like the old Nemty, the new Nefilim operation also runs a "leak site" where they publish files from companies that don't pay the ransom.

The bad news is that the new Nefilim RaaS appears to be a success and quite very active, with new leaks being published on a weekly basis.

Comments are closed.