Home » News » Nemty ransomware developers continue to improve their malware

Nemty ransomware developers continue to improve their malware

Nemty ransomware developers continue to actively work on their malware, developing it in an effort to increase interest to the product on underground forums.

Attackers made changes to the nature of their actions in the victim’s system. Now the program can not only encrypt files, but also terminate processes and services that interfere with this task.

For the first time, Nemty came to the attention of information security specialists in mid-August. Over the past month, virus writers managed to release a new version of the malware under number 1.4, in which they corrected the errors found and added a stop list.

Read also: Another 0-day vulnerability discovered in Android

The program began to limits its activitiy if the target system was in Russia, Belarus, Kazakhstan, Tajikistan or Ukraine.

Recently, information security researcher Vitali Kremez found out that the authors of the encryptor, without changing the version number, made the next adjustments. The number of geographical regions from the stop list has replenished with Azerbaijan, Armenia, Moldova and Kyrgyzstan that have been added to them.

Nemty ransomware continues to develop

However, the main innovation has become a feature that makes Nemty’s behavior much more aggressive. The code added by the developers can forcibly terminate the processes running on the system, so that, among others, the files opened by the victim can be encrypted.

The main targets of the malware are nine Windows programs and services, including WordPad and Microsoft Word text editors, Microsoft Excel application, Microsoft Outlook and Mozilla Thunderbird email clients, SQL service and VirtualBox virtualization software.

According to Bleeping Computer, the last two items on this list give reason to think that large companies and corporations are most interested in potential victims of criminals.

“There is reason to believe that attackers will not stop in the search for the most effective ways of delivering malware to target systems. At the moment, they have already tested the infection through vulnerable RDP connections, as well as using the fake PayPal page”, — says Ionut Ilascu, one of the authors of Bleeping Computer.

Since criminals have already used one of the exploit packs – RIG, which exploits vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight – they may also resort to other sets of exploits.

About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

StackOverflow Java code error

The most copied piece of Java code on StackOverflow contains an error

As it turned out, the most copied piece of Java code on StackOverflow contains an …

MageCart on the Heroku Cloud Platform

Researchers Found Several MageCart Web Skimmers On Heroku Cloud Platform

Researchers at Malwarebytes reported about finding several MageCart web skimmers on the Heroku cloud platform …

Leave a Reply