Home » News » Nemty ransomware developers continue to improve their malware

Nemty ransomware developers continue to improve their malware

Nemty ransomware developers continue to actively work on their malware, developing it in an effort to increase interest to the product on underground forums.

Attackers made changes to the nature of their actions in the victim’s system. Now the program can not only encrypt files, but also terminate processes and services that interfere with this task.

For the first time, Nemty came to the attention of information security specialists in mid-August. Over the past month, virus writers managed to release a new version of the malware under number 1.4, in which they corrected the errors found and added a stop list.

Read also: Another 0-day vulnerability discovered in Android

The program began to limits its activitiy if the target system was in Russia, Belarus, Kazakhstan, Tajikistan or Ukraine.

Recently, information security researcher Vitali Kremez found out that the authors of the encryptor, without changing the version number, made the next adjustments. The number of geographical regions from the stop list has replenished with Azerbaijan, Armenia, Moldova and Kyrgyzstan that have been added to them.

Nemty ransomware continues to develop

However, the main innovation has become a feature that makes Nemty’s behavior much more aggressive. The code added by the developers can forcibly terminate the processes running on the system, so that, among others, the files opened by the victim can be encrypted.

The main targets of the malware are nine Windows programs and services, including WordPad and Microsoft Word text editors, Microsoft Excel application, Microsoft Outlook and Mozilla Thunderbird email clients, SQL service and VirtualBox virtualization software.

According to Bleeping Computer, the last two items on this list give reason to think that large companies and corporations are most interested in potential victims of criminals.

“There is reason to believe that attackers will not stop in the search for the most effective ways of delivering malware to target systems. At the moment, they have already tested the infection through vulnerable RDP connections, as well as using the fake PayPal page”, — says Ionut Ilascu, one of the authors of Bleeping Computer.

Since criminals have already used one of the exploit packs – RIG, which exploits vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight – they may also resort to other sets of exploits.

About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

Attackers use Checkm8 jailbreak

Attackers actively use the fresh Checkm8 jailbreak for their own purposes

Cisco Talos experts warned users that attackers are actively using Checkm8 jailbreak. At the end …

Tarmac Malware MacOS attacks

Tarmac malware attacks MacOS users

Confiant found that malicious ad campaigns in the US, Italy and Japan were spreading the …

Leave a Reply