Nemty Ransomware

[Didi 0]

Hello,

On Tuesday 27th August, I was downloading some iMazing torrents in order to transfer photos from iPhone to my laptop (Windows 10). After some time, I saw that all my files (except for music files),  on my laptop and my external hard drive, had gone blank and had this extra extension attached: _NEMTY_VOv3Zme_ . I also got a ransom message as well that said that I would have to pay a cryptocurrency fee which is equal to $1000.

I downloaded some ransomware programs to get rid of the malware and searched for the malware in my registry. It seems that I’ve been able to remove the ransomware but my files have been encrypted and it seems that the ransomware has affected my Windows Defender, as it refuses to go on.

I ask if anyone can please help me find out how to decrypt my files and let me know if they have any information. I’d be so so grateful.

 

[Kevin Zoll 280]

That is the dangers of downloading pirated software.

Let's make sure of what we're dealing with. The following site is quite good at identification, and will also offer advice on who, if anyone, might have a decrypter available, even if it is not us. We contribute to the site as well.

Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note for proper identification, and share with me the web address of the results page: https://id-ransomware.malwarehunterteam.com/ 

Please be sure to read the information link on the results page, as to whether we have a decrypter or not, sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery.

Outright cracking secure encryption is currently not possible. The encryption used is the same thing governments use and can take on the order of billions of years (no, I'm not exaggerating) with current technology to completely brute-force decrypt even a single victim's computer. Google searching for "time to decrypt AES-256" is pretty enlightening.

If this is on a server, please make sure RDP (Remote Desktop Protocol) into your server is protected by proper difficult passwords (all of them), that you audit every account on the server and every machine that can access the server, and use firewalling to limit the range of IP addresses that can use RDP into your server. Also make sure it is up to date with all the latest security patches from Microsoft, especially ones such as the EternalBlue exploit patch. Many criminals using ransomware variants these days use RDP exploits to break in physically, so the attacker can turn off any protection that is on the machine prior to encrypting it. There is no protection against that if they are able to get in, so it is very important to secure the server.

[Kevin Zoll 280]

It also appears that NEMTY is unbreakable and cannot be decrypted using third-party decryption tools.

[Didi 0]

Hello Kevin,

I appreciate your very swift reply; thank you so much. I apologise for my not so quick reply; I've been reading up on this ransomware and what options I have.

Thank you for the information provided. You're right, this is what you get when you download pirated programs. I uploaded the necessary files on the site and I've attached a picture of the results page. It seems that GandCrab v4.0 / v5.0 may help but I'm skeptical seeing as you've said that "outright cracking secure encryption is currently not possible".

Annoyingly, I found that  RDP (Remote Desktop Protocol) was enabled/allowed so I quickly unchecked the "allow" box. I'm currently running SpyHunter4 on my laptop which picked up the cryptowall ransomware (screenshot is attached).

Is there any advice you could please offer me?

Download Image

Download Image

[Amigo-A 40]

Hello @Didi

Ransomware's actors often copies elements from each other to trick ID Ransomware

Attach 2-3 encrypted files and the original ransom note to your message, so that we can verify it individually.

Description of Nemty Ransomware

[Didi 0]

Hello @Amigo-A,

Thank you for getting in touch. 

I see. OK, here are 3 encrypted files and the ransom note is called NEMTY-DECRYPT.txt

IMG_2439.JPG._NEMTY_VOv3Zme_ IMG_2440.JPG._NEMTY_VOv3Zme_ NEMTY-DECRYPT.txt

[Amigo-A 40]

Yes. This is new variant of Nemty Ransomware

They again decided to change the extension, as if there was some reason for this.

[Amigo-A 40]

6 hours ago, Didi said:

I'm currently running SpyHunter4 on my laptop which picked up the cryptowall ransomware (screenshot is attached).

Is there any advice you could please offer me?

1st step

In this case, the most correct solution would be to remove SpyHunter, because it will not protect your PC and will not return your files. 

Quarantine needs to be exported, if this program allows this action.

"The Moor has done his job, the Moor can go" - (phrase from the classics of literature). 

[Amigo-A 40]

2st step

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

[Amigo-A 40]

3st step

Later run a scan with Emsisoft Emergency Kit to make sure there's nothing malicious left on the system. 

Do not delete Quarantine if such files will be found.

I or someone from the support service will look at the scan results to exclude the presence of malicious ransomware and others malicious files in the system.

[Didi 0]

@Amigo-A,

Thank you again for your reply. OK, I'll delete SpyHunter and will download FRST. 

Please bear with me.

 

[Amigo-A 40]

Decryption specialists will need time to explore the first and new variants  and find vulnerabilities to make the decryptor.

It is possible that this will not happen soon or will never happen. 

JSWorm - the previous development of the ransomware team, which, despite all their tricks and changes, was studied by decryption specialists and almost all the variants were decrypted. Thank you very much to  @Demonslay335

This does not mean that success will be repeated every time something changes, but I think that we should hope and wait.

Demonslay335 promises good news, but the time is not known in advance.

[Didi 0]

Hello @Amigo-A,

Thank you for your swift reply; I really appreciate it. I was about to try all that you’ve mentioned but I had the opportunity to hand over my laptop and my external hard drive to the IT department in my workplace. I’ll wait and see what they say and give all that you’ve mentioned a go.

Although I’m disheartened to hear that something may happen in the long run or not at all, I’m somewhat hopeful about @Demonslay335 finding a solution. 

[Didi 0]

As I thought, the IT department was unsuccessful so I’ll be getting my laptop back soon. 

I’ll be running a scan with FRST and the Emisoft Emergency Kit once I receive my laptop and I will post my logs/findings ASAP.

[Didi 0]

Hello @Amigo-A,

 

I ran a scan with FRST and the Emisoft Emergency Kit and there was no problem. I've attached a screenshot of the Emisoft Emergency Kit's scan of my system.

Download Image

[Amigo-A 40]

Need a log of results. 

[GT500 589]

On 9/7/2019 at 4:47 PM, Didi said:

I've attached a screenshot of the Emisoft Emergency Kit's scan of my system.

The screenshot shows Emsisoft Emergency Kit downloading Emsisoft Anti-Malware. Please note that if you already have Anti-Virus protection, you may want to remove it before installing Emsisoft Anti-Malware.

 

On 9/7/2019 at 4:47 PM, Didi said:

I ran a scan with FRST and the Emisoft Emergency Kit and there was no problem.

FRST isn't going to tell you if it found anything. What it does is save logs which need to be manually analyzed by an expert. If you could attach those logs to a reply, we would be happy yo look over them for you.

[Didi 0]

OK, here are is the log for the Emisoft Emergency kit:

Emsisoft Emergency Kit 2019.6.0.9501 stable [en-us]
OS: Windows 10 (Version 10.0, Build 18362, 64-bit Edition)

Forensics log

    Date    Component    Action    Details    
09/09/2019 01:06:09    Scanner    Scan finished    Scanned 95288 objects and found nothing.        
09/09/2019 00:55:00    User    Update    Downloaded and installed 226 files (96030 kb) (17 min. 4 sec.).        
09/09/2019 00:39:12    User IBHADE\ibhad    Scan started    Malware Scan        
09/09/2019 00:37:57    Core    Notification    "Recommended Reading:To pay or not to pay ransomware: A cost-benefit analysis of paying the ransom".        
 

Log for FRST:

FRST.txt

Edited September 13 by GT500
Moved FRST log into attachment.

[Didi 0]

FRST Addition log:

Addition.txt

Edited September 13 by GT500
Moved log into attachment.

[Didi 0]

I've been unable to enable Windows Defender. The attack disabled it and shows an error when I click on Use recommended settings:

Download Image

[GT500 589]

@Didi Please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/2019-09September-13/Didi/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

1. Run the FRST download from earlier, and press the Fix button just once and wait.
2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.
   

[Didi 0]

Hello @GT500 ,

I apologise for the very late reply. I did as instructed and I've attached the log here. 

Windows Defender hasn't changed:

Fixlog.txt
Download Image

[GT500 589]

I can't be certain if it will help in this case, however Microsoft has a fix for some Windows Firewall issues at the following link:
https://support.microsoft.com/en-us/help/17613/automatically-diagnose-and-fix-problems-with-windows-firewall

If that doesn't help, then please try the following:

1. Right-click on the Start button.
2. Select Windows PowerShell (Admin) from the menu.
3. PowerShell will take a minute to fully load, so wait until it says "PS C:\WINDOWS\system32>" before you proceed.
4. Type cmd.exe into PowerShell, and then press Enter on your keyboard.
5. Copy the command from the following box, paste it into PowerShell, and then press Enter again:

netsh advfirewall reset

After the command is done running, please be sure to restart your computer by right-clicking on the Start button, going to Shut down or sign out, and selecting Restart from that menu.

[Didi 0]

Thank you so much for these! 

I'll try them and get back to you!

[Amigo-A 40]

Hello @Didi

Good news! 

Tesorion CSIRT helps victims of Nemty Ransomware

Tesorion CSIRT: +31 88 27 47 800
E-mail: [email protected]

Description >>

[Didi 0]

OMG!!! REALLY?! WOW! Thank you so much!!! I'll check them out now!!!!

[Amigo-A 40]

Yes. This seems to be true, they thoroughly studied the encryption process, identified errors and offer each victim free help.

[Didi 0]

That's amazing!!! I'm so excited! Thank you for letting me know. I've emailed them.

I tried both methods for Windows Firewall and nothing worked.

This is what Powershell reported when I ran the command: An error occurred while attempting to contact the  Windows Defender Firewall service. Make sure that the service is running and try your request again.

Are there any other methods you could please suggest?

[GT500 589]

7 hours ago, Didi said:

This is what Powershell reported when I ran the command: An error occurred while attempting to contact the  Windows Defender Firewall service. Make sure that the service is running and try your request again.

Are there any other methods you could please suggest?

Restart your computer, then run another scan with FRST and attach the logs to a reply. I want to see if the Event Logs show any indication as to why the firewall service isn't starting.

[Didi 0]

@GT500 Sorry for my late reply.

I've attached the FRST and Addition logs.

Thank you again for your help!

FRST.txt Addition.txt

[GT500 589]

Remove KMS and any pirated software, then run the DSIM /CheckHealth and DSIM /ScanHealth commands and the SFC SCANNOW command, make sure the computer is restarted if any repairs were made, and then if the firewall still isn't running try the Microsoft firewall repairs again.

Note: KMS is known to install malware on computers, and it is rather common for victims of the STOP/Djvu ransomware to have been compromised shortly after installing KMS.

[Amigo-A 40]

Didi

Quote

C:\Users\ibhad\Downloads\_Getintopc.com_KMSAuto_Net_Office_2007.rar

This file is in the Downloads and in the Recycle Bin - C:\$Recycle.Bin\***.
You need to remove it physically and empty the Trash (Recycle Bin). 

[Didi 0]

@GT500 and @Amigo-A, thank you for the insights.

I'll report back as soon as I do as instructed.

[Didi 0]

@GT500 and @Amigo-A, I ran the commands but they made no difference. I still get an error message when I access Windows Defender Firewall (shown in the screenshot).

Also, I've been unable to decrypt my files using the Tesorion decryptor (v2.0.7228.29806). Everything starts off fine when I upload the ransom note but once I upload a file, it always fails to be decrypted. Is there way I could get help with getting my files back?

Download Image

[Didi 0]

I just tried decrypting a file again and the decryptor failed (shown in the screenshot)
Download Image