Didi

Nemty Ransomware

By Didi, in Help, my files are encrypted!

Recommended Posts

Didi    0

Didi
Posted

Hello,

On Tuesday 27th August, I was downloading some iMazing torrents in order to transfer photos from iPhone to my laptop (Windows 10). After some time, I saw that all my files (except for music files),  on my laptop and my external hard drive, had gone blank and had this extra extension attached: _NEMTY_VOv3Zme_ . I also got a ransom message as well that said that I would have to pay a cryptocurrency fee which is equal to $1000.

I downloaded some ransomware programs to get rid of the malware and searched for the malware in my registry. It seems that I’ve been able to remove the ransomware but my files have been encrypted and it seems that the ransomware has affected my Windows Defender, as it refuses to go on.

I ask if anyone can please help me find out how to decrypt my files and let me know if they have any information. I’d be so so grateful.

 

Share this post

Link to post
Share on other sites

Kevin Zoll    306

Kevin Zoll
Posted

That is the dangers of downloading pirated software.

Let's make sure of what we're dealing with. The following site is quite good at identification, and will also offer advice on who, if anyone, might have a decrypter available, even if it is not us. We contribute to the site as well.

Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note for proper identification, and share with me the web address of the results page: https://id-ransomware.malwarehunterteam.com/ 

Please be sure to read the information link on the results page, as to whether we have a decrypter or not, sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery.

Outright cracking secure encryption is currently not possible. The encryption used is the same thing governments use and can take on the order of billions of years (no, I'm not exaggerating) with current technology to completely brute-force decrypt even a single victim's computer. Google searching for "time to decrypt AES-256" is pretty enlightening.

If this is on a server, please make sure RDP (Remote Desktop Protocol) into your server is protected by proper difficult passwords (all of them), that you audit every account on the server and every machine that can access the server, and use firewalling to limit the range of IP addresses that can use RDP into your server. Also make sure it is up to date with all the latest security patches from Microsoft, especially ones such as the EternalBlue exploit patch. Many criminals using ransomware variants these days use RDP exploits to break in physically, so the attacker can turn off any protection that is on the machine prior to encrypting it. There is no protection against that if they are able to get in, so it is very important to secure the server.

Share this post

Link to post
Share on other sites

Didi    0

Didi
Posted

Hello Kevin,

I appreciate your very swift reply; thank you so much. I apologise for my not so quick reply; I've been reading up on this ransomware and what options I have.

Thank you for the information provided. You're right, this is what you get when you download pirated programs. I uploaded the necessary files on the site and I've attached a picture of the results page. It seems that GandCrab v4.0 / v5.0 may help but I'm skeptical seeing as you've said that "outright cracking secure encryption is currently not possible".

Annoyingly, I found that  RDP (Remote Desktop Protocol) was enabled/allowed so I quickly unchecked the "allow" box. I'm currently running SpyHunter4 on my laptop which picked up the cryptowall ransomware (screenshot is attached).

Is there any advice you could please offer me?

ID Ransomware.png
Download Image

CryptoWall Ransomware - SpyHunter 4.png
Download Image

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

Hello @Didi

Ransomware's actors often copies elements from each other to trick ID Ransomware

Attach 2-3 encrypted files and the original ransom note to your message, so that we can verify it individually.

Description of Nemty Ransomware

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

Yes. This is new variant of Nemty Ransomware

They again decided to change the extension, as if there was some reason for this.

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted
6 hours ago, Didi said:

I'm currently running SpyHunter4 on my laptop which picked up the cryptowall ransomware (screenshot is attached).

Is there any advice you could please offer me?

1st step

In this case, the most correct solution would be to remove SpyHunter, because it will not protect your PC and will not return your files. 

Quarantine needs to be exported, if this program allows this action.

"The Moor has done his job, the Moor can go" - (phrase from the classics of literature). 

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

2st step

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

3st step

Later run a scan with Emsisoft Emergency Kit to make sure there's nothing malicious left on the system. 

Do not delete Quarantine if such files will be found.

I or someone from the support service will look at the scan results to exclude the presence of malicious ransomware and others malicious files in the system.

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

Decryption specialists will need time to explore the first and new variants  and find vulnerabilities to make the decryptor.

It is possible that this will not happen soon or will never happen. 

JSWorm - the previous development of the ransomware team, which, despite all their tricks and changes, was studied by decryption specialists and almost all the variants were decrypted. Thank you very much to  @Demonslay335

This does not mean that success will be repeated every time something changes, but I think that we should hope and wait.

Demonslay335 promises good news, but the time is not known in advance.

Share this post

Link to post
Share on other sites

Didi    0

Didi
Posted

Hello @Amigo-A,

Thank you for your swift reply; I really appreciate it. I was about to try all that you’ve mentioned but I had the opportunity to hand over my laptop and my external hard drive to the IT department in my workplace. I’ll wait and see what they say and give all that you’ve mentioned a go.

Although I’m disheartened to hear that something may happen in the long run or not at all, I’m somewhat hopeful about @Demonslay335 finding a solution. 

Share this post

Link to post
Share on other sites

Didi    0

Didi
Posted

As I thought, the IT department was unsuccessful so I’ll be getting my laptop back soon. 

I’ll be running a scan with FRST and the Emisoft Emergency Kit once I receive my laptop and I will post my logs/findings ASAP.

Share this post

Link to post
Share on other sites

GT500    654

GT500
Posted
On 9/7/2019 at 4:47 PM, Didi said:

I've attached a screenshot of the Emisoft Emergency Kit's scan of my system.

The screenshot shows Emsisoft Emergency Kit downloading Emsisoft Anti-Malware. Please note that if you already have Anti-Virus protection, you may want to remove it before installing Emsisoft Anti-Malware.

 

On 9/7/2019 at 4:47 PM, Didi said:

I ran a scan with FRST and the Emisoft Emergency Kit and there was no problem.

FRST isn't going to tell you if it found anything. What it does is save logs which need to be manually analyzed by an expert. If you could attach those logs to a reply, we would be happy yo look over them for you.

Share this post

Link to post
Share on other sites

Didi    0

Didi
Posted (edited)

OK, here are is the log for the Emisoft Emergency kit:

Emsisoft Emergency Kit 2019.6.0.9501 stable [en-us]
OS: Windows 10 (Version 10.0, Build 18362, 64-bit Edition)

Forensics log

    Date    Component    Action    Details    
09/09/2019 01:06:09    Scanner    Scan finished    Scanned 95288 objects and found nothing.        
09/09/2019 00:55:00    User    Update    Downloaded and installed 226 files (96030 kb) (17 min. 4 sec.).        
09/09/2019 00:39:12    User IBHADE\ibhad    Scan started    Malware Scan        
09/09/2019 00:37:57    Core    Notification    "Recommended Reading:To pay or not to pay ransomware: A cost-benefit analysis of paying the ransom".        
 

Log for FRST:

FRST.txt

Edited by GT500
Moved FRST log into attachment.

Share this post

Link to post
Share on other sites

GT500    654

GT500
Posted

@Didi Please download the following fixlist.txt file and save it to the Desktop:

https://www.gt500.org/emsisoft/fixlist/2019-09September-13/Didi/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

  1. Run the FRST download from earlier, and press the Fix button just once and wait.
  2. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that let the tool complete anything it still needs to do.
  3. When finished FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.

Share this post

Link to post
Share on other sites

GT500    654

GT500
Posted

I can't be certain if it will help in this case, however Microsoft has a fix for some Windows Firewall issues at the following link:
https://support.microsoft.com/en-us/help/17613/automatically-diagnose-and-fix-problems-with-windows-firewall

If that doesn't help, then please try the following:

  1. Right-click on the Start button.
  2. Select Windows PowerShell (Admin) from the menu.
  3. PowerShell will take a minute to fully load, so wait until it says "PS C:\WINDOWS\system32>" before you proceed.
  4. Type cmd.exe into PowerShell, and then press Enter on your keyboard.
  5. Copy the command from the following box, paste it into PowerShell, and then press Enter again: 
netsh advfirewall reset

After the command is done running, please be sure to restart your computer by right-clicking on the Start button, going to Shut down or sign out, and selecting Restart from that menu.

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

Yes. This seems to be true, they thoroughly studied the encryption process, identified errors and offer each victim free help.

Share this post

Link to post
Share on other sites

Didi    0

Didi
Posted

That's amazing!!! I'm so excited! Thank you for letting me know. I've emailed them.

I tried both methods for Windows Firewall and nothing worked.

This is what Powershell reported when I ran the command: An error occurred while attempting to contact the  Windows Defender Firewall service. Make sure that the service is running and try your request again.

Are there any other methods you could please suggest?

Share this post

Link to post
Share on other sites

GT500    654

GT500
Posted
7 hours ago, Didi said:

This is what Powershell reported when I ran the command: An error occurred while attempting to contact the  Windows Defender Firewall service. Make sure that the service is running and try your request again.

Are there any other methods you could please suggest?

Restart your computer, then run another scan with FRST and attach the logs to a reply. I want to see if the Event Logs show any indication as to why the firewall service isn't starting.

Share this post

Link to post
Share on other sites

GT500    654

GT500
Posted

Remove KMS and any pirated software, then run the DSIM /CheckHealth and DSIM /ScanHealth commands and the SFC SCANNOW command, make sure the computer is restarted if any repairs were made, and then if the firewall still isn't running try the Microsoft firewall repairs again.

Note: KMS is known to install malware on computers, and it is rather common for victims of the STOP/Djvu ransomware to have been compromised shortly after installing KMS.

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

Didi

Quote

C:\Users\ibhad\Downloads\_Getintopc.com_KMSAuto_Net_Office_2007.rar

This file is in the Downloads and in the Recycle Bin - C:\$Recycle.Bin\***.
You need to remove it physically and empty the Trash (Recycle Bin). 

Share this post

Link to post
Share on other sites

Didi    0

Didi
Posted

@GT500 and @Amigo-A, I ran the commands but they made no difference. I still get an error message when I access Windows Defender Firewall (shown in the screenshot).

Also, I've been unable to decrypt my files using the Tesorion decryptor (v2.0.7228.29806). Everything starts off fine when I upload the ransom note but once I upload a file, it always fails to be decrypted. Is there way I could get help with getting my files back?

image.png
Download Image

Share this post

Link to post
Share on other sites

GT500    654

GT500
Posted
22 hours ago, Didi said:

@GT500 and @Amigo-A, I ran the commands but they made no difference. I still get an error message when I access Windows Defender Firewall (shown in the screenshot).

You've done just about everything I can think of to repair the Windows Firewall. The only other thing I can think of is Windows Repair (All In One), however it does have a ton of extra fixes that aren't going to be necessary, and it does like to add a startup item so that it can display an icon in your System Tray/Notification Area. There's also a good possibility that it may not work either.

If that doesn't fix it either, then it's possible that someone at BleepingComputer may know how to fix this. There's also Tech Support Forum and the StackExchange tech sites, and some pretty good experts hang around both of those websites and answer questions.

 

22 hours ago, Didi said:

Also, I've been unable to decrypt my files using the Tesorion decryptor (v2.0.7228.29806). Everything starts off fine when I upload the ransom note but once I upload a file, it always fails to be decrypted. Is there way I could get help with getting my files back?

I'll ask one of our ransomware analysts and see what they say about this.

Share this post

Link to post
Share on other sites

Didi    0

Didi
Posted

@GT500 Thank you so much for your help with both issues.

OK, I'l get in touch with people form all sites to see if they have any solutions.

I also look forward to hearing what the ransomware analysts have to say.

Share this post

Link to post
Share on other sites

GT500    654

GT500
Posted

It looks like there's nothing we can do about Nemty at the moment. We understand the technical details about how the encryption works, and in theory we know how to make a decrypter, but we don't know for certain if we could do any better than Tesorion because we can't analyze their decrypter.

Our best guess right now is that the file you're trying to decrypt is a type of file that Tesorion's decryption service isn't familiar with, and thus it can't verify if it was able to decrypt the file properly. If there's a way to contact them about it, then that might be the best course of action, as only they know for certain how their decryption service works.

Share this post

Link to post
Share on other sites

Didi    0

Didi
Posted

@GT500 Thanks for you comment. I've gotten in touch with Tesorion via email but haven't heard from them since and I really need their help to get my files back.

@Amigo-A Oh gosh! That's awful! I wish something could be done to elimate ransomware from the web.

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted
Quote

I wish something could be done to elimate ransomware from the web.

Unfortunately, this human factor is a consequence of social and economical inequality and ineradicable.

Share this post

Link to post
Share on other sites

Amigo-A    63

Amigo-A
Posted

Elementary, if you use a Tesorion decryptor, then you should contact Tesorion for help. 

Did you contact Tesorion before requesting here or after that event? 

 

Share this post

Link to post
Share on other sites

wergo    0

wergo
Posted

Amigo-A: Yes, of course. They won't deal with our business, according to automatic reply:

Quote

 

If you are contacting us regarding Nemty, all information can be found here:

https://www.nomoreransom.org/en/decryption-tools.html#Nemty

https://www.tesorion.nl/tesorion-associate-partner-of-nomoreransom-project/

https://www.tesorion.nl/bug-in-nemty-corrupting-the-encryption-of-large-files/

Please note that we are currently unavailable to handle individual requests.

 

And there is no usable help...

Didi: Thanks for your reply!

Share this post

Link to post
Share on other sites

GT500    654

GT500
Posted
8 hours ago, wergo said:

Amigo-A: Yes, of course. They won't deal with our business, according to automatic reply:

...

And there is no usable help...

It's unfortunate that they won't provide support for their decrypter. It makes it seem too much like they did it only for the publicity.

Share this post

Link to post
Share on other sites

GT500    654

GT500
Posted

Amigo-A posted a link to this in another topic:
https://www.tesorion.nl/nemty-2-2-and-2-3-analysis-of-their-cryptography-and-a-decryptor-for-some-file-types/

Apparently Tesorion was was still working on their decrypter, and just not providing support for the existing one. I don't know if their updated decerypter will help either of you, but it might be worth a shot just to see.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go To Topic Listing

  • Recently Browsing   0 members

    No registered users viewing this page.