Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet

Nguyen Hoang Giang, Senior Threat Analysis Engineer


Eduardo Altares, Senior Threat Analysis Engineer



The Nemty ransomware (Ransom.Nemty), initially detected in August 2019, has increased its reach by partnering up with the Trik botnet (Trojan.Wortrik), which now delivers Nemty to compromised computers.
Trik, also known as Phorpiex, has been around for approximately 10 years. In its early days, the malware self-propagated via removable USB drives, Windows Live Messenger, or Skype private messages. The criminals behind the botnet use the infected computers to send email spam and have been observed pushing out a wide range of malware families, with Nemty being the latest to join the list.
Nemty, meanwhile, first appeared on the scene in mid-August 2019. While the malware first appeared to be a run-of-the-mill ransomware, a constant series of changes to the threat made it apparent that it was very much a work in progress and something to be taken seriously.
In the past, Nemty has been observed being spread via the RIG exploit kit, as well as via malicious spam campaigns targeting users in Korea and China, where the malware is attached inside an archive.




Figure 1. Fake résumé-themed Korean malicious spam containing Nemty in the attachment
Our data shows that most Nemty infections are found in Korea and China.


Figure 2. Nemty infections by country
In early October, we noticed that Trik had begun distributing Nemty as a payload, adding another channel for the ransomware’s delivery.
How Trik spreads Nemty using the SMB protocol
We observed a recent version of Trik delivering a tiny component that uses the Server Message Block (SMB) ..