Nemty ransomware uses ‘overkill’ encryption to hack infected systems

19 Sep 2019

Image: © zefart/

Security researchers at Fortinet have stumbled across a new breed of ransomware that may be related to infamous GandCrab and Sodinokibi strains.

FortiGuard Labs has discovered a new strain of ransomware entitled Nemty, which uses a unique mechanism with what researchers are calling “overkill” levels of encryption to breach infected systems.

The ransomware, which the team came across while investigating the Sodinokibi ransomware family, first came from a Pastebin link shared by a bot Twitter account purporting to lead to Sodinokibi and Buran malware families.

However, when the team collected, expecting to tag Sodinokibi samples, they discovered the Nemty variant while running automation to extract binaries.

The team found that the new Nemty ransomware has a link embedded in its binary to a statement also used in the GandCrab ransomware before the cybercriminals behind it announced their retirement. Prior to the ransomware’s retirement, it was responsible for as much as 40pc of all ransomware infections globally.

“The similarities end there, however, so it is hard to say early on if there is any real relation to the two. But the inclusion of this artefact, combined with the fact that it is being distributed by the same group as Sodinokibi, which many see as the reincarnation of GandCrab, makes us curious,” the team said.

Sodinokibi has been referred to by some as the “crown prince” of ransomware. First appearing in early 2019, the strain quickly rose to prominence due to its alleged ties to GandCrab, as well as due to the variety of tactics it employs to infect targets ranging from exploiting zero-day vulnerabilities to injecting ransomware payloads into antivirus processes.

Researchers have yet to provide evidence of solid ties between Nemty, Sodinokibi and GandCrab, but the initially discovered structural similarities have begun to raise questions, with some wondering whether this could be the latest offering of cybercriminals participating in ransomware-as-a-service (RaaS) schemes.

‘Not practically possible’ to decrypt

The research team at Fortinet noted that Nemty’s use of RSA encryption with 8192 bits of key size is highly unusual, amounting to “overkill”. “This may be the first time that we have seen a ransom malware use such strong encryption algorithm,” the researchers explained.

“Using the longer key size adds a large overhead due to significantly longer key generation and encryption times.”

Fortinet notes that due to this unusual quirk of Nemty’s programme, file decryption is “not practically possible” without the threat actor’s RSA Private Key. This could potentially make it impossible for a cybersecurity firm to recover files lost to ransomware infections unless the victim pays the ransom. As of time of writing, the cost for decryption for victims is $1,000 in Bitcoin.

The research team also noted that there is a lot of evidence of errors, which may indicate the ransomware is still in its early stage of development.

Eva Short was a journalist at Silicon Republic