Fake PayPal App Site Infects Victims with Nemty Ransomware

• Actors are creating convincing PayPal websites and promise spending returns between 3% and 5%.
• The executable that is downloaded by the victims is not the PayPal app but a variant of the Nemty ransomware.
• Those who step in the trap will be asked for a ransom of $1000 in Bitcoin unless they come from Russia-speaking countries.

As reported by BleepingComputer, security researcher “nao_sec” discovered a malicious website that is distributing samples of a new variant of the Nemty ransomware. The actors are using the PayPal app as bait, luring unsuspecting victims to download it from their channel and win up to 5% of what they spend in returns. The website was made to look exactly like the official PayPal portal, so visitors who won’t notice the URL will be tricked into thinking that they have landed on a legitimate channel of software distribution.

Paypal Fake Site -> #NEMTY Ransomware
(CC: @malware_traffic, @jeromesegura, @VK_Intel, @BleepinComputer)https://t.co/YC7pVMSFwm pic.twitter.com/yzakaFEzi0

— nao_sec (@nao_sec) September 7, 2019

The malicious file that is offered for download is named “cashback.exe”, and most browsers will warn the user that the file they’re trying to download looks nasty. If the user answers that they trust the source in the prompt, they will get a copy of the Nemty ransomware on their system. According to VirusTotal data, the malicious executable is missed by 32 out of the 68 antivirus engines tested, so the chances of Nemty nesting in the host system and encrypting all files is just below 50% if the victim is using an AV solution in the first place.

The Nemty variant that is used in this campaign is version number 1.4, and the amount of money that is demanded by the actors is the equivalent of $1000 in Bitcoin. This is the standard amount that we have seen criminals who use Nemty ask, while the payment period that is given to the victims is 48 hours, also a standard one. The countries that are excluded from the infection activity are Belarus, Russia, Kazakhstan, Ukraine, and Tajikistan. If you live in one of those countries, or your system language is set to the corresponding languages, you’re safe from this campaign but don’t expect a 5% return on your spending nonetheless.

Source: Vitali Kremez | Twitter

If you were infected by a Nemty variant, you would notice that all your files got the “.nemty” extension. If that is the case, don’t pay the actors as you won’t have any guarantee that you will get your files back. SpyHunter 5, Malwarebytes, and Reimage are all capable of removing all traces of Nemty from your system, so make sure to wipe it before you start restoring from backups. Nemty is very persistent, and if you don't remove all of its components your files will get re-encrypted. If you are looking to get the official PayPal app, you can only find it on “paypal.com” or on the official app stores of your platform.

Are you using the PayPal app, or do you just head to the website for everything? Let us know in the comments down below, or on our socials, on Facebook and Twitter.