Nemty Ransomware Closes Down RaaS Operations and Goes Private
- Nemty is closing for the public and goes private to focus resources on the targeting of specific victims.
- This is another RaaS that shuts down operation, and there aren’t many left out there anymore.
- The source code of the strain has also been released to a limited number of people, and potentially spewed “Nefilim”.
Nemty will no longer be offered in the context of a RaaS (Ransomware as a Service) package, as the platform is shutting its doors for the public. The developers behind the nasty strain want to focus on specific targeting instead of receiving cuts from widespread infections, so the project is going private now. Nemty was launched last summer, and it quickly became a popular choice of malicious ransomware actors. In September 2019, Nemty got upgraded to kill system processes and services and act more effectively. In November 2019, the project established ties with Trik Botnet to greatly expand its channels of distribution.
All of this development work and community love resulted in Nemty finding its place among the top most used strains, together with Sodinokibi, Ryuk, and Dharma. Since the buyers of Nemty were free to pick their own method of distribution, infections came from all over the place, through emails, exploit kits, malicious apps, crack file executables, and RDP endpoints. When distributors succeeded in their efforts and received a ransom payment, they got to keep 70% of the amount, while the remaining 30% went to the operators of the RaaS platform. After ten months of making profits this way, Nemty is going private. This leaves a big gap in the RaaS market, and will possibly pass its market share to Revil/Sodinokibi, which is one of the very few RaaS platforms that remain open to anyone.
Nemty was also operating a “leak website,” where it was publishing files stolen from the locked-down computers of victims who refused to pay the ransoms. This website was acting as a lever of pressure, and it has been taken down too now. Additionally, the Nemty source code has been shared with others on the dark web, as the original creator is planning to take a different path. Indeed, a new ransomware called “Nefilim” seems to derive from the Nemty source code, as researchers Vitali Kremez and Michael Gillespie confirmed that they are seeing similarities with Nemty version 2.5.
This move continues the trend that we saw throughout 2019 and Q1 2020, with ransomware infections targeting companies and organizations instead of random people. Focusing on bigger fish is simply way more profitable, have better chances of success, and is still doable thanks to the lack of robust security that characterizes a large number of entities. If an actor can extort millions of USD from a single infection, why go through the trouble of setting up RaaS platforms, providing guidance and technical support to hundreds, and do everything while trying to maintain anonymity? Sure, RaaS isn’t dead yet, but it will surely continue to decline as we move forward.