NEMTY REVENUE 3.1 – How to remove & fix computer?

NEMTY virus modifies all popular file types by means of adding the NEMTY_XXXXXXX extension, thus making the data absolutely unavailable.
NEMTY virus modifies all popular file types by means of adding the NEMTY_XXXXXXX extension, thus making the data absolutely unavailable.
Written by Brendan Smith

What is NEMTY REVENUE 3.1?

NEMTY modifies your files by means of AES encrypting them and demanding the ransom to be paid allegedly to restore access to them.

NEMTY REVENUE 3.1 virus modifies all popular file types by means of adding the .NEMTY_XXXXXXX extension, thus making the data absolutely unavailable. The victims simply cannot open their important documents anymore. The ransomware also assigns its unique identification key, just like all previous representatives of the virus family. As soon the file is encrypted by the ransomware, it obtains a special new extension becoming the secondary one. The file virus also generates a ransom note NEMTY_XXXXXXX-DECRYPT.txt providing the users want instructions allegedly to restore the data.

Nemty Threat Summary

NameNemty virus
RisksNemty ransomware operators publish data stolen from the victims and
DetectionTroj/Nemty-A, Ransom:Win32/Nemty.ARJ!MTB, Ransom.Nemty, Trojan.Ransom.Nemty
Short DescriptionThe ransomware modifies the documents on the attacked device through encryption and asks for the ransom to be paid by the victim supposedly to restore them.
SymptomsThe file virus encrypts the data by adding the NEMTY extension, also generating the one-of-a-kind identifier.
Distribution MethodSpam, Email attachments, Compromised legitimate downloads, Attacks exploiting weak or stolen RDP credentials1.
Fix ToolSee If Your System Has Been Affected by .nemty file virus
Nemty 3.1

Nemty 3.1


What Is It and How Did I Get It?

The Nemty ransomware is most commonly spread by means of a payload dropper. It runs the malicious script that eventually installs the file virus. The threat circulates actively on the web, considering the facts about the ransomware mentioned in the VirusTotal database. The Nemty ransomware may also promote its payload files through popular social networks and via file-sharing platforms. Alternatively, some free applications hosted on many popular resources may also be disguised as helpful tools, whereas they instead may lead to the malicious scripts that injected the ransomware. Your personal caution to prevent the Nemty virus attack matters a lot!

Nemty File Virus is a infection that encrypts your data and presents a frustrating ransomware notice. Below is the screenshot depicting the ransomware note:


NEMETY Revenue 3.1 - Ransom Files

NEMETY Revenue 3.1 – Ransom Files

Quotation of the scary message


Some (or maybe all) of your files got encrypted.
We provide a decryption tool if you pay a ransom.

Don’t worry, if we can’t help you with decrypting – other people won’t trust us.
We provide test decryption, as proof that we can decrypt your data.

You have 3 month to pay (after visiting the ransom page) until decryption key will be deleted from server.
After 3 month no one, even our service can’t make decryptor.

1) Web-Browser
a) Open your browser.
b) Open this link:
c) Upload this file.
d) Follow the instructions.

2) Tor-Browser
a) Download&Install Tor-Browser.
b) Open Tor-Browser.
c) Open this link: http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php
d) Upload this file.
e) Follow the instruction.
What’s happen?
Files are encrypted. Only our service can provide full decryption!

We are providing 1 test decrypt, to prove that we can recover your files.
Click “Test Decrypt” at the menu on the top of this page to decrypt 1 file for free.

Attention! We are decrypting only image files for free, as they don’t have any significant value to you. Don’t try to cheat us.

To recover your files, you must pay the fee.
Your current fee: 750$ (price is changing every hour)

You must hurry up because your 50% discount will expire after the counter in the footer of this page will reach zero. If you fail to pay until that time, the fee will be doubled, so if it was 750$ it will become 1500$.

To pay the fee you must buy Bitcoin, and send exactly 0.09602912 BTC to this address: 3EKmodX3aehnS4YRE8QoqSZ1ftYU3avo89

To see how to buy the bitcoins, click “Buy BTC” at the tab menu on top of the page.

Received: 0BTC

Used URL:


List of countries in NEMTY PROJECT ransomware's whitelist:

  • Armenia
  • Azerbaijan
  • Belarus
  • Kazakhstan
  • Kyrgyzstan
  • Moldova
  • Russia
  • Tajikistan
  • Ukraine

Execute this commands:

cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
cmd.exe /c taskkill /f /im sql.*
cmd.exe /c taskkill /f /im winword.*
cmd.exe /c taskkill /f /im wordpad.*
cmd.exe /c taskkill /f /im outlook.*
cmd.exe /c taskkill /f /im thunderbird.*
cmd.exe /c taskkill /f /im oracle.*
cmd.exe /c taskkill /f /im excel.*
cmd.exe /c taskkill /f /im onenote.*
cmd.exe /c taskkill /f /im virtualboxvm.*

Kill processes:

vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
taskkill /f /im sql.*
C:\Windows\System32\cmd.exe /c taskkill /f /im sql.*
taskkill /f /im winword.*
C:\Windows\System32\cmd.exe /c taskkill /f /im winword.*
taskkill /f /im wordpad.*
C:\Windows\System32\cmd.exe /c taskkill /f /im wordpad.*
C:\Windows\System32\cmd.exe /c taskkill /f /im outlook.*
taskkill /f /im outlook.*
taskkill /f /im thunderbird.*
C:\Windows\System32\cmd.exe /c taskkill /f /im thunderbird.*
C:\Windows\System32\cmd.exe /c taskkill /f /im oracle.*
taskkill /f /im oracle.*
C:\Windows\System32\cmd.exe /c taskkill /f /im excel.*
taskkill /f /im excel.*

The image below gives a clear vision of how the files with NEMTY extension look like:

nemty files

NEMTY PROJECT screenshot of delivering a ransom-demand message:

nemty decryptor


Remove Nemty Virus

Reasons why I would recommend GridinSoft2

The is an excellent way to deal with recognizing and removing threats - using Gridinsoft Anti-Malware. This program will scan your PC, find and neutralize all suspicious processes3.

Download GridinSoft Anti-Malware.

You can download GridinSoft Anti-Malware by clicking the button below:

Run the setup file.

When setup file has finished downloading, double-click on the install-antimalware-fix.exe file to install GridinSoft Anti-Malware on your PC.

Run Setup.exe

An User Account Control asking you about to allow GridinSoft Anti-Malware to make changes to your device. So, you should click “Yes” to continue with the installation.

GridinSoft Anti-Malware Setup

Press "Install" button.

GridinSoft Anti-Malware Install

Once installed, Anti-Malware will automatically run.

GridinSoft Anti-Malware Splash-Screen

Wait for the Anti-Malware scan to complete.

GridinSoft Anti-Malware will automatically start scanning your computer for Nemty infections and other malicious programs. This process can take a 20-30 minutes, so I suggest you periodically check on the status of the scan process.

GridinSoft Anti-Malware Scanning

Click on "Clean Now".

When the scan has completed, you will see the list of infections that GridinSoft Anti-Malware has detected. To remove them click on the “Clean Now” button in right corner.

GridinSoft Anti-Malware Scan Result

How to decrypt .nemty files?

Jan 02, 2020 - Update to the #Nemty #Ransomware decryptor for Nemty versions 2.2 & 2.3

You can download and use Nemty Decryptor that Tesorion4 released if you were hit by Nemty virus.

For using Nemty Decryptor, please read the instructions on the Usage tab, it explains what files you can upload:

Hi, and thank you for using our Nemty decryptor! 
You will have to go through a few steps to decrypt your files. 

1.	First please upload the ransom note from your encrypted system using File/Open. 
	This file is named: “NEMTY-DECRYPT.txt” or “_NEMTY_#######_-DECRYPT.txt” and
	can be found in every folder with encrypted files.

2a.	Optional step, depending on the result of step 1.
	Please upload a single encrypted file from your system using File/Open. 
	The file may be in one of the formats below: 
		a.	.docx
		b.	.pdf
		c.	.png
		d.	.pptx
		e.	.xlsx
		f.	.zip

2b.	Please wait for the decryption server to finish processing your file. 
	This may take several minutes or up to half an hour, depending on how busy the decryption server is.
	After this step, this application should be able to decrypt your files.

3.	Lastly, please select a folder to decrypt (default is the path of the selected file), using 'Select'. 
	After selecting this folder press 'Decrypt' to start the decryption, 
	it will try to decrypt all files in that folder, as well as in any folders below it.
	This may take a (very) long time.

For now;
                please select ‘File/Open...’ or 'Start' to start the first step.

What the next?

If the guide doesn’t help you to remove Nemty infection, please download the GridinSoft Anti-Malware that I recommended. Also, you can always ask me in the comments for getting help. Good luck!

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)


  1. How To Change Remote Desktop (RDP) Port:
  2. GridinSoft Anti-Malware Review from HowToFix site:
  3. More information about GridinSoft products:
  4. Tesorion site:

About the author

Brendan Smith

I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers in navigating the digital landscape.

With a focus on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices allows me to provide practical tips and advice that readers can implement to enhance their online security.

One Response

  1. BRACARA April 18, 2020

Leave a Reply