What is NEMTY virus?
NEMTY modifies your files by means of AES encrypting them and demanding the ransom to be paid allegedly to restore access to them. Used e-mails: firstname.lastname@example.org and email@example.com as a channel for contacting the ransomware authors.
NEMTY virus modifies all popular file types by means of adding the .NEMTY_XXXXXXX extension, thus making the data absolutely unavailable. The victims simply cannot open their important documents anymore. The ransomware also assigns its unique identification key, just like all previous representatives of the virus family. As soon the file is encrypted by the ransomware, it obtains a special new extension becoming the secondary one. The file virus also generates a ransom note NEMTY_XXXXXXX-DECRYPT.txt providing the users want instructions allegedly to restore the data.
Nemty Threat Summary
|Emailsfirstname.lastname@example.org and email@example.com|
|Detection||Trojan.Win32.Makoob.a, Trojanpws.Kpot, Win32/Kryptik.GZOV|
|Short Description||The ransomware modifies the documents on the attacked device through encryption and asks for the ransom to be paid by the victim supposedly to restore them.|
|Symptoms||The file virus encrypts the data by adding the NEMTY extension, also generating the one-of-a-kind identifier.|
|Distribution Method||Spam, Email attachments, Compromised legitimate downloads, Attacks exploiting weak or stolen RDP credentials1.|
|Fix Tool||See If Your System Has Been Affected by .nemty file virus|
What Is It and How Did I Get It?
The Nemty ransomware is most commonly spread by means of a payload dropper. It runs the malicious script that eventually installs the file virus. The threat circulates actively on the web, considering the facts about the ransomware mentioned in the VirusTotal database. The Nemty ransomware may also promote its payload files through popular social networks and via file-sharing platforms. Alternatively, some free applications hosted on many popular resources may also be disguised as helpful tools, whereas they instead may lead to the malicious scripts that injected the ransomware. Your personal caution to prevent the Nemty virus attack matters a lot!
Nemty File Virus is a infection that encrypts your data and presents a frustrating ransomware notice. Below is the screenshot depicting the ransomware note:
Quotation of the scary message
---=== NEMTY PROJECT ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension .NEMTY_XXXXXXXX By the way, everything is possible to restore, but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] It's just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. It's not in our interests. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/pay When you open our website, upload this note, follow the instructions and you will get your files back. NEMTY DECRYPTION KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
List of countries in NEMTY PROJECT ransomware’s whitelist:
Execute this commands:
cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded cmd.exe /c taskkill /f /im sql.* cmd.exe /c taskkill /f /im winword.* cmd.exe /c taskkill /f /im wordpad.* cmd.exe /c taskkill /f /im outlook.* cmd.exe /c taskkill /f /im thunderbird.* cmd.exe /c taskkill /f /im oracle.* cmd.exe /c taskkill /f /im excel.* cmd.exe /c taskkill /f /im onenote.* cmd.exe /c taskkill /f /im virtualboxvm.*
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded taskkill /f /im sql.* C:\Windows\System32\cmd.exe /c taskkill /f /im sql.* taskkill /f /im winword.* C:\Windows\System32\cmd.exe /c taskkill /f /im winword.* taskkill /f /im wordpad.* C:\Windows\System32\cmd.exe /c taskkill /f /im wordpad.* C:\Windows\System32\cmd.exe /c taskkill /f /im outlook.* taskkill /f /im outlook.* taskkill /f /im thunderbird.* C:\Windows\System32\cmd.exe /c taskkill /f /im thunderbird.* C:\Windows\System32\cmd.exe /c taskkill /f /im oracle.* taskkill /f /im oracle.* C:\Windows\System32\cmd.exe /c taskkill /f /im excel.* taskkill /f /im excel.*
The image below gives a clear vision of how the files with NEMTY extension look like:
NEMTY PROJECT screenshot of delivering a ransom-demand message:
Remove Nemty Virus
Reasons why I would recommend GridinSoft2
There is no better way to recognize, remove and prevent ransomware than to use an anti-malware software from GridinSoft3.
Download GridinSoft Anti-Malware.
You can download GridinSoft Anti-Malware by clicking the button below:
Run the setup file.
When setup file has finished downloading, double-click on the install-antimalware-fix.exe file to install GridinSoft Anti-Malware on your PC.
An User Account Control asking you about to allow GridinSoft Anti-Malware to make changes to your device. So, you should click “Yes” to continue with the installation.
Press “Install” button.
Once installed, Anti-Malware will automatically run.
Wait for the Anti-Malware scan to complete.
GridinSoft Anti-Malware will automatically start scanning your computer for Nemty infections and other malicious programs. This process can take a 20-30 minutes, so I suggest you periodically check on the status of the scan process.
Click on “Clean Now”.
When the scan has completed, you will see the list of infections that GridinSoft Anti-Malware has detected. To remove them click on the “Clean Now” button in right corner.
How to decrypt .nemty files?
Jan 02, 2020 – Update to the #Nemty #Ransomware decryptor for Nemty versions 2.2 & 2.3
For using Nemty Decryptor, please read the instructions on the Usage tab, it explains what files you can upload:
Hi, and thank you for using our Nemty decryptor! You will have to go through a few steps to decrypt your files. 1. First please upload the ransom note from your encrypted system using File/Open. This file is named: “NEMTY-DECRYPT.txt” or “_NEMTY_#######_-DECRYPT.txt” and can be found in every folder with encrypted files. 2a. Optional step, depending on the result of step 1. Please upload a single encrypted file from your system using File/Open. The file may be in one of the formats below: a. .docx b. .pdf c. .png d. .pptx e. .xlsx f. .zip 2b. Please wait for the decryption server to finish processing your file. This may take several minutes or up to half an hour, depending on how busy the decryption server is. After this step, this application should be able to decrypt your files. 3. Lastly, please select a folder to decrypt (default is the path of the selected file), using 'Select'. After selecting this folder press 'Decrypt' to start the decryption, it will try to decrypt all files in that folder, as well as in any folders below it. This may take a (very) long time. For now; please select ‘File/Open...’ or 'Start' to start the first step.
What the next?
If the guide doesn’t help you to remove Nemty infection, please download the GridinSoft Anti-Malware that I recommended. Also, you can always ask me in the comments for getting help. Good luck!
User Review( votes)
- How To Change Remote Desktop (RDP) Port: https://howtofix.guide/change-remote-desktop-port-on-windows-10/
- GridinSoft Anti-Malware Review from HowToFix site: https://howtofix.guide/gridinsoft-anti-malware/
- More information about GridinSoft products: http://gridinsoft.com/products/
- Tesorion site: https://www.tesorion.nl/