NEMTY virus (.NEMTY files) – How to FIX & DECRYPT data with Nemty decryptor?

NEMTY virus modifies all popular file types by means of adding the NEMTY_XXXXXXX extension, thus making the data absolutely unavailable.
Written by Brendan Smith

What is the NEMTY virus?

NEMTY encrypts your files with AES and demands a ransom, allegedly to restore access to them. The e-mail address elzmflqxj@tutanota.de is used as the channel for contacting the ransomware authors.

NEMTY virus modifies all popular file types by adding the .NEMTY_XXXXXXX extension, making the data completely unavailable. The victims simply cannot open their important documents anymore. The ransomware also assigns its own unique identification key, just like all previous members of the virus family. As soon as a file is encrypted by the ransomware, it receives a new extension that is appended after the original one. The file virus also generates a ransom note, NEMTY_XXXXXXX-DECRYPT.txt, containing the instructions the victim is supposed to follow to restore the data.

Nemty Threat Summary

Name: Nemty virus
Extension: .NEMTY_XXXXXXX
Type: Ransomware
Ransom note: NEMTY_XXXXXXX-DECRYPT.txt
Emails: elzmflqxj@tutanota.de
Detection: Trojan.Win32.Makoob.a, Trojanpws.Kpot, Win32/Kryptik.GZOV
Short Description: The ransomware encrypts the documents on the attacked device and asks the victim to pay a ransom, supposedly to restore them.
Symptoms: The file virus encrypts the data, adding the NEMTY extension and generating a one-of-a-kind identifier.
Distribution Method: Spam, email attachments, compromised legitimate downloads, attacks exploiting weak or stolen RDP credentials [1].
Fix Tool: See if your system has been affected by the .nemty file virus

NEMTY Ransomware

What Is It and How Did I Get It?

The Nemty ransomware is most commonly spread by means of a payload dropper, which runs a malicious script that eventually installs the file virus. Judging by the samples recorded in the VirusTotal database, the threat circulates actively on the web. The Nemty ransomware may also push its payload files through popular social networks and file-sharing platforms. Alternatively, free applications hosted on many popular sites may be disguised as helpful tools while actually leading to the malicious scripts that inject the ransomware. Your personal caution matters a lot in preventing a Nemty virus attack!

Nemty File Virus is an infection that encrypts your data and presents a frustrating ransom notice. Below is a screenshot of the ransom note:

NEMTY DECRYPT.txt

Quotation of the scary message

---=== NEMTY PROJECT ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension .NEMTY_XXXXXXXX
By the way, everything is possible to restore, but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
It's just a business. We absolutely do not care about you and your deals, except getting benefits.
If we do not do our work and liabilities - nobody will not cooperate with us.
It's not in our interests.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.
In practise - time is much more valuable than money.
[+] How to get access on website? [+]
  1) Download and install TOR browser from this site: https://torproject.org/
  2) Open our website: zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/pay
When you open our website, upload this note, follow the instructions and you will get your files back.
NEMTY DECRYPTION KEY:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

URLs contacted by the ransomware:

  • api.db-ip.com/v2/free/54.39.189.18/countryName
  • www.myexternalip.com
  • ghs.googlehosted.com

List of countries in NEMTY PROJECT ransomware’s whitelist:

  • Armenia
  • Azerbaijan
  • Belarus
  • Kazakhstan
  • Kyrgyzstan
  • Moldova
  • Russia
  • Tajikistan
  • Ukraine

Commands it executes:

cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
cmd.exe /c taskkill /f /im sql.*
cmd.exe /c taskkill /f /im winword.*
cmd.exe /c taskkill /f /im wordpad.*
cmd.exe /c taskkill /f /im outlook.*
cmd.exe /c taskkill /f /im thunderbird.*
cmd.exe /c taskkill /f /im oracle.*
cmd.exe /c taskkill /f /im excel.*
cmd.exe /c taskkill /f /im onenote.*
cmd.exe /c taskkill /f /im virtualboxvm.*

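The command list above is what a defender can key on: resizing shadow storage down to 401MB and then back to unbounded purges the Volume Shadow Copies that could otherwise be used for recovery, and the forced kills release file locks held by office, mail and database applications before encryption starts. The following detector is an added example, not code from the original article or from any vendor it mentions. It runs over constructed process-creation events (the host names and lines are made up here) and flags a host that both shrinks shadow storage and force-kills one of the listed applications.

```python
import re
from collections import defaultdict

# Constructed sample of process-creation events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("host-a", r"C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ("host-a", r"C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"),
    ("host-a", "cmd.exe /c taskkill /f /im sql.*"),
    ("host-a", "cmd.exe /c taskkill /f /im outlook.*"),
    ("host-b", "vssadmin list shadows"),        # benign admin query
    ("host-b", "taskkill /f /im notepad.exe"),   # not a data application
]

# Applications the article lists as kill targets (image name without extension).
TARGET_IMAGES = {"sql", "winword", "wordpad", "outlook", "thunderbird",
                 "oracle", "excel", "onenote", "virtualboxvm"}

SHADOW_RESIZE = re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize=(\S+)", re.I)
TASKKILL_IMAGE = re.compile(r"taskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I)
FORCE_FLAG = re.compile(r"\s/f\b", re.I)


def classify(cmdline):
    """Return indicator tags for one command line; [] means nothing suspicious."""
    tags = []
    m = SHADOW_RESIZE.search(cmdline)
    if m:
        size = m.group(1).lower()
        tags.append("shadowstorage_unbounded" if size == "unbounded" else "shadowstorage_shrink")
    m = TASKKILL_IMAGE.search(cmdline)
    if m and FORCE_FLAG.search(cmdline):
        image = m.group(1).lower().split(".", 1)[0]   # "sql.*" -> "sql"
        if image in TARGET_IMAGES:
            tags.append("taskkill_data_app:" + image)
    return tags


def flag_hosts(events):
    """Aggregate tags per host and flag hosts that both shrink shadow storage and
    force-kill at least one data application: the pre-encryption sequence shown above."""
    per_host = defaultdict(set)
    for host, cmdline in events:
        per_host[host].update(classify(cmdline))
    flagged = {}
    for host, tags in per_host.items():
        killed = sorted(t.split(":", 1)[1] for t in tags if t.startswith("taskkill_data_app:"))
        if "shadowstorage_shrink" in tags and killed:
            flagged[host] = killed
    return flagged


if __name__ == "__main__":
    for host, apps in flag_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: shadow storage resized and force-killed {', '.join(apps)}")
```

A single shadow-storage resize by an administrator does not trip the rule; it is the combination with forced kills of data applications on the same host that matches the ransomware's behaviour.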

The image below shows what files with the NEMTY extension look like:

nemty files

Screenshot of the NEMTY PROJECT ransom-demand message:

nemty decryptor

Remove Nemty Virus

Reasons why I would recommend GridinSoft [2]

There is no better way to recognize, remove and prevent ransomware than to use anti-malware software from GridinSoft [3].

Download GridinSoft Anti-Malware.

You can download GridinSoft Anti-Malware by clicking the button below:

Run the setup file.

When the setup file has finished downloading, double-click the install-antimalware-fix.exe file to install GridinSoft Anti-Malware on your PC.

Run Setup.exe

A User Account Control prompt will ask you to allow GridinSoft Anti-Malware to make changes to your device. Click "Yes" to continue with the installation.

GridinSoft Anti-Malware Setup

Press the "Install" button.

GridinSoft Anti-Malware Install

Once installed, Anti-Malware will automatically run.

GridinSoft Anti-Malware Splash-Screen

Wait for the Anti-Malware scan to complete.

GridinSoft Anti-Malware will automatically start scanning your computer for Nemty infections and other malicious programs. This process can take 20-30 minutes, so I suggest you periodically check on the status of the scan.

GridinSoft Anti-Malware Scanning

Click on “Clean Now”.

When the scan has completed, you will see the list of infections that GridinSoft Anti-Malware has detected. To remove them, click the "Clean Now" button in the right corner.

GridinSoft Anti-Malware Scan Result

How to decrypt .nemty files?

Jan 02, 2020 – Update to the #Nemty #Ransomware decryptor for Nemty versions 2.2 & 2.3

If you were hit by the Nemty virus, you can download and use the Nemty Decryptor released by Tesorion [4].

Before using the Nemty Decryptor, please read the instructions on its Usage tab, which explain what files you can upload:

Hi, and thank you for using our Nemty decryptor! 
You will have to go through a few steps to decrypt your files. 

1.	First please upload the ransom note from your encrypted system using File/Open. 
	This file is named: “NEMTY-DECRYPT.txt” or “_NEMTY_#######_-DECRYPT.txt” and
	can be found in every folder with encrypted files.

2a.	Optional step, depending on the result of step 1.
	Please upload a single encrypted file from your system using File/Open. 
	The file may be in one of the formats below: 
		a.	.docx
		b.	.pdf
		c.	.png
		d.	.pptx
		e.	.xlsx
		f.	.zip

2b.	Please wait for the decryption server to finish processing your file. 
	This may take several minutes or up to half an hour, depending on how busy the decryption server is.
	After this step, this application should be able to decrypt your files.

3.	Lastly, please select a folder to decrypt (default is the path of the selected file), using 'Select'. 
	After selecting this folder press 'Decrypt' to start the decryption, 
	it will try to decrypt all files in that folder, as well as in any folders below it.
	This may take a (very) long time.

For now, please select 'File/Open...' or 'Start' to start the first step.

What next?

If the guide doesn't help you remove the Nemty infection, please download the GridinSoft Anti-Malware that I recommended. You can also always ask me for help in the comments. Good luck!


References

  1. How To Change Remote Desktop (RDP) Port: https://howtofix.guide/change-remote-desktop-port-on-windows-10/
  2. GridinSoft Anti-Malware Review from HowToFix site: https://howtofix.guide/gridinsoft-anti-malware/
  3. More information about GridinSoft products: http://gridinsoft.com/products/
  4. Tesorion site: https://www.tesorion.nl/

About the author

Brendan Smith

Journalist, researcher, web content developer, grant proposal editor. Efficient and proficient on multiple platforms and in diverse media. Computer technology and security are my specialties.
