Nemty ransomware “LOVE_YOU” malspam campaign

Pierluigi Paganini March 02, 2020

Security experts uncovered an ongoing campaign delivering Nemty Ransomware via emails disguised as messages from secret lovers.

Researchers from Malwarebytes and X-Force IRIS have uncovered an ongoing spam campaign distributing the Nemty Ransomware via messages disguised as messages from secret lovers.

The attackers employed messages with several subject lines and attachment filenames composed to appear as sent by lovers, they used statements such as “Don’t tell anyone,” “I love you,” “Letter for you,” “Will be our secret,” and “Can’t forget you.”

The body of all the spam messages only contains the ‘;)' text emoticon.

Nemty Ransomware

All the spam messages used a ZIP archive as attachment with a filename with a specific format (‘LOVE_YOU_######_2020.zip’)

“Attached to each email is a ZIP archive with a name formatted as with only the #s changing,” reads the advisory published by IBM X-Force IRIS.

“The hash of the file contained within each of these archives remains the same and is associated with a highly obfuscated JavaScript file named LOVE_YOU.js,”

The detection rate of the LOVE_YOU Javascript was low when the campaign was spotted, but is rapidly increasing.

The malicious Javascript acts as a dropper for the Nemty ransomware, the final payload is downloaded from a remote server and then it is executed.

In an update provided on February 28, 2020, IBM researchers reported that this campaign appears to have temporarily halted.

Nemty ransomware first appeared on the threat landscape in August 2019, the name of the malware comes after the extension it adds to the encrypted file names. The ransomware deletes shadow copies of encrypted files to make in impossible any recovery procedure.

In October 2019, researchers from the security firm Tesorion developed a decryptor tool that works on Nemty versions 1.4 and 1.6, they also announced a working tool for version 1.5.

In February, Nemty ransomware operators announced that they will set up a website to leak the data stolen for ransomware victims who refused to pay the ransom.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, undersea cables)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment