
Nemty Ransomware 1.0: A Threat in its Early Stage

  • September 18, 2019

Jasper_The_Rasper
Moderator
By Joie Salvio | September 17, 2019

FortiGuard Labs was investigating the Sodinokibi ransomware family, when we came across the newly discovered Nemty Ransomware. Interestingly, as we analyzed this new malware, we also encountered an artifact embedded in its binary that we were very much familiar with since it was also used by the GandCrab ransomware before the threat actors’ announced retirement. It is also interesting to see that the Nemty ransomware is being distributed using the same method as Sodinokibi, a malware that has strong similarities to GandCrab.

This report discusses the technical aspects of the new ransomware, including some irregularities that make us think that it is still in its early stage of development.

Discovery


The first sample that we were able to analyze came from a link that was shared by the @BotySrt Twitter bot account, which posts Pastebin links leading to the Sodinokibi and Buran malware families.

Figure 1. Link that was supposed to lead to a Sodinokibi payload

The links lead to PowerShell scripts that execute embedded malware payloads using reflective PE injection. We collected the links that were tagged as Sodinokibi, expecting to extract samples of that ransomware. However, as we were running our automation to extract the embedded binaries, we found an unsupported file, and as we investigated further, we discovered it was the new Nemty ransomware instead.
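The extraction step described above, as an added example (this is not FortiGuard's tooling and not code from the original article): loaders of this kind carry the binary as a base64 string that is decoded and then reflectively loaded, so an extractor only needs to find the long base64 literals, decode them, and check for a PE header. A blob that decodes but is not a PE is reported as "unsupported" rather than silently dropped, which is how an unexpected payload surfaces. The sample loader text, the fake PE buffer, and the non-PE blob are all constructed here; the `Invoke-ReflectivePEInjection` line is modelled on the PowerSploit cmdlet of that name and is an assumption about the loader's shape, not a quote from a real sample.

```python
"""Find, decode and classify base64-embedded payloads in a PowerShell loader.

Added example, not the tooling used by the article's authors.
"""
import base64
import binascii
import hashlib
import re
import struct

# Long quoted base64 literals are the payload candidates. Assumption: the
# loader stores the blob as one quoted string; callers should join any
# multi-line string concatenation before scanning.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{64,}={0,2})["\']')


def is_pe(blob: bytes) -> bool:
    """True if blob has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_payloads(script: str) -> list:
    """Decode every long base64 literal in `script` and classify each one.

    Returns one dict per decoded blob with its offset in the script, size,
    SHA-256 and kind ("pe" or "unsupported"). Literals that are not valid
    base64 (bad length or padding) are skipped.
    """
    found = []
    for m in B64_LITERAL.finditer(script):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            continue  # matched the alphabet but is not decodable base64
        found.append({
            "offset": m.start(1),
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "kind": "pe" if is_pe(blob) else "unsupported",
        })
    return found


def _fake_pe(size: int = 256) -> bytes:
    """Constructed stand-in for an embedded executable: MZ stub + PE signature."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> offset 0x80
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


SAMPLE_PE_B64 = base64.b64encode(_fake_pe()).decode()
# Constructed non-PE blob (an ELF-like header) to show the "unsupported" path.
SAMPLE_OTHER_B64 = base64.b64encode(b"\x7fELF" + b"\x00" * 100).decode()

# Constructed loader text (not a real sample); the cmdlet name follows
# PowerSploit's Invoke-ReflectivePEInjection as an assumption.
SAMPLE_SCRIPT = f'''
$PEBytes = [System.Convert]::FromBase64String("{SAMPLE_PE_B64}")
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcId (Get-Process -Name explorer).Id
$Other = [System.Convert]::FromBase64String("{SAMPLE_OTHER_B64}")
'''

if __name__ == "__main__":
    for p in extract_payloads(SAMPLE_SCRIPT):
        print(f'{p["kind"]:12} {p["size"]:6d} bytes  sha256={p["sha256"][:16]}...')
```

Run against a real loader, anything reported as `unsupported` deserves a manual look: in the case the article describes, that is where a new family showed up.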

Full Article.