    Nemty Ransomware: Learning by Doing

    Brief summary

    On 20 August 2019, McAfee’s Advanced Threat Research (ATR) team discovered a new ransomware family called Nemty.

    This is a time when ransomware developers face many challenges, from the considerable work of the security community to protect against their malware, to initiatives such as the No More Ransom project, which offers some victims a way to decrypt their files. Moreover, the underground criminal community around such ransomware developers can be highly critical and may prefer not to buy ransomware that has not been professionally made.

    After one of these developers, known as jsworm, announced Nemty on underground forums, we noticed that the ransomware was not well received by some users in the criminal community. In some threads on the forum, jsworm was blamed for technical decisions about the ransomware’s features, as well as for the encryption mechanism used.

    Jsworm responded to all comments, adding evidence that the criticisms were wrong and pointing to the value of the new versions. They also fixed some serious bugs found by forum users:

    A forum user pointed out the function Nemty uses to detect duplicate extensions on a system, which the author had to rewrite:

    Despite the shortcomings of their ransomware, Nemty’s developers remain on the underground forum, where they publish new samples and infect users through their affiliate program.

    Telemetry

    Thanks to our telemetry, we have seen Nemty activity in these locations:

    FIGURE 1. Telemetry map

    Technical analysis of Nemty

    Nemty operates under the Ransomware-as-a-Service (RaaS) model. We have seen it delivered through:

    • The RIG exploit kit, in September 2019
    • Fake PayPal sites
    • RDP attacks carried out by affiliates in their campaigns
    • Botnet: distributed via the Phorpiex botnet in November 2019
    • Loader: SmokeBot

    FIGURE 2. Ransom note

    When the first release was announced, Nemty’s developers offered two types of collaboration: affiliation or private partnership. We found two aliases advertising Nemty, one of which is jsworm, who is very active on the forums and announces all news and updates.

    This is the deployment plan for the Nemty crew:

    We have seen Nemty’s developers adopt certain features from other, older ransomware families, such as the now-defunct GandCrab. One example is the reuse in its code of a URL that leads to an image with Russian text and a picture of the Russian president, as GandCrab had in its code.

    FIGURE 3. URL hard-coded in the Nemty ransomware pointing to the same image as GandCrab

    Nemty’s authors have released several versions of their ransomware. In this research article we describe how the first version works, as well as the most important changes added in later versions.

    Hash (SHA-256): 505c0ca5ad0552cce9e047c27120c681ddce127d13afa8a8ad96761b2487191b

    Compile time: 2019-08-20 19:13:54

    Version: 1.0

    The malware sample is a 32-bit binary. The packer and the malware are written in C/C++, as the author announced on the underground forum.

    The compilation date in the PE header is 20 August 2019.

    FIGURE 4. EXE image information

    Nemty uses RunPE at execution, i.e. it unpacks itself in memory before running.

    Analyzing the sample, we found that the developer added some protections to the code, for example:

    • Decrypting certain information in memory only if the encryption process is working as expected
    • Clearing memory after some operations
    • Moving information between different memory addresses and clearing the previously used memory space

    Ransom note creation

    To create the ransom note, Nemty takes each string and stores it in memory. When the ransomware has all the required strings, it joins them to create the complete ransom note. In this operation, Nemty decrypts line by line, moves the data to a different memory address and clears the previous one, leaving the information only in the new memory space.

    In the first version of Nemty, the encryption method was not applied consistently to all strings, so some strings are visible and hint at certain functions or interesting files.

    FIGURE 5. Nemty’s strings

    Nemty and logical units

    At execution, Nemty checks all logical units available on the system and stores their details in a static list with the following information:

    • Device type
    • Free space

    Using the Windows API function GetDriveTypeA, the ransomware can distinguish between unit types:

    FIGURE 6. Checking the type of logical unit

    To check the free space on the system, Nemty uses GetDiskFreeSpaceExA, again through the Windows API:

    FIGURE 7. Checking free disk space

    Extraction of the victim’s public IP address

    Since the first version, Nemty has implemented functionality to extract the victim’s public IP address. The information is obtained through a request to the IPIFY service at http://api.ipify.org. Such services are often used by RaaS to determine where the victim was infected.

    FIGURE 8. Nemty obtaining the public IP address

    The User-Agent in some versions of Nemty was the string Chrome. The User-Agent is hard-coded as a single string in the ransomware instead of being a genuine User-Agent.

    FIGURE 9. Obtaining the IP address of the victim’s machine

    The IPIFY service is used to obtain the victim’s public IP address, and with the extracted data Nemty makes another connection to http://api.db-api.com/v2/free/countryName, using the previously obtained data as an argument. The IP address and the extracted country data are later used in preparing the ransom note.

    FIGURE 10. Retrieving the country name based on the IP address

    Victim information extraction

    Nemty extracts the following information from the victim:

    • Username
      • Using the Windows API function GetUserNameA
    • Computer name
      • Using the Windows API function GetComputerNameA
    • Hardware profile
      • Using the Windows API function GetCurrentHwProfileA

    With this data, the authors ensure that each infected victim is unique, which helps the RaaS operators count how many victims they have infected themselves or through their affiliates.

    FIGURE 11. Obtaining the username, computer name and hardware profile of the victim’s machine

    Nemty 1.0, incorrect implementation of country protection

    RaaS families generally apply some protection to avoid infecting certain geographic regions. In the first version, Nemty still had this feature under development: our analysis showed that the ransomware did not check whether the victim belonged to one of the blacklisted countries. When analyzing ransomware, it is very common to find features that are still under development and will be included in future releases.

    If the detected country is on the blacklist, Nemty returns the string true and saves it in the configuration file. If the country is not found, the field value is false.

    FIGURE 12. Checking the country name and returning the string true or false

    Nemty encryption keys

    Immediately after this check, Nemty decodes the key value from base64 and stores it at a memory address for later use. At the same time, it prepares a random string with a fixed size of 7 characters and uses it with the string _NEMTY_ to create the ransom note with the specific extension used for encrypted files. In this process, Nemty creates an RSA key pair, one public and one private.

    FIGURE 13. Export of public and private RSA keys

    As part of this operation, Nemty encodes these keys in base64:

    FIGURE 14. Encoding of the generated RSA keys

    After this encoding, Nemty decodes the victim’s RSA public key again and imports it for later use.

    FIGURE 15. Decoding the RSA public key for later use

    The same operation is repeated, this time with the RSA public key of the ransomware developers.

    Nemty encryption key

    During the encryption process, Nemty builds its configuration file with all the data collected from the user, all in memory. The configuration file is a structured JSON file with all the collected data and the previously generated AES key. The same key is used for all files, but Nemty uses a different IV for each file.

    Nemty configuration file:

    An example of the information collected by Nemty that is later used in the configuration file is shown below:

    Here is an example of Nemty’s configuration file:

    FIGURE 16. Nemty configuration file

    The fields of the configuration file:

    The configuration file is saved to disk encrypted with an 8192-bit RSA public key and encoded in base64.

    FIGURE 17. Encrypting the configuration file and encoding it in base64

    Nemty retrieves the logged-in user’s folder through SHGetFolderPathW and saves the configuration file, encrypted, in that folder with the .nemty extension.

    FIGURE 18. Retrieving the user’s root folder

    FIGURE 19. Creating the configuration file on disk

    Nemty encryption threads

    For encryption, Nemty creates a new thread for each logical unit found on the system.

    The method used to encrypt files is similar to that of other RaaS families, with all files enumerated using the FindFirstFileW and FindNextFileW functions. Nemty avoids encrypting folders with the following names:

    The encryption process also skips files with the following names:

    FIGURE 20. Checking folder and file names against the blacklist

    This check is performed with the case-insensitive function lstrcmpiW. When Nemty encrypts a file, it tries two combinations, one in lowercase and one in uppercase.

    Checked extensions:

    FIGURE 21. Checking file extensions

    When these checks pass, Nemty creates a random IV and encrypts part of the file with the previously generated AES key. Next, the IV is encrypted with the victim’s public key and appended to the encrypted file.

    FIGURE 22. Writing the encrypted file and adding the IV to it

    Nemty places the information needed to decrypt the file in the encrypted part, then adds the .nemty extension and moves on to the next folder or file.

    FIGURE 23. Renaming the new file with the Nemty extension

    Once the encryption process is complete, Nemty uses the WaitForSingleObjects function and waits for any pending threads. It also downloads the Tor Browser and opens a connection on the loopback with the configuration file.

    As a final action, Nemty executes the command prompt with the hard-coded string cmd.exe and opens the ransom note.

    FIGURE 24. Opening the ransom note

    The style of the ransom note changed across the versions released by Nemty’s developers.

    FIGURE 25. Different ransom notes between versions

    On the left is version 1.4 of Nemty; on the right, the ransom note belongs to version 1.0 of Nemty.

    Like other ransomware families, Nemty performs these actions:

    • Deletes shadow copies with vssadmin
    • Disables boot protections with bcdedit and wbadmin
    • Deletes the Windows catalog with WMIC using the shadowcopy class

    All these calls are made with the ShellExecuteA function, with the string cmd.exe as the main program and the rest as arguments.

    FIGURE 26. Deleting shadow volumes, disabling boot protections and deleting the catalog

    Mutex

    Nemty creates a specific mutex on the system each time it infects a machine:

    The ransomware checks for the existence of the mutex with the GetLastError function.

    FIGURE 27. Creating a hard-coded mutex

    If the system has already been infected by Nemty and the mutex exists, the ransomware terminates with the ExitThread function. This call ends the malware’s main thread, finishing execution and returning control to the operating system.

    The ExitProcess function is often used to avoid simple API monitoring.

    Nemty uses RC4 to encrypt its strings, which are base64-decoded and decrypted at runtime and then used in the ransom note.

    FIGURE 28. Calculating the memory size for base64 decoding

    The RC4 key used in Nemty 1.0 is f*ckav. Other malware families also often use offensive names or phrases about the security industry in their implementations.

    For decoding, the developers implemented a function that reserves the needed space with malloc and then decodes the string in memory. If the ransomware cannot obtain the size or the decoding fails, ExitThread terminates execution.

    FIGURE 29. Data decryption with RC4
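
    An analyst-side sketch of the string scheme described above (base64 decoding followed by RC4), added here as an example and not taken from the original article or from the sample. It scans a binary blob for base64 runs and keeps those that decrypt to printable text; the key, the blob and the function names are constructed for the demonstration, and the real key would be supplied by the analyst.

```python
import base64
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# ASCII runs that could be base64: at least 8 alphabet characters plus padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def is_text(buf: bytes) -> bool:
    """True when every byte is printable ASCII or common whitespace."""
    return len(buf) >= 4 and all(0x20 <= c < 0x7F or c in b"\r\n\t" for c in buf)


def recover_strings(blob: bytes, key: bytes):
    """Return (offset, plaintext) for each base64 run that decrypts to text."""
    found = []
    for match in B64_RUN.finditer(blob):
        token = match.group()
        if len(token) % 4:                     # cannot be complete base64
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:                     # malformed padding or alphabet
            continue
        plain = rc4(key, raw)
        if is_text(plain):                     # wrong key or unrelated data fails here
            found.append((match.start(), plain.decode("ascii")))
    return found


# --- constructed demonstration data (not bytes from a real sample) ---
DEMO_KEY = b"constructed-demo-key"             # placeholder, not the sample's key


def _pack(text: bytes) -> bytes:
    """Build one protected string the way the article describes: RC4, then base64."""
    return base64.b64encode(rc4(DEMO_KEY, text))


DEMO_BLOB = (
    b"MZ\x90\x00\x03"
    + b"GetDriveTypeA\x00"                     # plain import name, must be ignored
    + _pack(b"constructed ransom note line") + b"\x00\xff"
    + _pack(b"constructed.file.extension") + b"\x00"
)

if __name__ == "__main__":
    for offset, text in recover_strings(DEMO_BLOB, DEMO_KEY):
        print(f"0x{offset:04x}  {text}")
```

    The printable-text filter is what separates protected strings from ordinary identifiers in the binary, so the same scan can be repeated with each candidate key found during analysis.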

    Nemty – Learning by doing

    Since the release of the first version of Nemty, the authors have kept developing their ransomware, adding new features and fixing some aspects of its code.

    Looking at the early versions of Nemty, we can say that they were more advanced in technology and obfuscation than other RaaS families, but the first version still contained functions with some bugs, such as references to API calls that were not used by the ransomware.

    At the time of writing this article, the developers behind the ransomware have released 9 different versions:

    Changelog for Nemty 1.4

    We have seen changes across the different versions of Nemty. For version 1.4, the developers made the following changes:

    • The ransomware collects information about the logical units after checking whether the victim has the Nemty mutex.
    • Language check
      • In this version, Nemty respects and avoids encrypting files for victims in CIS countries.

    FIGURE 30. Check to avoid encryption if the language is blacklisted

    Changes in version 1.5

    Compared with Nemty 1.4, this new version is a major release, with the following changes added:

    • Victim information stored in the registry
    • Persistence
    • Ability to kill processes and services
    • New mutex
    • Hard-coded image change
    • C2 panel publicly accessible
    • 4 new blacklisted countries

    Victim information stored in the registry

    The first major change in this version of Nemty was the use of the Windows registry to store information about the infected machine. The hive used is HKCU, with NEMTY as the identifier.

    FIGURE 31. Information stored in the registry

    Ability to kill processes and services

    The second feature added is the ability to kill certain processes to make file encryption on the system easier, something commonly implemented by other RaaS families.

    To kill these processes, Nemty uses taskkill /im PROCESSNAME.

    FIGURE 32. Killing processes

    In addition to killing certain processes, Nemty stops certain services on the system for the same purpose:

    To stop the services, Nemty uses net stop and the name of the service.

    FIGURE 33. Stopping services on the victim’s machine

    Persistence

    Early versions of Nemty had no persistence technique, so the author decided to add one in version 1.5. Persistence is implemented through a scheduled task created with /sc onlogon. The binary is copied to the user’s home directory under the hard-coded name AdobeUpdate.exe (it can be changed for any released binary) and the task is launched with ShellExecute.

    FIGURE 34. Creating a scheduled task for persistence

    Hard-coded image change

    As for the image hard-coded in the first versions, Nemty’s author decided to change it in this version and add a new one.

    FIGURE 35. New image referenced in the malware

    C2 panel publicly accessible

    The author decided to replace Tor with a public C2 panel, to which Nemty sends the victim’s data.

    https://nemty.hk/public/gate?data=

    4 new blacklisted countries

    For this version, the author added four new countries to the blacklist:

    Changes in version 1.6

    Compared with the previous version, Nemty 1.6 contains only one change: the author used their own implementation of the AES algorithm instead of CryptoAPI.

    Previously the malware generated its random key based on time functions, but in version 1.6 it mostly used a different value to generate the random key.

    FIGURE 36. Changes to the key generation function

    One of the partners of the No More Ransom project, Tesorion, released a free decryptor for Nemty’s victims. After the announcement, Nemty’s authors released a new version that uses a proper AES function with CryptoAPI.

    FIGURE 37. New implementation of AES encryption with CryptoAPI

    In this cat-and-mouse game, Tesorion also released a new decryptor for this specific version. Nemty’s authors reacted by inserting a hard-coded message for Tesorion in the samples:

    Tesorion Tesorion, thanks for the article.

    Second version 1.6

    Instead of changing Nemty’s version number in this new binary, the authors released a new version 1.6 with some changes.

    Changes added in this version:

    • New vssadmin utility used
    • New processes and services to kill
    • FakeNet feature

    This new version was released only 2 days after the release of version 1.6, which means that the actor is quite actively involved in the development of this ransomware.

    New vssadmin utility used

    The first change in this version is the way the logical units are enumerated. The author of Nemty used the vssadmin utility and also reduced the capacity of shadow volumes to 401 MB. This change probably helped the ransomware in terms of performance.

    FIGURE 38. Resizing shadow volumes on the target logical unit

    The idea behind this change was to stay stealthier against endpoint security products, instead of simply deleting shadow copies and making queries via WMI, BCEDIT, etc. The author changed the approach to use vssadmin with the delete flag.
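
    The command-line behaviour described for versions 1.0 to 1.6 (shadow copy deletion and resizing, boot and backup tampering, taskkill, net stop, the onlogon scheduled task) can be hunted in process-creation logs. The following is an added example, not code from the original article: the log format, host names, rule names, weights and sample events are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# (rule name, weight, pattern). Recovery-inhibition commands weigh more than
# taskkill / net stop, which administrators also run. Weights are example values.
RULES = [
    ("shadow_delete",   3, r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
    ("shadow_resize",   3, r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b"),
    ("wmic_shadowcopy", 3, r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("boot_recovery",   3, r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled|bootstatuspolicy)\b"),
    ("backup_catalog",  3, r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b"),
    ("task_onlogon",    2, r"\bschtasks(\.exe)?\b.*/create\b.*/sc\s+onlogon\b"),
    ("proc_kill",       1, r"\btaskkill(\.exe)?\b.*/im\b"),
    ("svc_stop",        1, r"\bnet1?(\.exe)?\s+stop\b"),
]
COMPILED = [(name, weight, re.compile(rx, re.I)) for name, weight, rx in RULES]


def parse(line):
    """Split one 'timestamp | host | parent image | command line' record."""
    ts, host, image, cmdline = [part.strip() for part in line.split("|", 3)]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), host, image, cmdline


def hunt(lines, window=timedelta(minutes=5), threshold=4):
    """Score each host by the distinct rules that fire inside one time window."""
    hits = {}
    for line in lines:
        ts, host, _image, cmdline = parse(line)
        for name, weight, rx in COMPILED:
            if rx.search(cmdline):
                hits.setdefault(host, []).append((ts, name, weight))

    alerts = {}
    for host, events in hits.items():
        events.sort()
        best = {}
        for i, (start, _name, _weight) in enumerate(events):
            seen = {}
            for ts, name, weight in events[i:]:
                if ts - start > window:
                    break
                seen[name] = weight            # each rule counts once per window
            if sum(seen.values()) > sum(best.values()):
                best = seen
        if sum(best.values()) >= threshold:
            alerts[host] = {"score": sum(best.values()), "rules": sorted(best)}
    return alerts


# Constructed sample events (not taken from a real incident or from the sample).
SAMPLE_EVENTS = [line for line in r"""
2019-11-02T09:00:00 | SRV02 | powershell.exe | net stop Spooler
2019-11-02T09:00:30 | SRV02 | powershell.exe | net start Spooler
2019-11-02T10:15:01 | WS01 | cmd.exe | cmd.exe /c taskkill /f /im example_db.exe
2019-11-02T10:15:02 | WS01 | cmd.exe | cmd.exe /c net stop ExampleBackupSvc
2019-11-02T10:15:04 | WS01 | cmd.exe | cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete
2019-11-02T10:15:09 | WS01 | cmd.exe | cmd.exe /c schtasks /create /sc onlogon /tn ExampleTask /tr C:\Users\alice\AdobeUpdate.exe
2019-11-02T11:00:00 | WS07 | cmd.exe | vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
2019-11-02T12:30:00 | WS07 | cmd.exe | taskkill /im notepad.exe
""".splitlines() if line.strip()]

if __name__ == "__main__":
    for host, info in hunt(SAMPLE_EVENTS).items():
        print(host, info["score"], ", ".join(info["rules"]))
```

    Requiring several distinct rules inside a short window keeps a lone net stop or taskkill from raising an alert, while the burst of recovery tampering on one host does.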

    New processes and services to kill

    The authors of Nemty added new processes to kill in order to make encryption easier:

    In addition to the new processes, the author also included new services:

    FakeNet feature

    For this version, the authors of Nemty decided to add an interesting feature. The ransomware already implemented a function to obtain the victim’s public IP address. If Nemty cannot connect to obtain the external IP address, the ransomware adds fake data in order to continue the encryption process. The fake data is:

    FIGURE 39. Nemty using a fake IP address and country name when it cannot connect to the URL to get the WAN IP

    This feature exposes users in the protected countries, because the system is encrypted even if the user belongs to one of the countries on the static blacklist.

    Version 2.0

    In this version, the developers decided to remove a number of functions and add a new encryption method:

    • The FakeNet feature was removed, and Nemty used only the old mechanism to check the victim’s region.
    • An initial function prepares a container for the RC4 algorithm, named rc4, and derives a key from a hard-coded string (this can change in other samples), sosorin :). This key is used to decrypt part of the ransom note and certain strings. This replaces the authors’ own RC4 implementation with the RC4 algorithm from CryptoAPI.
    • A new generation of RSA key containers, improving the key generation process.
    • The ransom note text contained NEMTY REVENGE instead of NEMTY PROJECT and added the sentence: You can’t trust anyone. Even your dog.

    FIGURE 40. Nemty ransom note

    Version 2.2

    For this version, Nemty’s developers made only two minor changes:

    • A change to the name of the mutex
    • A new ransom note:

    FIGURE 41. Example of the new ransom note

    Version 2.3

    In this version we found important changes compared with the previous version:

    • New mutex value
    • The service used to obtain the public IP address was changed from https://api.ipify.org to https://www.myexternalip.com/raw.
      • If the lookup fails, the external address changes from NONE to NOT_DEFINED.
    • The Windows XP check was misleading in earlier versions and now consists of a single specific check.
    • The configuration fields have been changed: some fields have been removed and new fields have been added.
      • This is an example of the new configuration file:

    {

    Phyllid: NEMTY_E1EIVPU,

    configurable: mArJi2x3q3yFrbvL8EYkKKezDeGgPgWeOG,

    compid: {a3cande1-f85f-1341-769f-806d6172f54544},

    ip: NO,

    Earth: {Error code: INVALID_ADDRESS , Error: Invalid address , Version : 2.3 , Computer_Name : USERPC , username : User, Bones: Windows XP , pr_key :. Training: {\an5}[{\an5}] [{\an5}] [{\an5}] FIXED , drive_letter : C : /, Total size: 9GB , used_size :9GB },{ Drive_Type : NETWORK , Letter_of_conduct : E : /, Total size: 9GB, used_size: 9GB.}

    • The User-Agent was changed to a new one, Naruto Uzumake.
    • Concatenation of different taskkill commands through ShellExecuteA; this version of Nemty kills many new processes

    FIGURE 42. Killing processes

    • For this version, the authors added execution of a PowerShell command line through ShellExecuteA:

    FIGURE 43. Executing the PowerShell command

    • This version adds a new subkey to the Run registry key in the HKEY_CURRENT_USER hive, named daite drobovik:

    FIGURE 44. Creating persistence

    • The ransom note was changed again for this version:

    FIGURE 45. Example of the ransom note in version 2.3
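
    The network behaviour described across the versions (a public-IP lookup with a hard-coded User-Agent, the follow-up country lookup, and the public C2 gate introduced in version 1.5) lends itself to a proxy-log hunt. This is an added example, not code from the original article: the record layout, client addresses, finding names and sample records are constructed, and the hosts and User-Agent strings are the ones quoted in the text.

```python
import re
from urllib.parse import urlsplit

# Hosts, paths and User-Agent strings as written in the article.
IP_LOOKUP = {("api.ipify.org", ""), ("www.myexternalip.com", "/raw")}
GEO_HOST = "api.db-api.com"
C2_GATE = ("nemty.hk", "/public/gate")
HARDCODED_UAS = {"Chrome", "Naruto Uzumake"}

# Genuine browser User-Agents carry product/version tokens such as "Mozilla/5.0".
PRODUCT_TOKEN = re.compile(r"[A-Za-z]+/\d")


def classify(url):
    """Map a URL to one of the request types described in the article."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/")
    if (host, path) in IP_LOOKUP:
        return "ip_lookup"
    if host == GEO_HOST and path.startswith("/v2/free") and path.endswith("countryName"):
        return "geo_lookup"
    if (host, path) == C2_GATE and parts.query.startswith("data="):
        return "c2_gate"
    return None


def hunt(records, max_gap=60):
    """records: (epoch_seconds, client, url, user_agent) tuples in time order."""
    findings = []
    last_lookup = {}
    for ts, client, url, user_agent in records:
        kind = classify(url)
        if kind == "ip_lookup":
            last_lookup[client] = ts
            # A lookup on its own is common; the bare User-Agent is the signal.
            if user_agent in HARDCODED_UAS or not PRODUCT_TOKEN.search(user_agent):
                findings.append((client, "ip_lookup_with_bare_user_agent"))
        elif kind == "geo_lookup":
            # Country lookup shortly after an IP lookup from the same client.
            if ts - last_lookup.get(client, float("-inf")) <= max_gap:
                findings.append((client, "ip_lookup_then_country_lookup"))
        elif kind == "c2_gate":
            findings.append((client, "request_to_c2_gate"))
    return findings


# Constructed sample records; addresses come from documentation ranges.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36")
SAMPLE_RECORDS = [
    (1000, "10.0.0.9", "https://api.ipify.org/?format=json", BROWSER_UA),
    (1200, "10.0.0.5", "http://api.ipify.org", "Chrome"),
    (1202, "10.0.0.5", "http://api.db-api.com/v2/free/203.0.113.7/countryName", "Chrome"),
    (1260, "10.0.0.5", "https://nemty.hk/public/gate?data=CONSTRUCTED", "Chrome"),
    (1300, "10.0.0.7", "https://www.myexternalip.com/raw", "Naruto Uzumake"),
    (5000, "10.0.0.9", "http://api.db-api.com/v2/free/198.51.100.4/countryName", BROWSER_UA),
]

if __name__ == "__main__":
    for client, finding in hunt(SAMPLE_RECORDS):
        print(client, finding)
```

    Full URLs for the HTTPS requests are only visible where the proxy inspects TLS; without that, the host name alone is available and the path checks would be dropped.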

    Version 2.4

    This version was a minor release, like Nemty 2.2. In our analysis we found changes only in the ransom note:

    FIGURE 46. Example of the ransom note in version 2.4

    Version 2.5

    This is the latest version of Nemty we have found. It is a minor release, and we noticed only two changes:

    • New mutex value
    • A new ransom note:

    FIGURE 47. Example of the ransom note in version 2.5

    Relationship between JSWORM and Nemty

    Our Advanced Threat Research (ATR) team followed the activity of the user jsworm on the underground forums and discovered another piece of their ransomware, called JSWORM ransomware. Below is an announcement they made on the same forum where they introduced Nemty:

    FIGURE 48. JSWORM ransomware and Nemty announcement

    We analyzed all available samples of JSWORM and Nemty and found no connection between them in the code base, but it is clear that both pieces of ransomware belong to the same alias.

    Hash                                     Family   Compilation timestamp
    0b33471bd9fbf08983eff34ee4ddc9           Nemty    2019-08-29 08:31:32
    0e0b7b238a06a2a37a4de06a5ab5e615         Nemty    2019-08-19 04:34:25
    27699778d2d27872f99ee491460485aaa.       JSWORM   1992-06-19 22:22:17
    31adc85947ddef5ce19c401d040aee82         JSWORM   2019-07-19 05:21:52
    348c3597c7d31c72ea723d5f7082ff87         Nemty    2019-08-25 11:58:28
    37aaba6b18c9c 150dae4f1d37d              Nemty    2019-08-20 19:13:54
    4ca39c0aeb0daeb1be36173fa7c2a25e         Nemty    2019-08-13 14:46:54
    5126b88347c24245a9b141f76552064e         Nemty    2019-08-21 16:16:54
    5cc1bf6122d38de907d558d558ec6851377c     Nemty    2019-08-21 14:27:55
    74701302d6cb1e2f3874817ac499b84a         JSWORM   2019-07-10 08:44:29
    7def79329823f3c81a6d27d2c92460ef         JSWORM   2019-07-09 18:54:23
    dcec4fed3b60705eafdc5cbff4062375         Nemty    2019-08-21 19:25:16
    and9e1a5fc0f0a29b97eb99542d1f297a        JSWORM   2019-07-09 20:25:14
    f270805668e8aecf13d27c09055bad5d         Nemty    2019-08-21 18:42:10
    f796af497399c256129f2ce61eb8855b         JSWORM   2019-07-19 05:24:00
    fbf7ba464d564dbf42699c34b239b73a         JSWORM   1992-06-19 22:22:17
    0f3deda483df5e5f8043ea20297d243b         Nemty    2018-12-04 11:00:39

    Some of the published samples contain custom packers, so the compilation timestamp is not accurate in those cases.

    Based on the binaries found, we can see that Nemty’s activity started some time after the JSWORM ransomware disappeared. This could indicate that the threat actor jsworm was developing both pieces of ransomware at the same time.

    Free decryptor available through No More Ransom

    One of the partners of No More Ransom was able to release a working version of a Nemty decryptor. Anyone affected by this ransomware can contact them through No More Ransom to get the decryptor.

    Nemty publishes its customers’ data

    In our analysis of Nemty ransomware, we found a new trend in the way the criminals handle their victims’ data.

    In this case, as with other ransomware families such as Maze, Nemty has its own website where customer data is published.

    Image source: computer on standby

    Conclusion

    Despite the number of RaaS families that appeared this year, Nemty is another one to watch and follow. Since we started monitoring this ransomware, the criminals behind it have released several new versions with bug fixes and improvements. Such activity suggests that ransomware authors are under pressure from researchers and security organisations, and in Nemty’s case even from the underground criminal community, which was itself quick to criticise some of its functions and implementations.

    Tesorion, now a partner of No More Ransom, has released a working decryptor for Nemty, and we now expect the author to change the ransomware again to continue their activities. The last action we saw from this group was the website shown above, which was used to leak customer data.

    MITRE ATT&CK

    The sample uses the following MITRE ATT&CK™ techniques:

    Technique ID   Technique description
    T1124          System Time Discovery
    T1083          File and Directory Discovery
    T1012          Query Registry
    T1057          Process Discovery
    T1047          Windows Management Instrumentation
    T1035          Service Execution
    T1215          Kernel Modules and Extensions
    T1179          Hooking
    T1112          Modify Registry
    T1107          File Deletion
    T1089          Disabling Security Tools
    T1055          Process Injection
    T1132          Data Encoding

    Coverage


    Indicators of compromise

