On December 2, 2019, ASEC Analysis Team spotted that new NEMTY ransomware 2.2 version updated from v2.0 are distributed in Korea. All the characteristics of the new version including distribution method disguising as ‘resume’ or’ notice on illegal breach of e-commerce act’, excluded countries, infection target, excluded file and folder.
[Name of distributed files]
- \강주경\이력서\포트폴리오.hwp.exe (translated: \Kang Ju-kyung\Resume\Portfolio.hwp.exe)
- \강주경\이력서\이력서.hwp.exe (translated: \Kang Ju-kyung\Resume\Resume.hwp.exe)
- \이시우\___\___.hwp.exe (translated: \Lee Si-woo\___\___.hwp.exe)
- \장민우\___\___.hwp.exe (translated: \Jang Min-woo\___\___.hwp.exe)
The difference from the previous version is that the name of mutext has changed.
- NEMTY 2.0 mutex name: just_a_game
- NEMTY 2.2 mutex name: just_a_little_game
The changed ransom note is as the figure below:
Figure 1. NEMTY 2.2 REVENGE ransom note
NEMTY ransomware has already been updated twice this year. Yet, the distribution method is same, it is hard to anticipate how it will transform in future so users should be vigilant about the ransomware. Since ransomware is constantly updated and distribute in Korea, users must be cautious with opening emails and executing attachments.
V3 products detect the ransomware under the following aliases:
[File Detection]
Trojan/Win32.MalPe (2019.12.02.04)
[Memory Detection]
Win-Trojan/MalPeP.mexp
[Behavior Detection]
Malware/MDP.SystemManipulation.M1751
Categories:Malware Information