New ransomware strain uses ‘overkill’ encryption to lock down your PC


A new form of ransomware that has been spotted in the wild uses what researchers call “overkill” levels of encryption to hijack infected systems. 

This week, FortiGuard Labs said the new variant, known as Nemty, was recently shared as a sample by a Twitter bot that posts Pastebin links to malware code.

One of the samples shared by the bot was meant to link to a Sodinokibi ransomware variant, but the source ended up being a new malware family altogether. 

Sodinokibi, also known as Sodin or REvil, is malware in a constant state of evolution and employs tactics ranging from Windows zero-day exploits to compromised remote management software consoles to infect systems.

Because researchers found an operator-held master key that can decrypt any victim's files regardless of the per-victim public and private key pair, it is possible the malware is being offered as ransomware-as-a-service (RaaS). Researchers have previously outlined the similarity between GandCrab and Sodinokibi code.

While a link embedded in the binary of the Nemty sample was also used by GandCrab before that operator's "retirement" (having made their money), and Nemty appears to be distributed through the same channels as Sodinokibi, the researchers say they have yet to prove a solid link between the three families.

It is not known whether Nemty has any ties to these families beyond the shared embedded link and distribution through the Sodinokibi group's channels, but it is possible that this early-stage ransomware is the latest offering of attackers connected to RaaS schemes.

Nemty appears to still be in the development stage. A payment page has been set up in the Tor network and $1000 in Bitcoin (BTC) is requested in return for a decryption key to unlock infected systems. 


There is a function to send encrypted configuration information from a target machine to the ransomware's command-and-control (C2) server, but at the moment the IP address hard-coded for the C2 is a loopback address, so the data never leaves the infected host.

“It is possible that they simply have not configured an operational server to receive the data yet,” the researchers say. 

To obfuscate strings and configuration inside its binary (not to encrypt the victim's files), Nemty uses base64 encoding combined with RC4 encryption. In a snide jab at any researchers reverse-engineering the code, the developers used the phrase "f**kav\x00" (seven bytes, including the trailing NUL) as their RC4 key.
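The decoder an analyst writes for this kind of string obfuscation, as an added example that is not code from the FortiGuard report or from Nemty itself. RC4 is implemented directly so nothing beyond the standard library is needed. The key is a stand-in written in the article's masked form; the sample strings are constructed here, not extracted from a real binary. Because RC4 has no integrity check, a wrong key does not fail, it yields garbage, so the helper also reports whether the result looks like text.

```python
import base64
import binascii

# Stand-in for the key the article reports (masked as in the article).
# Substitute the exact bytes recovered from the sample being analysed.
ASSUMED_KEY = b"f**kav\x00"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling (KSA) then keystream generation (PRGA), XORed
    over data. Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_string(blob: str, key: bytes = ASSUMED_KEY) -> bytes:
    """base64-decode, then RC4-decrypt one obfuscated string."""
    return rc4(key, base64.b64decode(blob, validate=True))


def encode_string(plain: bytes, key: bytes = ASSUMED_KEY) -> str:
    """Inverse of decode_string; used only to build constructed samples."""
    return base64.b64encode(rc4(key, plain)).decode("ascii")


def looks_like_text(data: bytes) -> bool:
    """Cheap plausibility check: RC4 under a wrong key gives random bytes,
    which almost never decode as printable ASCII/UTF-8."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t\x00" for ch in text)


def decode_all(blobs, key: bytes = ASSUMED_KEY) -> dict:
    """Map each blob to (decoded bytes or None, plausibility flag)."""
    results = {}
    for blob in blobs:
        try:
            plain = decode_string(blob, key)
        except (binascii.Error, ValueError):
            results[blob] = (None, False)
            continue
        results[blob] = (plain, looks_like_text(plain))
    return results


# Constructed sample blobs (NOT taken from a real Nemty binary).
SAMPLE_BLOBS = [encode_string(s) for s in (b"127.0.0.1", b"config", b"example.invalid")]

if __name__ == "__main__":
    for blob, (plain, ok) in decode_all(SAMPLE_BLOBS).items():
        print(f"{blob:24} -> {plain!r:24} plausible={ok}")
    # Same blobs under the wrong key: decoding 'succeeds' but output is noise.
    for blob, (plain, ok) in decode_all(SAMPLE_BLOBS, key=b"wrongkey").items():
        print(f"{blob:24} -> {plain!r:24} plausible={ok}")
```

The `rc4` routine can be checked against the public RC4 test vector (key "Key", plaintext "Plaintext") before trusting it on sample data; the plausibility flag is what tells you the key was wrong, since RC4 itself will never complain.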

AES-128 in CBC mode, RSA-2048, and RSA-8192 are used for encrypting files and protecting keys. A 32-byte random value is used as the AES key material, an RSA-2048 key pair is generated per victim, and, unusually, RSA with an 8192-bit modulus is used to encrypt both the configuration data and the RSA-2048 private key. (AES-128 takes a 16-byte key, so a 32-byte value implies that only part of it keys the cipher or that the rest serves another purpose, such as the IV; the report excerpts quoted here do not say which.)


FortiGuard Labs says that 2048- and 4096-bit RSA keys are generally more than adequate to secure messages, and so the use of an 8192-bit key is "overkill and inefficient for its purpose."

“Using the longer key size adds a large overhead due to significantly longer key generation and encryption times […] RSA-8192 can only encrypt 1024 bytes at a time, even less if we consider the reserved size for padding,” the researchers note. “Since the configuration’s size will surely be more than that due to the fact that it contains the encoded private key, the malware cuts the information into chunks of 1000 (0x3e8) bytes and performs multiple operations of the RSA-8192 until the entire information is encrypted.”
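A worked check of the figures quoted above, added here as an example rather than code from the report or the malware. It derives the block size and the maximum payload per RSA operation from the modulus length and the standard padding overheads (PKCS#1 v1.5 reserves 11 bytes; OAEP reserves 2*hLen + 2), then works out how many operations a configuration of a given size needs at the 1000-byte (0x3e8) chunk size the researchers describe. The configuration length used is an assumed value, not one measured from a sample. One thing the numbers show that the quote leaves open: with a 1024-byte block, a 1000-byte chunk fits under PKCS#1 v1.5 padding (limit 1013 bytes) but not under OAEP (982 bytes with SHA-1, 958 with SHA-256), so the chunking scheme is only consistent with v1.5 padding or no padding at all.

```python
def rsa_block_size(modulus_bits: int) -> int:
    """Bytes in one RSA block: every operation outputs a full block."""
    return (modulus_bits + 7) // 8


def max_plaintext(modulus_bits: int, padding: str) -> int:
    """Largest payload one RSA encryption can carry under a given padding.
    'raw' means textbook RSA with no padding, which is insecure but is
    listed because malware sometimes does exactly that."""
    k = rsa_block_size(modulus_bits)
    overhead = {
        "raw": 0,
        "pkcs1v15": 11,            # 00 02 <at least 8 random bytes> 00
        "oaep-sha1": 2 * 20 + 2,   # 2*hLen + 2
        "oaep-sha256": 2 * 32 + 2,
    }
    if padding not in overhead:
        raise ValueError(f"unknown padding scheme: {padding}")
    return k - overhead[padding]


def paddings_that_fit(chunk: int, modulus_bits: int) -> list:
    """Padding schemes under which a chunk of this size fits in one block."""
    return [p for p in ("raw", "pkcs1v15", "oaep-sha1", "oaep-sha256")
            if max_plaintext(modulus_bits, p) >= chunk]


def chunk_plan(payload_len: int, modulus_bits: int, chunk: int) -> dict:
    """RSA operations needed to cover a payload at a fixed chunk size, and
    the ciphertext length (each chunk expands to a whole block)."""
    if chunk <= 0 or chunk > rsa_block_size(modulus_bits):
        raise ValueError("chunk must be positive and no larger than one block")
    ops = -(-payload_len // chunk)             # ceiling division
    return {"operations": ops,
            "ciphertext_bytes": ops * rsa_block_size(modulus_bits),
            "expansion": ops * rsa_block_size(modulus_bits) / max(payload_len, 1)}


if __name__ == "__main__":
    ASSUMED_CONFIG_LEN = 2400      # assumed: config holding a base64 RSA-2048 private key
    CHUNK = 0x3E8                  # 1000-byte chunks, as described in the report
    print("RSA-8192 block size:", rsa_block_size(8192), "bytes")
    for p in ("raw", "pkcs1v15", "oaep-sha1", "oaep-sha256"):
        print(f"  max payload under {p:12}: {max_plaintext(8192, p)} bytes")
    print("paddings a 1000-byte chunk fits under:", paddings_that_fit(CHUNK, 8192))
    print("plan for assumed config:", chunk_plan(ASSUMED_CONFIG_LEN, 8192, CHUNK))
    # For comparison, the same payload under RSA-2048 with v1.5 padding.
    print("RSA-2048 equivalent:", chunk_plan(ASSUMED_CONFIG_LEN, 2048, max_plaintext(2048, "pkcs1v15")))
```

The comparison line makes the "inefficient" point concrete: the same payload needs a few 8192-bit operations instead of ten 2048-bit ones, but each 8192-bit public-key operation costs roughly sixteen times as much (public-key work grows about quadratically with modulus length for a fixed small exponent), and key generation grows far faster still, which is where the "significantly longer key generation" time in the quote comes from.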

The heavy use of encryption means that it is “not practically possible” to decrypt a compromised system, according to the cybersecurity firm. This is unfortunate, as decryption programs offered by cybersecurity firms can sometimes be the only way to recover files lost to ransomware infections without paying up.


There are issues in the code that indicate development is still underway, such as pointless repeated file comparisons and an inefficient method for whitelisting some file extensions. The malware also checks whether the system's IP address geolocates to Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine, but regardless of the result, encryption continues.

Indicators of affiliate IDs buried in the malware’s code also point to RaaS.

Despite code issues and indicators that Nemty is still in development, the researchers say that as it can still encrypt systems effectively, the malware is “a real threat” even in its current state. Indeed, as the report was being finalized, a new variant of Nemty was found — which may suggest distribution is underway. 

