NEMTY PROJECT ransomware returns with .nefilim extension variantRansom note urges to pay money in BitcoinThreat SummaryNEMTY REVENGE ransomware fixes its flawsUpdate March 14: Nemty reappears as NEFILIM ransomwareThe ransomware is distributed using the RIG exploit kitRemove NEMTY ransomware virus safelyHow to decrypt .nemty files

This crypto-virus encodes files using AES encryption and then produces individual decryption keys for each victim. To secure the decryption key, the NEMTY PROJECT virus encodes it using RSA-2048 and RSA-8192 algorithms or AES-128 and RSA-2048 cryptography ciphers combination. Due to flaws in the encryption routine, cybersecurity experts have managed to create a NEMTY decryption software that can restore your files for free. More information about the decryption will be provided further in this article. NOTE. The decrypter may not work depending on the ransomware version that you have encountered. NEMTY REVENGE 2.0 version are updated.

Ransom note urges to pay money in Bitcoin

As usual, Nemty ransomware virus developers want the victim to pay a ransom in order to be able to open and use them again. In the ransom notes created on the victim’s computer, the cybercriminals explain that all files including documents, photos, audio/video files, and databases have been encrypted. The attackers warn the victim that the files cannot be recovered in any other way than paying a ransom. The further instructions in the ransom note suggest installing the TOR browser (required to access dark web domains) and visit a specific ransom payment website which instructs the victim how to obtain Bitcoins and pay the ransom. In the said website, the victim needs to upload and submit a ransom note. Next, the victim can upload one encrypted .nemty extension file (max file size 1Mb) to test the decryptor. In the next page, the ransomware domain allows to download decrypted files and states the ransom price both in dollars and Bitcoins. Nemty ransomware typically asks for $1000 or 0.09817 in BTC. There is also a chat box which can be used to contact the ransomware developers. It has been noticed that the majority of NEMTY PROJECT attacks were registered in Korea and China, although U.S. are also among the top target countries. It doesn’t stop the virus from spreading worldwide, though. If your files have been encrypted by this particular ransomware, you can recover your files for free – simply follow the instructions below the article to remove NEMTY ransomware virus. Then recover your files using the decryption guide we provide.

Threat Summary

NEMTY REVENGE ransomware fixes its flaws

NEMTY REVENGE 2.0 ransomware is the second edition of the primary malware version. This version uses an updated encryption routine which cannot be breaked down by the security experts. This update was released as a response to the decryption tool released by Tesorian. The ransomware marks files with .NEMTY_[victim’s ID] extension and in the ransom note called NEMTY_victim’sID-DECRYPT.txt suggests contacting one of the following emails: The latter versions, such as Nemty 2.3 or the latest, 2.5, do not provide contact e-mail addresses, but provide a dark web link accessible via Tor browser. The updated virus version demand $1300 in Bitcoin as a ransom. Currently, NEMTY REVENGE 2.0 versions cannot be decrypted (no third-party tools can be helpful).

Update March 14: Nemty reappears as NEFILIM ransomware

On March 14, cybersecurity researchers spotted a new variant of Nemty called NEFILIM ransomware virus. The malware was traditionally dubbed so after the file-marking extensions it appends on encrypted data. The new variant uses NEFILIM-DECRYPT.txt as ransom note and suggests contacting one of the new criminals’ emails:

jamesgonzaleswork1972@protonmail.com;pretty_hardjob2881@mail.com;dprworkjessiaeye1955@tutanota.com.

The malware urges to contact the criminals within 7 days or collected private data about the victim will be published online.

The ransomware is distributed using the RIG exploit kit

The ransomware has been around since August 2019 and security experts have observed a variety of methods used for its distribution, each described below.

One of the most powerful ways it uses to reach target systems is RIG Exploit Kit. It has been used for the distribution of many well-known ransomware strains including Cerber, GandCrab, and others. The exploit kit targets computers still using outdated technologies such as Internet Explorer and Flash Player.What is more, Nemty Project ransomware also uses the same method used by Phobos ransomware. It tends to attack computer networks via hacked Remote Desktop Connections (RDP).Finally, the cyber attackers serve the malicious payload via a fake Paypal cashback website. The webpage promises a 3-5% return from purchases made via their system. The web page suggests downloading an executive file named cashback.exe, which is the ransomware file itself. Although the malicious website is marked as Deceptive Site Ahead or This Site Ahead Contains Harmful Programs, some people ignore the warning and continue to visit it.TRIK Botnet is known to be distributing Nemty virus via SMB protocol. The botnet attempts to connect to computers with 139 port open, brute-forcing known weak username and password combinations to access the remote computer.

We strongly encourage you to learn these ransomware prevention techniques to avoid similar attacks in the future.

Remove NEMTY ransomware virus safely

Remove NEMTY ransomware virus as soon as possible to start the data decryption procedure. You can find detailed instructions on how to eliminate this malicious software from your computer right here below the article. Do not forget to update your security software before running a system scan. It helps to identify and delete files belonging to the described crypto-malware. OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.

Alternative software recommendations

Malwarebytes Anti-Malware

Method 1. Enter Safe Mode with Networking

Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it: Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10 users Now, you can search for and remove NEMTY ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future. Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

How to decrypt .nemty files

After Nemty ransomware removal, you can start decrypting your files using this tool developed by Tesorian. The decryptor works on files locked by ransomware versions 1.4 and 1.6. Victims of 1.5 and other versions should stay patient and wait for updates. The currently known tool can decrypt these file extensions (more added with each decryptor update): gif, mp3, jpeg, avi, bmp, jpg, mov, mp4, doc, mov, mp4, qt, 3gp, mpeg, mpg, doc, docb, dot, ole, pot, pps, ppt, xls, xlsb, xlt, pdf, png, tif, tiff, nef, txt, docm, docx, dotm, dotx, jar, potm, potx, ppsm, ppsx, pptm, pptx, xlsm, xlsx, xltm, xltx, zip, wbk, xlm. To get the decryptor, victims should contact Tesorian and ask them to provide NEMTY decryptor download link. Be patient and you will receive an email from them. The security firm works silently and generates the decryption key on their own servers. This is done in order to prevent decryptor analysis and possible future ransomware updates. NOTE. Be careful of scammers who claim to able to recover your files for a higher cost. Some of them simply pay the criminals using your money. You can read more about such case on The Register.