Nemty
Nemty is a ransomware-as-a-service (RaaS) operation active approximately from August 2019 through April 2020.
Profile source: Mallory opens in a new tabNemty
Family profile
Nemty is a ransomware-as-a-service (RaaS) operation active approximately from August 2019 through April 2020. The content states it was originally launched in January 2019 as JSWorm and rebranded as Nemty in August 2019. It is also referenced alongside related or historical RaaS operations including Nemty X, Karma, Nokoyawa, and JSWORM.
Operationally, Nemty used backend infrastructure centered on the single IP address 5.182.39.200 during its observed lifetime, with associated virtual hosts including nemty.top, nemty.hk, and nemty10.hk. Nemty used the BraZZZerS fast-flux/proxy protection service to protect at least nemty.top and nemty.hk. Researchers reported that BraZZZerS logging exposed Nemty panel activity, including socket.io polling and JWT tokens in GET requests; the leaked tokens could reportedly be reused in cookies to access the Nemty panel as the authenticated user.
The provided changelog excerpts indicate active development of both the ransomware and affiliate panel. Reported features and updates included builder and panel fixes, a drives section on the bots page, asynchronous threading to increase encryption speed, a file extension format of ._NEMTY_{filkeid}_, visibility of victims in the panel before encryption began, file-extension exclusions, and logic to kill processes and stop services prior to encryption. Named targeted processes/applications included SQL, Word, Outlook, Thunderbird, Oracle, Excel, OneNote, and VirtualBoxVM. Named targeted services included DbxSvc, OracleXETNSListener, OracleServiceXE, AcronisAgent, Apache2.4, MongoDB, SQLWriter, SQLBrowser, and MSSQL-related services. A September 2019 update introduced FastFlux, and an October 2019 update stated the ransomware changed its encryption algorithm and added its own key generator rather than using pseudo keys. The changelog also noted that if an affiliate had no Bitcoin address configured, victims could not open the payment page.
Nemty operated with affiliates, and the content identifies observed affiliate nicknames including jokeroo, symmetries, helliscod, and sprite77. The reporting emphasizes that these affiliates also participated in other ransomware ecosystems such as GandCrab, Dharma, and DJVU, reflecting overlap across RaaS programs. Nemty is also listed among ransomware groups that operated leak sites as part of double-extortion activity.
Association reporting in the content links Nemty to broader ransomware and cybercrime ecosystems. It is mentioned in connection with the aliases salfetka, rinc, and farnetwork, which were tied to Nokoyawa, JSWORM, Nefilim, Karma, and Nemty operations. Volodymyr Tymoshchuk is also described as linked to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs. Separate reporting cited in the content states LUNAR SPIDER maintained affiliations with Nemty and that Nemty leveraged IcedID for initial access.
A possible operational security failure is described in which a StackOverflow user posted code referencing 5.182.39.200 while debugging a Bitcoin node on September 25, 2019, suggesting a possible link to Nemty backend development, though this remains suggestive rather than conclusive based on the content alone.
High-confidence infrastructure and behavioral indicators mentioned in the content include domains nemty.top, nemty.hk, and nemty10.hk; backend IP 5.182.39.200; and the encrypted file extension pattern ._NEMTY_{filkeid}_.
Ransomware.live
Operational record
MITRE ATT&CK
Nemty in ATT&CK
10 distinct techniquesReporting
Research mentioning Nemty
From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware
security researcher 3xp0rt mentioned that “salfetka” is linked to the aliases "rinc" and "farnetwork" which is tied to the Nokoyawa, JSWORM, Nefilim, Karma and Nemty ransomware operations.
INC Ransom Affiliate Model Enabling Targeting of Critical Networks | Cyber.gov.au
"...historical RaaS operations Nemty, Nemty X, Karma and Nokoyawa."
⚡ Weekly Recap: Bootkit Malware, AI-Powered Attacks, Supply Chain Breaches, Zero-Days & More
In 2023, Group-IB also linked Tymoshchuk to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs.
Risky Bulletin: US charges major ransomware figure
Tymoshchuk appears to have also been involved with the JSWORM, Karma, Nemty, and Nokoyawa Ransomware-as-a-Service (RaaS) platforms.
An inside view of domain anonymization as-a-service - the BraZZZerSFF infrastructure | by Benoit ANCEL | CSIS TechBlog | Medium
Nemty was using BraZZZers to protect its domains nemty.top and nemty.hk.
The Nemty affiliate model. Almost a year after the end of the… | by Benoit ANCEL | CSIS TechBlog | Medium
As mentioned earlier, Nemty was running between August 2019 and April 2020 and we monitored the same single IP used as backend during the whole operation: 5[.]182[.]39[.]200.
List of ransomware that leaks victims' stolen files if not paid
Originally launched in January 2019 as a Ransomware-as-a-Service (RaaS) called JSWorm, the ransomware rebranded as Nemty in August 2019.
Sodinokibi, Ryuk ransomware drive up average ransom to $111,000
Several operators have created leak sites to post files from their victims. Among them: ... Netwalker, Nemty.