Skip to content
Ransomware group

Nemty

Nemty is a ransomware-as-a-service (RaaS) operation active approximately from August 2019 through April 2020.

Profile source: Mallory opens in a new tab

Nemty

Family profile

Nemty is a ransomware-as-a-service (RaaS) operation active approximately from August 2019 through April 2020. The content states it was originally launched in January 2019 as JSWorm and rebranded as Nemty in August 2019. It is also referenced alongside related or historical RaaS operations including Nemty X, Karma, Nokoyawa, and JSWORM.

Operationally, Nemty used backend infrastructure centered on the single IP address 5.182.39.200 during its observed lifetime, with associated virtual hosts including nemty.top, nemty.hk, and nemty10.hk. Nemty used the BraZZZerS fast-flux/proxy protection service to protect at least nemty.top and nemty.hk. Researchers reported that BraZZZerS logging exposed Nemty panel activity, including socket.io polling and JWT tokens in GET requests; the leaked tokens could reportedly be reused in cookies to access the Nemty panel as the authenticated user.

The provided changelog excerpts indicate active development of both the ransomware and affiliate panel. Reported features and updates included builder and panel fixes, a drives section on the bots page, asynchronous threading to increase encryption speed, a file extension format of ._NEMTY_{filkeid}_, visibility of victims in the panel before encryption began, file-extension exclusions, and logic to kill processes and stop services prior to encryption. Named targeted processes/applications included SQL, Word, Outlook, Thunderbird, Oracle, Excel, OneNote, and VirtualBoxVM. Named targeted services included DbxSvc, OracleXETNSListener, OracleServiceXE, AcronisAgent, Apache2.4, MongoDB, SQLWriter, SQLBrowser, and MSSQL-related services. A September 2019 update introduced FastFlux, and an October 2019 update stated the ransomware changed its encryption algorithm and added its own key generator rather than using pseudo keys. The changelog also noted that if an affiliate had no Bitcoin address configured, victims could not open the payment page.

Nemty operated with affiliates, and the content identifies observed affiliate nicknames including jokeroo, symmetries, helliscod, and sprite77. The reporting emphasizes that these affiliates also participated in other ransomware ecosystems such as GandCrab, Dharma, and DJVU, reflecting overlap across RaaS programs. Nemty is also listed among ransomware groups that operated leak sites as part of double-extortion activity.

Association reporting in the content links Nemty to broader ransomware and cybercrime ecosystems. It is mentioned in connection with the aliases salfetka, rinc, and farnetwork, which were tied to Nokoyawa, JSWORM, Nefilim, Karma, and Nemty operations. Volodymyr Tymoshchuk is also described as linked to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs. Separate reporting cited in the content states LUNAR SPIDER maintained affiliations with Nemty and that Nemty leveraged IcedID for initial access.

A possible operational security failure is described in which a StackOverflow user posted code referencing 5.182.39.200 while debugging a Bitcoin node on September 25, 2019, suggesting a possible link to Nemty backend development, though this remains suggestive rather than conclusive based on the content alone.

High-confidence infrastructure and behavioral indicators mentioned in the content include domains nemty.top, nemty.hk, and nemty10.hk; backend IP 5.182.39.200; and the encrypted file extension pattern ._NEMTY_{filkeid}_.

Ransomware.live

Operational record

View group record ↗

MITRE ATT&CK

Nemty in ATT&CK

10 distinct techniques

Reporting

Research mentioning Nemty

Jun 17
Acronis

From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware

security researcher 3xp0rt mentioned that “salfetka” is linked to the aliases "rinc" and "farnetwork" which is tied to the Nokoyawa, JSWORM, Nefilim, Karma and Nemty ransomware operations.

Mar 6
Australian Acsc

INC Ransom Affiliate Model Enabling Targeting of Critical Networks | Cyber.gov.au

"...historical RaaS operations Nemty, Nemty X, Karma and Nokoyawa."

Sep 15
The Hacker News

⚡ Weekly Recap: Bootkit Malware, AI-Powered Attacks, Supply Chain Breaches, Zero-Days & More

In 2023, Group-IB also linked Tymoshchuk to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs.

Sep 10
Risky Biz Rss

Risky Bulletin: US charges major ransomware figure

Tymoshchuk appears to have also been involved with the JSWORM, Karma, Nemty, and Nokoyawa Ransomware-as-a-Service (RaaS) platforms.

Aug 8
Medium Csis Techblog

An inside view of domain anonymization as-a-service - the BraZZZerSFF infrastructure | by Benoit ANCEL | CSIS TechBlog | Medium

Nemty was using BraZZZers to protect its domains nemty.top and nemty.hk.

Jan 25
Medium Csis Techblog

The Nemty affiliate model. Almost a year after the end of the… | by Benoit ANCEL | CSIS TechBlog | Medium

As mentioned earlier, Nemty was running between August 2019 and April 2020 and we monitored the same single IP used as backend during the whole operation: 5[.]182[.]39[.]200.

May 26
Bleeping Computer

List of ransomware that leaks victims' stolen files if not paid

Originally launched in January 2019 as a Ransomware-as-a-Service (RaaS) called JSWorm, the ransomware rebranded as Nemty in August 2019.

May 2
Bleeping Computer

Sodinokibi, Ryuk ransomware drive up average ransom to $111,000

Several operators have created leak sites to post files from their victims. Among them: ... Netwalker, Nemty.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.