The Nemty affiliate model

Almost a year after the end of the operations of the Nemty ransomware, we are presenting some internal details of their operations between 2019 and 2020 in order to document the business model and the actors that evolved around that group.

This article is not meant to be a technical analysis of the capacities of the ransomware - McAfee has already published an amazing analysis covering the evolution and the technical capacities of Nemty. We are here trying to show how the RaaS was working internally and to characterise the different affiliates in order to document an important ransomware threat of 2019.

Nemty backend

Like lots of threat actors in 2019, the Nemty gang chose to hide their backend behind a Fast Flux called Brazzzer. Both domains nemty[.]top and nemty[.]hk were protected in order to not reveal the real IP of the control server.

The domains were resolving to different temporary IPs (nginx proxies) managed by the Fast Flux, and those proxies were redirecting the traffic to the real server.

However, staying anonymous on the internet is hard. The protection of a fast flux alone is far from enough to protect the IP of a hidden server. Also Nemty eventually leaked the real IP of their server: 5[.]182[.]39[.]200.

Their control server was poorly configured, allowing anyone to access the CnC directly from the IP, making our investigation much easier:

We observed this IP being used over the Nemty domains throughout the entire operation until the end of the ransomware.

Nemty backend

Nemty was a Ransomware-as-a-Service. The backend was a central panel poorly developed in JavaScript using the library socket.io. Each affiliate could login with their own credentials. The whole backend was managed through an admin account able to see and manipulate all the affiliate’s bots.

Each affiliate could see their own bots, interact with the encrypted victims, build new stubs of the ransomware and discuss with the admin.

Nemty Bot list

Bot details

Stub builder

Affiliates list

Affiliates

As shown in the last screenshot, the interesting part of the backend was the affiliates list. You can see below the full list of observed affiliates:

If you are familiar with the RaaS ecosystem of 2019/2020, you will quickly see some well-known nicknames. E.g. “jokeroo” was a well-known actor trying to run his own business, symmetries was also known around others RaaS, helliscod was also known on numerous forums buying different malware like Raccoon, and sprite77 was a well- known GandCrab affiliate.

All those nicknames can be found all over the place showing that the affiliates of RaaS are not spending their money on only one project. It was/is very common to see the same actors showing up on different RaaS and when we see lots of different campaigns distributing lots of ransomware families, it is, in fact, a small pool of actors. You can still find some of them around Dharma ransomware or DJVU in 2021.

The panel developer’s mistakes

As mentioned earlier, Nemty was running between August 2019 and April 2020 and we monitored the same single IP used as backend during the whole operation: 5[.]182[.]39[.]200.

When you do try to obtain open sourced intelligence about an infrastructure, one of the best places to dig is StackOverflow.

Criminals or not, behind these kind of operations at the end of the day it’s still humans developing products and having trouble debugging the code.

The 25th September 2019 a user using the nickname Sajan Maharjan opened a new thread asking for help to debug the implementation of a Bitcoin node:

Screenshot of the StackOverflow Post

We can see here the original poster pasting some code mentioning HOST = "5.182.39[.]200";. Curiously enough, the Nemty IP had that port 8333 opened too at that time.

That StackOverflow user seems to be working with JavaScript library and UI development and is living in South Korean where Nemty was the most active in the wild in 2019. Those elements can suggest that this user was related to the backend developers of the Nemty operation.

These kinds of mistakes are a good reminder about the power of the data exposed on StackOverflow. It’s not the first actor making that mistake and he will not be the last.

Conclusion

This article tries to document the affiliates model and the actors that evolved around Nemty in 2019/2020 in order to facilitate future investigation of fresh threats potentially used by those criminals.

For the whole history and technical details about Nemty I recommend reading the paper written by McAfee researchers: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/

Appendix

Virtual hosts observed on the IP 5.182.39[.]200:

• nemty[.]top
• nemty[.]hk
• nemty10[.]hk

Early Nemty change-log (translated from Russian):

- 08.20.2019 16:56:51 Release date 
Panel is ready
Cryptolocker is ready
- 08.22.2019 07:22:55 Update 1.0.1 & 1.0.2 
Fixed builder page Added page loader Added drives section on bots page
- 08.24.2019 09:32:35 Update 1.1 & 1.0.3 
Ransomware: 
Encryption speed increased significantly due to asynchronization of threads Extension changed to ._NEMTY_{filkeid}_ Web-Panel:
Added simple tags like “@admin” (admin will come) Fixed some bugs
- 08.25.2019 09:15:29 WARNING UPDATE BUILDS
- 08.26.2019 08:09:48 update your builds actual version — 1.3
- 08.26.2019 08:49:57 Important to read to everyone 
Now two victims from two different countries have tapped, both write the same:
Guy, test decrypt isn’t working, but I can’t pay you so much, because I’m not a rich man.
I went to look for a problem, why didn’t they decrypt the files from them.
Found this file that they were trying to decrypt.
Since I leave the encrypted key and the file extension at the end of the file, I noticed that the file extension does not match what it uploaded to the site, respectively, it could not decrypt this file.
It was decided to add a check for the extension in the file body, which will be available today.
- 08.28.2019 12:56:42 UPDATE RANSOMWARE 
Added:
No configuration file, everything in ransom note
Fix CD-ROM
- 08.29.2019 19:50:38 SECURITY WARNING 
check your BTC address, if you will have no BTC address in settings, victims couldn’t open payment page
- 08.31.2019 06:51:19 Update 
Added saving of any messages
- 09.06.2019 11:19:58 ransomware update 
victim will be appeared in the panel before encrypting files
- 09.09.2019 08:46:37 Mini update 
update build, now ransomware will skip files with 
“nemty”, “exe”, “log”, “cab”, “cmd”, “com”, “cpl”, “exe”, “ini”, “dll”, “url”, “ttf”, “url”
extension and even in upper case
added process kill
“sql”, “winword”, “wordpad”, “outlook”, “thunderbird”, “oracle”, “excel”, “onenote”, “virtualboxvm”
added service stop
“DbxSvc”, “OracleXETNSListener”, “OracleServiceXE”, “AcrSch2Svc”, “AcronisAgent”, “Apache2.4”, “SQLWriter”, “MSSQL$SQLEXPRESS”, “MSSQLServerADHelper100”, “MongoDB”, “SQLAgent$SQLEXPRESS”, “SQLBrowser”
if you want expand this lists — admin jabber is nemty@thesecure.biz
- 09.24.2019 05:35:24 update 1.5
FastFlux
- 09.27.2019 09:05:57 CLEANING 
OLD BOTS WERE DELETED BECAUSE USELESS
- 10.02.2019 15:28:23 1.6 ransomware update 
changed encryption algorithm 
added our own key generator (not pseudo keys)
- 10.10.2019 08:25:03 update builds
if there is no internet, it won’t get an IP and as a result the panel will not detect the IP string and will give the wrong configuration file
so update the builds, all bots that have no Internet or haven’t received an IP will be from IP Australia 1.1.1.1