Nemty ransomware “LOVE_YOU” malspam campaign

Security experts uncovered an ongoing campaign delivering Nemty Ransomware via emails disguised as messages from secret lovers.

Researchers from Malwarebytes and X-Force IRIS have uncovered an ongoing spam campaign distributing the Nemty Ransomware via messages disguised as messages from secret lovers.

The attackers employed messages with several subject lines and attachment filenames composed to appear as sent by lovers, they used statements such as “Don’t tell anyone,” “I love you,” “Letter for you,” “Will be our secret,” and “Can’t forget you.”

The body of all the spam messages only contains the ‘;)' text emoticon.

All the spam messages used a ZIP archive as attachment with a filename with a specific format (‘LOVE_YOU_######_2020.zip’)

“Attached to each email is a ZIP archive with a name formatted as with only the #s changing,” reads the advisory published by IBM X-Force IRIS.

“The hash of the file contained within each of these archives remains the same and is associated with a highly obfuscated JavaScript file named LOVE_YOU.js,”

The detection rate of the LOVE_YOU Javascript was low when the campaign was spotted, but is rapidly increasing.

The malicious Javascript acts as a dropper for the Nemty ransomware, the final payload is downloaded from a remote server and then it is executed.

In an update provided on February 28, 2020, IBM researchers reported that this campaign appears to have temporarily halted.

Nemty ransomware first appeared on the threat landscape in August 2019, the name of the malware comes after the extension it adds to the encrypted file names. The ransomware deletes shadow copies of encrypted files to make in impossible any recovery procedure.

In October 2019, researchers from the security firm Tesorion developed a decryptor tool that works on Nemty versions 1.4 and 1.6, they also announced a working tool for version 1.5.

In February, Nemty ransomware operators announced that they will set up a website to leak the data stolen for ransomware victims who refused to pay the ransom.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, undersea cables)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.