Contents
Nemty ransomware is a file-encrypting virus that corrupts data using the AES-256 encryption algorithm. After successful data corruption, the ransomware appends .nemty extension after the original filename. Finally, the malware creates so-called ransom notes (NEFILIM-DECRYPT.txt or NEMTY-DECRYPT.txt, _NEMTY_[random characters]_-DECRYPT.txt) in each folder containing encoded data. The latest known versions of this virus append .NEFILIM or ._NEMTY_[random characters]_ extensions. The good news is that some variants of this ransomware CAN BE decrypted.
This crypto-virus encodes files using AES encryption and then produces individual decryption keys for each victim. To secure the decryption key, the NEMTY PROJECT virus encodes it using RSA-2048 and RSA-8192 algorithms or AES-128 and RSA-2048 cryptography ciphers combination.
Due to flaws in the encryption routine, cybersecurity experts have managed to create a NEMTY decryption software that can restore your files for free. More information about the decryption will be provided further in this article.
NOTE. The decrypter may not work depending on the ransomware version that you have encountered. NEMTY REVENGE 2.0 version are updated.
As usual, Nemty ransomware virus developers want the victim to pay a ransom in order to be able to open and use them again. In the ransom notes created on the victim’s computer, the cybercriminals explain that all files including documents, photos, audio/video files, and databases have been encrypted. The attackers warn the victim that the files cannot be recovered in any other way than paying a ransom.
The further instructions in the ransom note suggest installing the TOR browser (required to access dark web domains) and visit a specific ransom payment website which instructs the victim how to obtain Bitcoins and pay the ransom. In the said website, the victim needs to upload and submit a ransom note. Next, the victim can upload one encrypted .nemty extension file (max file size 1Mb) to test the decryptor.
In the next page, the ransomware domain allows to download decrypted files and states the ransom price both in dollars and Bitcoins. Nemty ransomware typically asks for $1000 or 0.09817 in BTC. There is also a chat box which can be used to contact the ransomware developers.
It has been noticed that the majority of NEMTY PROJECT attacks were registered in Korea and China, although U.S. are also among the top target countries. It doesn’t stop the virus from spreading worldwide, though.
If your files have been encrypted by this particular ransomware, you can recover your files for free – simply follow the instructions below the article to remove NEMTY ransomware virus. Then recover your files using the decryption guide we provide.
Name | NEMTY PROJECT, NEMTY REVENGE, NEFILIM, NEMTY SPECIAL EDITION |
Type | Ransomware; Crypto-virus; File Locker |
Exlusions | Doesn’t encrypt computers in Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Ukraine |
Encryption methods | AES-256, RSA-2048 and RSA-8192 |
File marker | .nemty or ._NEMTY_[random chars]_ |
Ransom note | NEMTY-DECRYPT.TXT or _NEMTY_[random chars]_-DECRYPT |
Ransom demand | $1000-$1300 |
Distribution methods | Hacked RDP connections, RIG EK and malicious websites |
Decryption | Can be decrypted with Nemty decrypter |
Removal | Can be removed using antivirus |
NEMTY REVENGE 2.0 ransomware is the second edition of the primary malware version. This version uses an updated encryption routine which cannot be breaked down by the security experts. This update was released as a response to the decryption tool released by Tesorian. The ransomware marks files with .NEMTY_[victim’s ID] extension and in the ransom note called NEMTY_victim’sID-DECRYPT.txt suggests contacting one of the following emails:
The latter versions, such as Nemty 2.3 or the latest, 2.5, do not provide contact e-mail addresses, but provide a dark web link accessible via Tor browser.
The updated virus version demand $1300 in Bitcoin as a ransom. Currently, NEMTY REVENGE 2.0 versions cannot be decrypted (no third-party tools can be helpful).
On March 14, cybersecurity researchers spotted a new variant of Nemty called NEFILIM ransomware virus. The malware was traditionally dubbed so after the file-marking extensions it appends on encrypted data. The new variant uses NEFILIM-DECRYPT.txt as ransom note and suggests contacting one of the new criminals’ emails:
The malware urges to contact the criminals within 7 days or collected private data about the victim will be published online.
The ransomware has been around since August 2019 and security experts have observed a variety of methods used for its distribution, each described below.
We strongly encourage you to learn these ransomware prevention techniques to avoid similar attacks in the future.
Remove NEMTY ransomware virus as soon as possible to start the data decryption procedure. You can find detailed instructions on how to eliminate this malicious software from your computer right here below the article. Do not forget to update your security software before running a system scan. It helps to identify and delete files belonging to the described crypto-malware.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
NEMTY ransomware Removal Guidelines
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10 users
Now, you can search for and remove NEMTY ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
REMOVE MALWARE & REPAIR VIRUS DAMAGE
1 Step. Get robust antivirus to remove existing threats and enable real-time protection
INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.
2 Step. Repair Virus Damage on Windows Operating System Files
Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10 users
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
After Nemty ransomware removal, you can start decrypting your files using this tool developed by Tesorian. The decryptor works on files locked by ransomware versions 1.4 and 1.6. Victims of 1.5 and other versions should stay patient and wait for updates.
The currently known tool can decrypt these file extensions (more added with each decryptor update):
gif, mp3, jpeg, avi, bmp, jpg, mov, mp4, doc, mov, mp4, qt, 3gp, mpeg, mpg, doc, docb, dot, ole, pot, pps, ppt, xls, xlsb, xlt, pdf, png, tif, tiff, nef, txt, docm, docx, dotm, dotx, jar, potm, potx, ppsm, ppsx, pptm, pptx, xlsm, xlsx, xltm, xltx, zip, wbk, xlm.
To get the decryptor, victims should contact Tesorian and ask them to provide NEMTY decryptor download link. Be patient and you will receive an email from them. The security firm works silently and generates the decryption key on their own servers. This is done in order to prevent decryptor analysis and possible future ransomware updates.
NOTE. Be careful of scammers who claim to able to recover your files for a higher cost. Some of them simply pay the criminals using your money. You can read more about such case on The Register.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
VLFF ransomware is a virtual menace to your computer files VLFF ransomware is a newly…
UIGD ransomware encrypts all files on a computer, asks for a ransom UIGD ransomware is…
EYRV ransomware takes your computer files hostage, demands a ransom EYRV ransomware is a destructive…
Private Internet Access (PIA) VPN maintains its long-term role as a leader Private Internet Access…
XCBG ransomware aims to lock your files and demand a ransom XCBG ransomware is a…
BPQD ransomware encrypts all computer files, demands a ransom from the user BPQD ransomware is…
This website uses cookies.