Remove NEMTY Ransomware Virus (2021 Decryption Guide)

NEMTY PROJECT ransomware returns with .nefilim extension variant

Contents

NEMTY PROJECT ransomware returns with .nefilim extension variant
- Ransom note urges to pay money in Bitcoin
- Threat Summary
NEMTY REVENGE ransomware fixes its flaws
- Update March 14: Nemty reappears as NEFILIM ransomware
The ransomware is distributed using the RIG exploit kit
Remove NEMTY ransomware virus safely
How to decrypt .nemty files

Nemty ransomware is a file-encrypting virus that corrupts data using the AES-256 encryption algorithm. After successful data corruption, the ransomware appends .nemty extension after the original filename. Finally, the malware creates so-called ransom notes (NEFILIM-DECRYPT.txt or NEMTY-DECRYPT.txt, _NEMTY_[random characters]_-DECRYPT.txt) in each folder containing encoded data. The latest known versions of this virus append .NEFILIM or ._NEMTY_[random characters]_ extensions. The good news is that some variants of this ransomware CAN BE decrypted.

This crypto-virus encodes files using AES encryption and then produces individual decryption keys for each victim. To secure the decryption key, the NEMTY PROJECT virus encodes it using RSA-2048 and RSA-8192 algorithms or AES-128 and RSA-2048 cryptography ciphers combination.

Due to flaws in the encryption routine, cybersecurity experts have managed to create a NEMTY decryption software that can restore your files for free. More information about the decryption will be provided further in this article.
NOTE. The decrypter may not work depending on the ransomware version that you have encountered. NEMTY REVENGE 2.0 version are updated.

Screenshots of the ransom note and encrypted files that can’t be opened after the cyber attack.

Ransom note urges to pay money in Bitcoin

As usual, Nemty ransomware virus developers want the victim to pay a ransom in order to be able to open and use them again. In the ransom notes created on the victim’s computer, the cybercriminals explain that all files including documents, photos, audio/video files, and databases have been encrypted. The attackers warn the victim that the files cannot be recovered in any other way than paying a ransom.

The further instructions in the ransom note suggest installing the TOR browser (required to access dark web domains) and visit a specific ransom payment website which instructs the victim how to obtain Bitcoins and pay the ransom. In the said website, the victim needs to upload and submit a ransom note. Next, the victim can upload one encrypted .nemty extension file (max file size 1Mb) to test the decryptor.

In the next page, the ransomware domain allows to download decrypted files and states the ransom price both in dollars and Bitcoins. Nemty ransomware typically asks for $1000 or 0.09817 in BTC. There is also a chat box which can be used to contact the ransomware developers.

The payment website allows sending message to the criminals.

It has been noticed that the majority of NEMTY PROJECT attacks were registered in Korea and China, although U.S. are also among the top target countries. It doesn’t stop the virus from spreading worldwide, though.

If your files have been encrypted by this particular ransomware, you can recover your files for free – simply follow the instructions below the article to remove NEMTY ransomware virus. Then recover your files using the decryption guide we provide.

Threat Summary

Name	NEMTY PROJECT, NEMTY REVENGE, NEFILIM, NEMTY SPECIAL EDITION
Type	Ransomware; Crypto-virus; File Locker
Exlusions	Doesn’t encrypt computers in Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Ukraine
Encryption methods	AES-256, RSA-2048 and RSA-8192
File marker	.nemty or ._NEMTY_[random chars]_
Ransom note	NEMTY-DECRYPT.TXT or _NEMTY_[random chars]_-DECRYPT
Ransom demand	$1000-$1300
Distribution methods	Hacked RDP connections, RIG EK and malicious websites
Decryption	Can be decrypted with Nemty decrypter
Removal	Can be removed using antivirus

NEMTY REVENGE ransomware fixes its flaws

NEMTY REVENGE 2.0 ransomware is the second edition of the primary malware version. This version uses an updated encryption routine which cannot be breaked down by the security experts. This update was released as a response to the decryption tool released by Tesorian. The ransomware marks files with .NEMTY_[victim’s ID] extension and in the ransom note called NEMTY_victim’sID-DECRYPT.txt suggests contacting one of the following emails:

elzmflqxj@tutanota.de;
helpdesk_nemty@aol.com.

Ransom note left by NEMTY REVENGE 2.0 ransomware version.

The latter versions, such as Nemty 2.3 or the latest, 2.5, do not provide contact e-mail addresses, but provide a dark web link accessible via Tor browser.

The updated virus version demand $1300 in Bitcoin as a ransom. Currently, NEMTY REVENGE 2.0 versions cannot be decrypted (no third-party tools can be helpful).

Update March 14: Nemty reappears as NEFILIM ransomware

On March 14, cybersecurity researchers spotted a new variant of Nemty called NEFILIM ransomware virus. The malware was traditionally dubbed so after the file-marking extensions it appends on encrypted data. The new variant uses NEFILIM-DECRYPT.txt as ransom note and suggests contacting one of the new criminals’ emails:

jamesgonzaleswork1972@protonmail.com;
pretty_hardjob2881@mail.com;
dprworkjessiaeye1955@tutanota.com.

The malware urges to contact the criminals within 7 days or collected private data about the victim will be published online.

The ransomware is distributed using the RIG exploit kit

The ransomware has been around since August 2019 and security experts have observed a variety of methods used for its distribution, each described below.

One of the most powerful ways it uses to reach target systems is RIG Exploit Kit. It has been used for the distribution of many well-known ransomware strains including Cerber, GandCrab, and others. The exploit kit targets computers still using outdated technologies such as Internet Explorer and Flash Player.
What is more, Nemty Project ransomware also uses the same method used by Phobos ransomware. It tends to attack computer networks via hacked Remote Desktop Connections (RDP).
Finally, the cyber attackers serve the malicious payload via a fake Paypal cashback website. The webpage promises a 3-5% return from purchases made via their system. The web page suggests downloading an executive file named cashback.exe, which is the ransomware file itself. Although the malicious website is marked as Deceptive Site Ahead or This Site Ahead Contains Harmful Programs, some people ignore the warning and continue to visit it.
TRIK Botnet is known to be distributing Nemty virus via SMB protocol. The botnet attempts to connect to computers with 139 port open, brute-forcing known weak username and password combinations to access the remote computer.

We strongly encourage you to learn these ransomware prevention techniques to avoid similar attacks in the future.

Remove NEMTY ransomware virus safely

Remove NEMTY ransomware virus as soon as possible to start the data decryption procedure. You can find detailed instructions on how to eliminate this malicious software from your computer right here below the article. Do not forget to update your security software before running a system scan. It helps to identify and delete files belonging to the described crypto-malware.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS

REMOVE & PROTECT WITH INTEGO

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7.. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.

Use INTEGO Antivirus to remove detected threats from your computer.

Read full review here.

STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER

DOWNLOAD RESTORO

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Read full review here.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

NEMTY ransomware Removal Guidelines

Method 1. Enter Safe Mode with Networking

Step 1. Start Windows in Safe Mode with Networking

Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:

Instructions for Windows XP/Vista/7 users

First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.

Instructions for Windows 8/8.1/10 users

Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.

Step 2. Remove files associated with the virus

Now, you can search for and remove NEMTY ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).

REMOVE MALWARE & REPAIR VIRUS DAMAGE

1 Step. Get robust antivirus to remove existing threats and enable real-time protection

SECURE YOUR PC NOW

See Full Review

INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.

2 Step. Repair Virus Damage on Windows Operating System Files

REPAIR VIRUS DAMAGE

See Full Review

Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.

Step 1. Boot Windows in Safe Mode with Command Prompt

Instructions for Windows XP/Vista/7 users

Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.

Instructions for Windows 8/8.1/10 users

Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.

Step 2. Start System Restore process

Wait until system loads and command prompt shows up.
Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
Click Yes to begin the system restoration process.

After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

How to decrypt .nemty files

After Nemty ransomware removal, you can start decrypting your files using this tool developed by Tesorian. The decryptor works on files locked by ransomware versions 1.4 and 1.6. Victims of 1.5 and other versions should stay patient and wait for updates.

The currently known tool can decrypt these file extensions (more added with each decryptor update):

gif, mp3, jpeg, avi, bmp, jpg, mov, mp4, doc, mov, mp4, qt, 3gp, mpeg, mpg, doc, docb, dot, ole, pot, pps, ppt, xls, xlsb, xlt, pdf, png, tif, tiff, nef, txt, docm, docx, dotm, dotx, jar, potm, potx, ppsm, ppsx, pptm, pptx, xlsm, xlsx, xltm, xltx, zip, wbk, xlm.

The decryptor can restore the majority of your files encrypted by the annoying virus.

To get the decryptor, victims should contact Tesorian and ask them to provide NEMTY decryptor download link. Be patient and you will receive an email from them. The security firm works silently and generates the decryption key on their own servers. This is done in order to prevent decryptor analysis and possible future ransomware updates.

NOTE. Be careful of scammers who claim to able to recover your files for a higher cost. Some of them simply pay the criminals using your money. You can read more about such case on The Register.

Norbert Webb

Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.