BleepingComputer has published a blog analysing a new version of the Nemty ransomware being spread through a fake PayPal website. The Nemty ransomware has been seen testing various distribution methods, such as via exploit kits, but this article discusses a new vector. In this case, the attacker used content from a legitimate PayPal website to host a fake copy on a homograph domain name.
If a user downloads the falsely advertised cash back app, a malicious executable is retrieved instead. Upon execution, this payload, which has been identified as Nemty ransomware version 1.4, checks whether the host is in Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine. If it is, execution stops. Otherwise, the ransomware proceeds with the encryption process.
The ransom note demands 0.09981 BTC (about 1,000 USD) be paid via a Tor payment portal in exchange for the decryption key.
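The homograph domain used as the lure above is the detectable part of this chain. The following is an added defender-side example, not from the BleepingComputer article, that decodes punycode (`xn--`) labels, reduces a label to an ASCII "skeleton" via a small constructed confusable map, and flags mixed-script or lookalike matches against a watched brand list (the `CONFUSABLES` table and brand names are assumptions for illustration, not the article's indicators).

```python
import unicodedata

# Constructed map of common confusables to the ASCII letters they mimic.
# A production check would use the Unicode confusables.txt data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                 # Cyrillic
    "\u0131": "i", "\u0142": "l",                                # Latin variants
    "1": "l", "0": "o",                                          # digit swaps
}

def to_unicode(host: str) -> str:
    """Decode any xn-- labels to their Unicode form; ASCII labels pass through."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label for review
        labels.append(label)
    return ".".join(labels)

def skeleton(label: str) -> str:
    """Strip diacritics and map confusables so lookalikes collapse to ASCII."""
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue  # drop combining marks such as the dot under a letter
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)

def scripts(label: str) -> set:
    """Set of Unicode script names (LATIN, CYRILLIC, ...) used by letters in the label."""
    return {unicodedata.name(ch, "").split(" ")[0] for ch in label if ch.isalpha()}

def analyze(host: str, brands=("paypal",)) -> dict:
    """Return the decoded host, its registrable label, the skeleton and any flags."""
    uni = to_unicode(host)
    parts = uni.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    skel = skeleton(label)
    flags = []
    if len(scripts(label)) > 1:
        flags.append("mixed-script")
    if not label.isascii():
        flags.append("non-ascii")
    for brand in brands:
        if skel == brand and label != brand:
            flags.append(f"lookalike:{brand}")
    return {"unicode": uni, "label": label, "skeleton": skel, "flags": flags}
```

Run `analyze()` over proxy or DNS log hostnames; a hit on `lookalike:` for a brand the organisation uses is worth an alert even before the payload is seen.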
Indicators of Compromise