August 27, 2019 By David Bisson

A sample of the Nemty ransomware family hid a strongly worded message directed at the antivirus industry within its code.

In its analysis of the threat, Bleeping Computer found that the ransomware deleted the shadow copies for the files it encrypted. This step effectively removed one way by which victims could recover their files for free. Upon completing its encryption routine, the crypto-malware then displayed a ransom note instructing victims to visit a payment portal hosted on the Tor network and submit 0.09981 BTC (worth $1,010.74 at the time of writing) in exchange for a decryption tool.

This particular ransomware stood out among other families, however, because it arrived with several messages hidden in its code. First, Bleeping Computer observed that the sample used “hate” as the name for its mutex object. Second, researchers noted how Nemty used a strongly worded message directed at the antivirus industry as the name for its key that decodes base64 strings and creates URLs.

A Look at Other Threats’ Hidden Messages

Nemty isn’t the only threat with hidden messages in its code. In December 2015, for instance, Emsisoft analyzed a variant of Radamant ransomware and found that the executables and domain names for the threat’s command-and-control (C&C) servers used strings that expressed displeasure toward the security firm.

Just a few months later, in June 2016, the antivirus provider came across a sample of Apocalypse directing insults at its research team. That’s around the same time that Bleeping Computer reported on a sample of Black Shades Crypter ransomware that used hidden messages to taunt security researchers who might be analyzing it.

How to Defend Against Nemty Ransomware

Security professionals can bolster enterprise defenses against threats like Nemty ransomware by developing an incident response plan and practicing it ahead of real attacks. Organizations should also continue to focus on user education by investing in a security awareness training program that helps employees learn about phishing attacks, ransomware and other threats.


UPDATE: Researchers at Tesorion took a close look at Nemty and noticed a few crucial deviations in the threat’s implementation of the AES-CBC encryption algorithm. Using those deviations, the researchers developed a process that allows victims in some cases to recover their affected files for free.
