Nemty ransomware operators close public ransomware-as-a-service operation and switch to private mode

Victims have one week to purchase decryption keys from operators

The cyber criminals behind the Nemty ransomware-as-a-service (RaaS) operation are reportedly shutting down their public operation and switching to private mode in a bid to concentrate on a newly launched malicious encryptor.

According to BleepingComputer, Nemty operator 'jsworm' recently posted a message on a Russian hacking forum to announce their decision to quit the public ransomware operation.

"We leave in private. Victims have a week to acquire decryptors, then it will be no longer possible. In a week you can close the topic, do not merge the master keys :)," jsworm said in the post.

Jsworm's post on the forum was shared with BleepingComputer by security researcher Vitali Kremez.

As per the post, jsworm will not merge the old master encryption keys used in the public RaaS with the new keys to be used in private operation. That means victims of the old operation have just one week to purchase decryption keys from the group if they want their files back.

After one week, it won't be possible to decrypt victims' files, jsworm warned.

Nemty is a classic ransomware-as-a-service (RaaS) operation that was launched in the summer of 2019 and heavily advertised on Russian hacking forums. However, it did not gain as much popularity as other ransomware groups. Recently, it started following other groups' tactics of exfiltrating victims' data before encrypting their systems.

Criminal groups who signed up with the Nemty RaaS were provided access to a web portal where they could create custom versions of the ransomware and distribute them using their own methods.

As part of the deal, the affiliates received 70 per cent of the ransom payments, while the ransomware operators received a 30 per cent cut.

The reputation of Nemty operators suffered to some extent in past months after security researchers decrypted three of its versions.

Last month, cyber actors behind the public RaaS launched a new ransomware dubbed Nefilim that shared the same code as Nemty 2.5.

The group also announced recently on a hacking forum that they had created a new version of the ransomware and were releasing it as "Nemty Revenue 3.1".