Nemty is a ransomware-as-a-service (RaaS) operation active approximately from August 2019 through April 2020. The content states it was originally launched in January 2019 as JSWorm and rebranded as Nemty in August 2019. It is also referenced alongside related or historical RaaS operations including Nemty X, Karma, Nokoyawa, and JSWORM.
Operationally, Nemty used backend infrastructure centered on the single IP address 5.182.39.200 during its observed lifetime, with associated virtual hosts including nemty.top, nemty.hk, and nemty10.hk. Nemty used the BraZZZerS fast-flux/proxy protection service to protect at least nemty.top and nemty.hk. Researchers reported that BraZZZerS logging exposed Nemty panel activity, including socket.io polling and JWT tokens in GET requests; the leaked tokens could reportedly be reused in cookies to access the Nemty panel as the authenticated user.
The provided changelog excerpts indicate active development of both the ransomware and affiliate panel. Reported features and updates included builder and panel fixes, a drives section on the bots page, asynchronous threading to increase encryption speed, a file extension format of .NEMTY{filkeid}_, visibility of victims in the panel before encryption began, file-extension exclusions, and logic to kill processes and stop services prior to encryption. Named targeted processes/applications included SQL, Word, Outlook, Thunderbird, Oracle, Excel, OneNote, and VirtualBoxVM. Named targeted services included DbxSvc, OracleXETNSListener, OracleServiceXE, AcronisAgent, Apache2.4, MongoDB, SQLWriter, SQLBrowser, and MSSQL-related services. A September 2019 update introduced FastFlux, and an October 2019 update stated the ransomware changed its encryption algorithm and added its own key generator rather than using pseudo keys. The changelog also noted that if an affiliate had no Bitcoin address configured, victims could not open the payment page.
Nemty operated with affiliates, and the content identifies observed affiliate nicknames including jokeroo, symmetries, helliscod, and sprite77. The reporting emphasizes that these affiliates also participated in other ransomware ecosystems such as GandCrab, Dharma, and DJVU, reflecting overlap across RaaS programs. Nemty is also listed among ransomware groups that operated leak sites as part of double-extortion activity.
Association reporting in the content links Nemty to broader ransomware and cybercrime ecosystems. It is mentioned in connection with the aliases salfetka, rinc, and farnetwork, which were tied to Nokoyawa, JSWORM, Nefilim, Karma, and Nemty operations. Volodymyr Tymoshchuk is also described as linked to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs. Separate reporting cited in the content states LUNAR SPIDER maintained affiliations with Nemty and that Nemty leveraged IcedID for initial access.
A possible operational security failure is described in which a StackOverflow user posted code referencing 5.182.39.200 while debugging a Bitcoin node on September 25, 2019, suggesting a possible link to Nemty backend development, though this remains suggestive rather than conclusive based on the content alone.
High-confidence infrastructure and behavioral indicators mentioned in the content include domains nemty.top, nemty.hk, and nemty10.hk; backend IP 5.182.39.200; and the encrypted file extension pattern .NEMTY{filkeid}_.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
10 distinct techniques documented for this family, organized by ATT&CK tactic.
09.09.2019 08:46:37 Mini update update build, now ransomware will skip files with “nemty”, “exe”, “log”, “cab”, “cmd”, “com”, “cpl”, “exe”, “ini”, “dll”, “url”, “ttf”, “url” extension and even in upper case added process kill “sql”, “winword”, “wordpad”, “outlook”, “thunderbird”, “oracle”, “excel”, “onenote”, “virtualboxvm”
In the log we can see that: A client 96.57.xx.xxx Sent a web request “GET tuneappservice.org/l3k42hj56h634gkj2lk14356jk4gh23k5jl6h4/gate.php?ped=RTY3M0E4NjhDQ0I5JE1DLTEwNw” We can see here what looks like a malware callback, it’s in fact Riltok.
The service is described as a Fast flux but in reality it’s more a simple proxy system. BraZZZers rents a pool of VPSs all around the internet and uses them as proxy IPs in order to hide the real IP of a server.
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named ransomware operation referenced in connection with aliases linked to the seller of INC source code.
Referenced as a historical RaaS/ransomware operation with TTP overlap to INC Ransom (no additional details provided).
Nemty is a ransomware family associated with the same administrator as JSWORM, Karma, and Nokoyawa.
Ransomware-as-a-Service platform used for extortion and data encryption.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.