Rewterz Threat Alert – Nemty Ransomware Delivered via Trik Botnet Using SMB Protocol

Wednesday, November 6, 2019



Analysis Summary

Nemty ransomware is now being delivered to compromised computers by the Trik botnet. The criminals behind the botnet use the infected computers to send email spam and have been observed pushing out a wide range of malware families, to which Nemty has now been added. In the past, Nemty has been spread via the RIG exploit kit and via malicious spam campaigns targeting users in Korea and China, where the malware is attached inside an archive. Korea accounts for 40% of Nemty's observed targets and China for 36%.

We observed a recent version of Trik delivering a small component that uses the Server Message Block (SMB) protocol and a list of hardcoded credentials to try to log in to remote computers that have TCP port 139 open.

First, the SMB component creates a registry entry. It then checks whether the file winsvcs.txt is present in the %AppData% directory on the compromised computer. If winsvcs.txt is not present, the Nemty ransomware is downloaded and executed. If winsvcs.txt is present, the SMB component checks whether it is running as a service. If it is not, the component tries to spread itself over SMB. To find targets, it generates random IP addresses and tries to connect to each of them on port 139. Any public IP address with port 139 open that accepts one of the common administrator username and password pairs on its list can be infected. If access is granted, the malware copies itself to the remote machine over SMB and then uses the Windows Service Control Manager to start the SMB component on that machine. Note that Nemty deletes shadow copies and backups before encryption rather than after, so once encryption begins there is nothing left on the host to restore from.

The developers behind the Nemty ransomware are constantly updating and improving its code, as well as its delivery methods, in an attempt to reach more victims.


Impact

  • File encryption
  • Unauthorized access

Indicators of Compromise


MD5

  • 6c05aa998d0523f2855769bd30b2d0d1
  • 7334c27a6a2531b01ec94922160b87cf
  • a24bb61df75034769ffdda61c7a25926
  • e3b9f2863742a134506a017edbd09594
  • 80f5f2296cae3bea63fc14a867d97dd4
  • 3282f6c806a89359ec94f287cf6c699c
  • 95a2272ee95654fd51b5351811f3d989
  • 89eadd686c2dff611578028a608a6168
  • 51960de3286cf12fc93374cc8b87dd90
  • bb08689787fcb4bc029679acd1708177
  • 4297543f5744a0d90a1e5504fc807927
  • 76291be32823737f50c0a2593567019e
  • a37356a3804652f5484b891de66925e1
  • 712a19e062672ca95f393732f9250b6e
  • 36a8bf060f86867226c4268b41965e48
  • 87f19914a9966998a89839dbdc978d4f
  • ab97f71125a89d4d3d0855b8a419d3e1
  • f8dcf54aa841455db600fd9dd5243727
  • c6eeb9b0ffc0dcb664a25a4b3b0b4d40


SHA-256

  • 62c3b52b5310393dbf0590bc246161249632a1d2f21c3aa7fb779dc8018a0edf
  • 5078a0940abc31a7fa271483ac345044a91a0e21c517bceb85091cd3fca310f7
  • 0c77b260ee3fdd2754cd4f289efce709519aad34fa3cb84663655a6240e45973
  • 1ab8feefd67f3706a42f996a3291d24a7ab2c5eb67d98236eb73995d587576ad
  • 3ecb650c471d7c8291d084fffd634da0eddc9a473d29792d5033fe5fdcbf4ddd
  • 64d187bed40d023e14d41b1a80d528f5c12dcf743fcb4de91530567d3244e09e
  • 77689e7752470501d26cf8a5e2eb9b4e1ac372b27b2151268e0acf024e355f99
  • 81dab2787f72997afb09fb98ada159f78c3e93f9d3fa83f844e580620d08322a
  • 87fb207ae29baa300c2377625b745667a516e2243e1904ef81b4f7b97b5da1b0
  • 9875c102bbe89ad636096efca6b04d6b843529eb9717d822f7b0b42a087c7332
  • a0170a01e656cf7089a0d68a1803c3e2ba64ba8996c8eb5ffa8098940cb4c0ec
  • b9b4511065cb56bd162e143c22cf2afe32e3ee6617ba5a4852182cb0781f18f1
  • c6f43bedad8b0c3f60d71a2a6c1fab297e144483f17deeb5150bdbe6c73755a4
  • d746e41e18bb637062881aca207186dc3d005e79c857e025f89ce2a1b3e52ecf
  • d9edee0541b9a5baf2cb2b1915aef1d034efd4edd4b3c030b508669da1e2aaf2
  • db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5
  • f4909c420e208e4728116e8b0f4254c9f741d864f9618cddbe3f51b71f602066
  • fa2993f2455971244350178008cc671fb739b53d79b594c80e69047421ce1666
  • bf480a5862210b9e033f270379bb95c1d1fadd16bf0d21db5bfbc9268ae595ac


Remediation

  • Block the threat indicators at their respective controls.
  • Do not download email attachments or click on URLs from untrusted email addresses.
  • Actively monitor TCP port 139 for unexpected inbound and outbound connections, and block it at the network perimeter where it is not required.
  • Ensure local and domain administrator accounts do not use common or default passwords, since the SMB component relies on a fixed list of such credentials.
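The random-IP scanning on port 139 described in the analysis and the "monitor port 139" recommendation above can be turned into a concrete detection. The following is an added example, not Rewterz's code and not part of the original alert: it reads a constructed, simplified connection log, treats the RFC 1918 and loopback ranges as internal, and flags any internal host that fans out to TCP/139 on an assumed threshold of distinct external addresses. The log format, the sample addresses, the internal ranges and the threshold are all assumptions.

```python
"""Flag hosts that fan out to TCP/139 on many distinct external addresses.

Added example for the Nemty/Trik SMB spreader described in the alert. The log
format, sample data, internal ranges and threshold below are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log; assumed format: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>".
SAMPLE_LOG = """\
2019-11-06T10:00:01 10.0.0.5 203.0.113.7 139 SYN
2019-11-06T10:00:01 10.0.0.5 198.51.100.23 139 SYN
2019-11-06T10:00:02 10.0.0.5 192.0.2.44 139 SYN
2019-11-06T10:00:02 10.0.0.5 203.0.113.99 139 SYN
2019-11-06T10:00:03 10.0.0.5 198.51.100.201 139 SYN
2019-11-06T10:00:03 10.0.0.5 192.0.2.180 139 SYN
2019-11-06T10:00:04 10.0.0.9 10.0.0.12 139 SYN
2019-11-06T10:00:04 10.0.0.9 10.0.0.12 445 SYN
2019-11-06T10:00:05 10.0.0.7 93.184.216.34 443 SYN
not a valid line
"""

# Assumed: the organisation's own address space. Anything outside it is "external".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Assumed tuning value: distinct external TCP/139 targets from one source before alerting.
DEFAULT_THRESHOLD = 5


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "action": action,
        }
    except ValueError:
        return None


def is_internal(addr, internal_nets=INTERNAL_NETS):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in internal_nets)


def find_smb_spreaders(log_text, threshold=DEFAULT_THRESHOLD, ports=(139,)):
    """Return {source_ip: [sorted external destinations]} for every internal
    source that contacted `threshold` or more distinct external hosts on `ports`.

    The spreader picks target IPs at random, so the signal is the breadth of
    the fan-out, not any particular destination.
    """
    fanout = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["port"] not in ports:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            fanout[rec["src"]].add(rec["dst"])
    return {
        str(src): [str(d) for d in sorted(dsts)]
        for src, dsts in fanout.items()
        if len(dsts) >= threshold
    }


if __name__ == "__main__":
    for src, dsts in find_smb_spreaders(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} distinct external hosts on TCP/139, e.g. {dsts[:3]}")
```

In production the count would be kept per time window (the spreader fires its connection attempts in quick succession), port 445 would be added to `ports` for modern SMB, and a hit would be correlated with new services appearing on the source host, since the component installs itself on each victim through the Service Control Manager.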

Copyright © Rewterz. All rights reserved.