Security researcher nao_sec discovered that cybercriminals are spreading Nemty ransomware via a fake PayPal page
A fake PayPal page is spreading a new variant of the Nemty ransomware. It was discovered by the security researcher nao_sec. To reinforce the lure, the criminals also promise a 3-5% return on purchases made through the payment system. According to Bleeping Computer, at first glance the fake web page looks genuine, because the criminals reused the visuals and structure of the original. To add to the deception, they also use a homograph domain name for the links to the various sections of the site (Help & Contact, Fees, Security, Apps, and Shop). The crooks achieved this by using, in the domain name, Unicode characters from a different alphabet that look like Latin letters. Because DNS only carries ASCII, browsers convert such names into their Punycode form, and many of them display that ASCII form in the address bar when a label mixes scripts, which is what exposes the trick. In this case, what in Unicode looks like paypal.com translates to ‘xn--ayal-f6dc.com’ in Punycode.
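As an added example (not part of the original article, nor code from nao_sec or Bleeping Computer), the Python below decodes the Punycode form reported above and applies the two checks a browser, mail gateway or proxy filter would use on it: it flags a label that mixes Latin with another script, and it maps a constructed table of Cyrillic look-alikes back to Latin to see whether the label collapses to a protected brand name. The confusable table, the brand list and the function names are assumptions for illustration; only the standard library is used.

```python
"""Decode IDN (Punycode) hostnames and flag homograph look-alikes."""
import unicodedata

# Constructed table: Cyrillic letters that render like Latin ones.
# A real filter would use the Unicode confusables.txt data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04bb": "h", "\u04cf": "l",
}


def decode_idn(host: str) -> str:
    """Return the Unicode form of an ASCII hostname (xn-- labels decoded)."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # Punycode is what sits after the ACE prefix; RFC 3492 decoding.
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def script_of(ch: str) -> str:
    """Approximate the Unicode script of a character from its name
    ("LATIN SMALL LETTER A" -> "LATIN", "CYRILLIC SMALL LETTER ER" -> "CYRILLIC")."""
    if ch in "-0123456789":
        return "COMMON"
    try:
        return unicodedata.name(ch).split(" ")[0]
    except ValueError:
        return "UNKNOWN"


def scripts_in(label: str) -> set:
    """Set of scripts used in a label, ignoring digits and hyphens."""
    return {script_of(c) for c in label} - {"COMMON"}


def skeleton(label: str) -> str:
    """Replace known look-alike characters with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in label)


def analyze(host: str, brands: set) -> tuple:
    """Decode a hostname and return (unicode_host, list of findings).

    Two independent checks: a mixed-script label (the PayPal case, where
    Latin and Cyrillic are interleaved) and a confusable match, which also
    catches a label written entirely in one foreign script."""
    unicode_host = decode_idn(host)
    findings = []
    for label in unicode_host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
        skel = skeleton(label)
        if skel != label and skel in brands:
            findings.append(f"label {label!r} is a confusable of brand {skel!r}")
    return unicode_host, findings


if __name__ == "__main__":
    for sample in ("xn--ayal-f6dc.com", "paypal.com"):
        decoded, hits = analyze(sample, {"paypal"})
        print(sample, "->", decoded, "|", hits or "clean")
```

Run on the domain from the article, the decoder shows that the two letters "p" of the label are in fact Cyrillic er (U+0440), so both the mixed-script check and the confusable check fire; the genuine paypal.com produces no finding. The confusable check matters for the second kind of homograph, a label built entirely from one foreign script, which passes the mixed-script test but still collapses to the brand name.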
The malware does not affect computers in Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine. Otherwise, everybody is a target
There is no confirmation, but the new variant of Nemty was probably developed by Russian-linked cybercriminals. According to the security researcher Vitali Kremez, the malware checks whether the infected computer is located in Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine; if it is, the ransomware does not proceed with file encryption, otherwise it does. The ransom demanded to unlock the data is 0.09981 Bitcoin, and the payment portal is hosted on the Tor network for anonymity. Before the fake PayPal page, the criminals distributed Nemty through other channels: at the end of August the researcher Mol69 saw the ransomware being spread via the RIG exploit kit (RIG EK). Fortunately, in the PayPal case several clues point to the fraudulent nature of the page, which is flagged as dangerous by the major browsers.