{"id":16344,"date":"2019-09-17T21:40:04","date_gmt":"2019-09-18T05:40:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/09\/17\/news-10085\/"},"modified":"2019-09-17T21:40:04","modified_gmt":"2019-09-18T05:40:04","slug":"news-10085","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/09\/17\/news-10085\/","title":{"rendered":"Nemty Ransomware 1.0: A Threat in its Early Stage"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>FortiGuard Labs was investigating the Sodinokibi ransomware family when we came across the newly discovered Nemty Ransomware. Interestingly, as we analyzed this new malware, we also encountered an artifact embedded in its binary that we were very familiar with, since it was also used by the GandCrab ransomware before the threat actors announced their <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/gandcrab-threat-actors-retire.html\">retirement<\/a>. 
It is also interesting to see that the Nemty ransomware is being distributed using the same method as Sodinokibi, a malware that has strong similarities to GandCrab.<\/p>\n<p>This report discusses the technical aspects of the new ransomware, including some irregularities that make us think that it is still in its early stage of development.<\/p>\n<h2><b>Discovery<\/b><\/h2>\n<p>The first sample that we were able to analyze came from a link that was shared by the <a href=\"https:\/\/twitter.com\/BotySrt\">@BotySrt<\/a> twitter bot account, which posts Pastebin links leading to the Sodinokibi and Buran malware families.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_420124331.img.png\" alt=\"Figure 1. Link that was supposed to lead to a Sodinokibi payload\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. Link that was supposed to lead to a Sodinokibi payload<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The links lead to Powershell scripts that execute embedded malware payloads using <a href=\"https:\/\/powersploit.readthedocs.io\/en\/latest\/CodeExecution\/Invoke-ReflectivePEInjection\/\">Reflective PE Injection<\/a>. We collected the links that were tagged as Sodinokibi, expecting to extract samples of that ransomware. 
However, as we were running our automation to extract the embedded binaries, we found an unsupported file, and as we investigated further, we discovered it was the new Nemty ransomware instead.<\/p>\n<h2><b>A GandCrab Flashback<\/b><\/h2>\n<p>In our initial analysis of the ransomware, we found a link embedded in its binary which we are very familiar with. It is a statement that was actually used by GandCrab when it was having its vaccine war with Ahnlab, as we detailed previously in our article discussing the evolution of <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/a-chronology-of-gandcrab-v4-x.html\">GandCrab v4.x<\/a>.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_837675417.img.png\" alt=\"Figure 2. Embedded link leading to an image\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Embedded link leading to an image<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_1722981753.img.png\" alt=\"Figure 3. 
GandCrab\u2019s version of the image\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. GandCrab\u2019s version of the image<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The similarities end there, however, so it is hard to say early on if there is any real relation between the two. But the inclusion of this artifact, combined with the fact that it is being distributed by the same group as Sodinokibi (which many see as the reincarnation of GandCrab), makes us curious.<\/p>\n<h2><b>Technical Analysis<\/b><\/h2>\n<h3>Obfuscation<\/h3>\n<p>The strings used throughout Nemty\u2019s execution are obfuscated using a combination of simple base64 encoding and RC4 encryption. To express their unsurprising animosity towards the security industry, this variant uses <i>\u2018f**kavx00\u2019 <\/i>as its vulgar RC4 encryption key.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_1223571761.img.png\" alt=\"Figure 4. String decryption using base64 and RC4 algorithm\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. String decryption using base64 and RC4 algorithm<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h3>File Encryption<\/h3>\n<p>Nemty ransomware uses a combination of AES-128 in CBC mode, RSA-2048, and the unusual RSA-8192 for its file encryption and key protection. The following steps summarize its encryption process.<\/p>\n<p style=\"margin-left: 40.0px;\">1. Generate a 32-byte value using a pseudo-random algorithm. 
This value is added to the <i>configuration <\/i>information later on. The first 16 bytes are used as the main AES key for file encryption.<u><\/u><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_591584251.img.png\" alt=\"Figure 5. Function to generate random characters\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. Function to generate random characters<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"margin-left: 40.0px;\">2. Generate an RSA-2048 key pair.<\/p>\n<p style=\"margin-left: 40.0px;\">3. Decrypt and import the embedded RSA-8192 Public Key using the same RC4-base64 function.\u00a0<\/p>\n<p><u>\u00a0<\/u><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_994212675.img.png\" alt=\"Figure 6. Embedded RSA-8192 Public Key\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. Embedded RSA-8192 Public Key<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"margin-left: 40.0px;\">4. 
Add the Private Key generated in step 2 to the <i>configuration<\/i> file, which also contains other information gathered from the system (discussed in the next section).<\/p>\n<p style=\"margin-left: 40.0px;\">5. Encrypt the <i>configuration<\/i> file using the RSA-8192 Public Key imported in step 3 and encode it in base64.<\/p>\n<p style=\"margin-left: 40.0px;\">NOTE: Using RSA encryption with an 8192-bit key is very unusual. In fact, this may be the first time that we have seen a ransom malware use such a strong \u2013 albeit overkill and inefficient for its purpose \u2013 encryption algorithm to protect information. In most cases, 2048- and 4096-bit keys are more than enough to secure any message. Using the longer key adds a large overhead due to significantly longer key generation and encryption times. Lastly, RSA-8192 can only encrypt 1024 bytes at a time, and even less once the space reserved for padding is taken into account. Since the\u00a0<i>configuration<\/i>\u2019<i>s <\/i>size will surely exceed that, because it contains the encoded Private Key (from step 4), the malware cuts the information into chunks of 1000 (0x3e8) bytes and performs multiple RSA-8192 operations until the entire information is encrypted.<\/p>\n<p style=\"margin-left: 40.0px;\">6. Generate another 16-byte value using the same algorithm used in step 1. This is the IV (Initialization Vector) for the AES-128 CBC mode encryption. A new IV is generated for every file.<\/p>\n<p style=\"margin-left: 40.0px;\">7. Encrypt the file content using the main AES Key from step 1 and the current IV.<\/p>\n<p style=\"margin-left: 40.0px;\">8. Encrypt the current IV using RSA-2048 with the Public Key generated locally in step 2 and encode it in base64.<\/p>\n<p style=\"margin-left: 40.0px;\">9. 
Append the encrypted IV to the file.<\/p>\n<p><u>\u00a0<\/u><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_157281215.img.png\" alt=\"Figure 7. File encryption process\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. File encryption process<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_1675047150.img.png\" alt=\"Figure 8. Structure of encrypted file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. 
Structure of encrypted file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This means that, as of now, file decryption is not practically possible without the threat actor\u2019s RSA Private Key that pairs with the embedded RSA Public Key.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_122449978.img.png\" alt=\"Figure 9. File decryption process\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. File decryption process<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The screenshot below shows the files that it avoids during its encryption process. Notice that \u201cboot.ini\u201d is compared twice. This is clearly an error, which implies that this malware may be in its early stages.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_741794780.img.png\" alt=\"Figure 10. Whitelisted folders\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. 
Whitelisted folders<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It also avoids files with specific extensions, as listed in the next image, although it is done in a very unusual and rather inefficient way using case-insensitive string comparison.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_1821519469.img.png\" alt=\"Figure 11. Whitelisted file extensions\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11. Whitelisted file extensions<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The confusion continues when it checks to see if the IP address of the victim is located in Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine by accessing hxxp:\/\/api.db-ip.com\/v2\/free\/<i>{IP address}\/<\/i>countryName. Ironically, regardless of the result, it still proceeds to the file encryption stage.<\/p>\n<h3>Victim Configuration File<\/h3>\n<p>The <i>configuration <\/i>file<i>,<\/i> as referred to in the malware\u2019s ransom note, acts as the victim\u2019s identification and key for file decryption. The information is assembled and written in JSON format to %USERPROFILE%\/{<i>FileID<\/i>}.nemty, wherein the <i>FileID<\/i> is _NEMTY_{<i>7 random characters<\/i>} (e.g. _NEMTY_NIZ8NSt_.nemty). 
In generating the random characters, it uses the same algorithm used in generating the AES Key and IVs.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_1413881904.img.png\" alt=\"Figure 12. Configuration file in JSON format\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12. Configuration file in JSON format<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_1127859761.img.png\" alt=\"Figure 13. Configuration file information descriptions\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13. Configuration file information descriptions<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The UserID is set to a value hardcoded in the binary. 
This is possibly an affiliate ID, which would mean that Nemty is being sold as a Ransomware-as-a-Service (RaaS).<\/p>\n<h3>Ransom Note and Payment Page<\/h3>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_1655297983.img.png\" alt=\"Figure 14. Ransom note\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14. Ransom note<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The payment page is hosted in the Tor network for anonymity, which has become a standard for ransomware operations. To get to the main payment page, the victim must upload the encrypted configuration file and an encrypted file for a decryption test. As of this writing, the threat actors are demanding $1000 in bitcoins in exchange for the decryption of the victim\u2019s files.<\/p>\n<p>There is a function that sends the encrypted configuration in order to exfiltrate the <i>configuration <\/i>data from the victim\u2019s machine, although it clearly is not yet operational. This is because the hardcoded IP address, which is supposed to be the threat actors\u2019 C2 server, is actually the victim system\u2019s loopback address, 127.0.0.1. 
It is possible that they simply have not configured an operational server to receive the data yet, which is another clue that this ransomware is still in the development stage.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_721160494.img.png\" alt=\"Figure 15. Function for sending configuration data \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 15. Function for sending configuration data <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As a result, all information needed for decryption and identification has to be manually submitted by the victim.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_837045182.img.png\" alt=\"Figure 16. Upload pages for test decryption\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 16. Upload pages for test decryption<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The payment page supports the Russian language, which is very unusual and confusing. Considering the embedded image with the Russian statement that was discussed earlier, it is easy to assume that the developers of Nemty are of Russian descent. 
Normally, they would avoid infecting Russian users so as to not attract attention from authorities in their region. However, this does not seem to be the case for this ransomware.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"Figure 17. Main payment page\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 17. Main payment page<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2><b>Conclusion<\/b><\/h2>\n<p>Nemty Ransomware is a new file encrypting malware that is being actively distributed. Although it is interesting to think that it may have some relation to GandCrab and Sodinokibi, aside from the insulting Russian statement and the similar distribution method, we have not found any compelling evidence to tie them together.<\/p>\n<p>It also appears that this malware may be yet another RaaS (Ransomware-as-a-Service) due to the existence of a possible affiliate ID. This means we might be seeing more of this malware being distributed through other means pretty soon.<\/p>\n<p>We have also discussed several irregularities and inefficiencies in its code, implying that it is still in its early stage of development. Despite that, however, in its current state it can still carry out file encryption on a victim\u2019s system, making it a real threat.<\/p>\n<p><i>As of this writing, a new version of this malware has been found and is already being analyzed. 
FortiGuard Labs will be releasing a new report about it.<\/i><\/p>\n<p>-= FortiGuard Lion Team =-<\/p>\n<h2><b>Solutions<\/b><\/h2>\n<p>Fortinet customers are protected by the following:<\/p>\n<ul>\n<li>Samples are detected by our W32\/Gen.NVV!tr.ransom signature<\/li>\n<li>FortiSandbox rates the malware\u2019s behavior as high risk<\/li>\n<\/ul>\n<h2><b>IOCs<\/b><\/h2>\n<p>267a9dcf77c33a1af362e2080aaacc01a7ca075658beb002ab41e0712ffe066e (Nemty ransomware from Powershell) &#8211; W32\/Gen.NVV!tr.ransom<br \/> hxxps:\/\/pastebin.com\/raw\/NE3TJ3z1 (link to the Powershell loader)<br \/> 127.0.0.1:9050\/public\/gate?data=<i style=\"\">{encrypted configuration}<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p><a 
href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/4RxOYgFbqPM\/nemty-ransomware-early-stage-threat.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/nemty-ransomware-early-stage-threat\/_jcr_content\/root\/responsivegrid\/image_420124331.img.png\"\/><br \/>Learn about the technical details of the recently discovered Nemty ransomware, including some interesting irregularities.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/4RxOYgFbqPM&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-16344","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16344","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16344"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16344\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"h
ttp:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16344"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}