Tesorion associate partner of NoMoreRansom project

7 November 2019, News

Tesorion is proud to announce that it has been awarded an associate partnership in the NoMoreRansom project for contributing its Nemty ransomware decryptor. Tesorion is the 17th contributor to the project.

Nemty is a new ransomware family that appears to be in its early stages. We suspect it is used to drive ransomware-as-a-service (RaaS) offerings on the dark net. It bears a resemblance to the Sodinokibi and GandCrab ransomware families. FortiGuard Labs first analysed Nemty in September 2019. Tesorion Technology independently analysed Nemty and developed a decryptor by exploiting a bug in the Nemty code. A decryptor for version 1.4 was released at the end of September 2019, followed by an update adding support for version 1.6 two weeks later and another update adding support for version 1.5 a week after that.

After we found a way to build a working decryptor and published our first blog post on Nemty, we contacted Europol about their NoMoreRansom project. We were initially hesitant to publish our decryptor on the NoMoreRansom website, because we did not want to show the Nemty authors how to fix the bugs that allowed us to decrypt Nemty 1.4. While working on decrypting Nemty 1.5 and 1.6 we had several good discussions with Europol, and together we arrived at a setup in which the actual ‘cracking’ of the encryption is performed on our servers. This allowed us to distribute a simple decryptor binary that uses the result from our servers to decrypt the files on the victim’s machine, without revealing the cracking method itself. Interestingly, the Nemty authors have taken notice of our analysis of their code: Nemty 1.6 contains the string “tesorion thanks for your article”. Even though they fixed their encryption bug, our decryptor is still able to decrypt Nemty version 1.6.

The Tesorion CSIRT team has helped many Nemty victims over the past weeks, but as of this week our universal decryptor for Nemty versions up to and including 1.6 is available through the NoMoreRansom website, empowering Nemty victims to decrypt their files without Tesorion CSIRT assistance. We are proud to contribute our decryptor to the NoMoreRansom project as their latest associate partner.

Public acclaim for the decryptor: