Skip to content ↓ | Skip to navigation ↓

Digital attackers are sending around love-themed malicious emails in an attempt to infect recipients with the Nemty ransomware.

If you’ve been kicking around in the world of IT security for more years than you’d like to admit, then you’ll surely remember the ILOVEYOU virus (also known as the “Love Bug” or “Loveletter”).

When the Love Bug virus struck in May 2000, it tricked millions of people into opening its malicious attachment by posing as a love letter from a friend or colleague. It wasn’t a particularly sophisticated piece of malware, but as a piece of social engineering, it was undeniably genius.

After all, who doesn’t love the idea of receiving an email with the subject line “ILOVEYOU”?

Perhaps memories of the Love Bug were high in the minds of those responsible for a current campaign involving the Nemty ransomware, which seems to be using very similar tactics.

As Bleeping Computer reports, malicious emails are being sent out with subject lines like:

  • I love you
  • Can’t forget you
  • Don’t tell anyone
  • Letter for you
  • Will be our secret

Attached to each email is a ZIP archive file named LOVE_YOU_######_2020.zip (where the ###### represents random characters), and inside that archive is a malicious script called LOVE_YOU.js.

As in affairs of the heart, one things lead to another. In this case, the malicious Javascript downloads the Nemty ransomware from the internet and runs it on your computer, encrypting files and demanding a ransom payment for the decryption key.

The start of the ransom note reads as follows:

—> NEMTY 2.5 REVENGE <—

Some (or maybe all) of your files got encryped.
We provide decryption tool if you pay a ransom.

Don’t worry, if we can’t help you with decrypting – other people won’t trust us. We provide test description, as proof that we can decrypt your data.

You have 3 month to pay (after visiting the ransom page) until decryption key will be deleted from server. After 3 month no one, even our service can’t make decryptor.

In an attempt to frustrate recovery of encrypted data for those organizations who did not make secure backups, Nemty makes a point of deleting the shadow copies of all files it encrypts.

Worryingly the criminals behind the Nemty ransomware have indicated that they are planning to release data stolen from victims if ransoms are not paid, a tactic which is growing in popularity amongst extortionists.

Users and organizations alike would be wise to follow security best practices designed to prevent a ransomware infection from happening in the first place.