The .NEMTY file extension is appended to files encrypted by the NEMTY ransomware, including its latest version, which is called ‘NEMTY 2.5 REVENGE’. NEMTY is malware that makes the contents of a victim’s files inaccessible by encrypting them. Removing the new file extension does not unlock the encrypted files. The only way to recover .NEMTY files is to decrypt them using a decryptor and a unique key. Fortunately, there is a free decryptor that can decrypt files encrypted by most versions of the ransomware. Scroll down to find out more about the decryptor, where to download it and how to use it to decrypt .NEMTY files.
NEMTY virus is really a nasty program. It infects a computer when a victim downloads or runs malware-infected files. Criminals lure unwary users into downloading ransomware by hiding malicious code within freeware, cracked versions of paid software, key generators, and so on. Upon execution, an instance of the ransomware is installed on the victim’s computer.
Once installed on a computer, NEMTY encrypts the victim’s files using a strong encryption algorithm and a long key. This key is unique for each infection, which means that the key from one victim cannot be used to decrypt files from another victim.
NEMTY tries to encrypt as many files as possible, therefore it encrypts files quickly. Even files located on external drives and cloud storage are not safe. If at the time of file encryption these disks are connected to the computer, then all data on them will also be encrypted. Of course, it does not encrypt Windows system files, as this will cause the computer to stop working. All other files on the victim’s computer will be encrypted. So files of the following types can be encrypted:
.wp5, .sis, .xdl, .docm, .pst, .vcf, .pkpass, .zip, .wpe, .orf, .ws, .2bp, .slm, .dxg, .wp, .svg, .xy3, .jpg, .vfs0, .vpk, .apk, .wdb, .wpd, .erf, .ibank, .asset, .xlsm, .lvl, .ltx, .wpd, .wma, .pptx, .xls, .epk, .wpw, .mlx, .wb2, .zw, .7z, .wmf, .odm, .hkdb, .fsh, .crw, .jpe, .fos, .bik, .vtf, .py, .xxx, .mdb, .wn, .wav, .mef, .xlsx, .js, .wpb, .xlsb, .pfx, .bkf, .wcf, .zdc, .bc6, .xpm, .itdb, .bsa, .t12, .eps, .p12, .cr2, .sql, .srf, .qic, .zip, .gdb, .0, .rtf, .ai, .xls, .cfr, .yal, .mcmeta, .crt, .arw, .wdp, .wsh, .dazip, .sum, .map, .wmv, .yml, .rw2, .jpeg, .p7c, .tax, .layout, .gho, .mp4, .zabw, .iwi, .ppt, .wire, .der, .forge, .ntl, .dwg, .xbplate, .litemod, .dng, .xlgc, .raw, .wpg, .xf, .png, .sav, .tor, .doc, .pdd, .bar, .kf, .sb, .cdr, .p7b, .esm, .snx, .xml, .odb, .zif, .wps, .x3f, .sid, .wbz, .bkp, .wbmp, .pdf, .rim, .icxs, .ncf, .y, .xmmap, .kdc, .xlsm, .sidd, wallet, .w3x, .ybk, .pef, .mdf, .webp, .cer, .db0, .ods, .1, .x3d, .bc7, .desc, .dbf, .bay, .dba, .indd, .odt, .hplg, .das, .fpk, .t13, .wgz, .xyp, .arch00, .odc, .ptx, .wot, .xlk, .wsd, .wmd, .iwd, .kdb, .flv, .wma, .pem, .r3d, .accdb, .itl, .mdbackup, .sidn, .wmo, .wp7, .3dm, .wbm, .mpqge, .pak, .rwl, .lrf
Each file that has been encrypted gets a new filename, which consists of its old filename and the extension ‘.NEMTY-[string of random characters]’ appended to the right. This literally means the following: if the file was called ‘price.xlsx’, then its encrypted version will be called ‘price.xlsx.NEMTY-DK1S8JQ’. NEMTY virus encrypts files in each directory on all drives on the computer. When all the files in the directory are encrypted, it drops a new file with the name ‘NEMTY_[string of random characters]-DECRYPT.txt’ in this directory. The following is the contents of such a file.
This file contains a ransom demand message from the NEMTY authors. The ransom note says that all the files on the computer are encrypted and that the only working way to decrypt them is to buy a decryptor and a key. The attackers direct the victim to a page at the address nemty.top/public/pay.php, which contains information on how to decrypt files. They demand a ransom, which must be paid in bitcoins. If the victim does not pay the ransom within 3 months, the criminals threaten to remove the decryption key from their server, after which decryption of the victim’s files will be impossible. The criminals offer to decrypt one file for free. Of course, the successful decryption of a single file does not guarantee that paying the ransom will allow the victim to decrypt the rest of the .NEMTY files.
The full text of NEMTY ransom demand message:
NEMTY 2.5 REVENGE
Some (or maybe all) of your files got encryped.
We provide decryption tool if you pay a ransom.
Don’t worry, if we can’t help you with decrypting – other people won’t trust us.
We provide test decryption, as proof that we can decrypt your data.
You have 3 month to pay (after visiting the ransom page) until decryption key will be deleted from server.
After 3 month no one, even our service can’t make decryptor.
1) Web-Browser
a) Open your browser.
b) Open this link: http://nemty.top/public/pay.php
c) Upload this file.
d) Follow the instructions.
2) Tor-Browser
a) Download&Install Tor-Browser.
b) Open Tor-Browser.
c) Open this link : http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php
d) Upload this file.
e) Follow the instruction.
Threat Summary
Name | NEMTY ransomware virus |
Latest version | NEMTY 2.5 REVENGE |
Type | File locker, Filecoder, Crypto virus, Crypto malware, Ransomware |
Encrypted files extension | .NEMTY |
Ransom note | NEMTY_DECRYPT.txt, NEMTY_[string of random characters]-DECRYPT.txt |
Contact | nemty.top/public/pay.php, zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php |
Ransom amount | $1000 – $1500 in Bitcoin |
Detection Names | Trojan.Ransom.Nemty, Trojan.Siggen9.1296, A Variant Of Win32/Kryptik, W32/Kryptik, Win32.Packed.Kryptik, Trojan.Win32.Crypt, Trojan.Win32.Zenpak.tff |
Symptoms | Unable to open photos, documents and music. Your personal files have a wrong name, suffix or extension, or don’t look right when you open them. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. |
Distribution ways | Spam mails that contain malicious links. Drive-by downloading (when a user unknowingly visits an infected webpage and then malicious software is installed without the user’s knowledge). Social media, such as web-based instant messaging applications. Torrent web sites. |
Removal | To remove NEMTY ransomware use the removal guide |
Decryption | To decrypt NEMTY ransomware use the steps |
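The naming scheme described above (encrypted files ending in ‘.NEMTY-[random]’, notes named ‘NEMTY_[random]-DECRYPT.txt’) is enough to inventory the damage before cleaning or decrypting anything. The following read-only scanner is an added example, not part of the original guide or of any NEMTY tooling. It assumes the random suffix is alphanumeric, as in the page’s sample name, and it treats a directory with encrypted files but no note as possibly interrupted, which is an inference from the statement that the note is dropped once a directory is finished. The sample tree is constructed.

```python
import os
import re
import tempfile
from collections import Counter

# Patterns follow the naming described on this page. Assumption: the random
# suffix is alphanumeric, as in the page's sample 'price.xlsx.NEMTY-DK1S8JQ'.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.NEMTY(?:-(?P<id>[A-Za-z0-9]+))?$", re.I)
NOTE_RE = re.compile(r"^NEMTY_(?:(?P<id>[A-Za-z0-9]+)-)?DECRYPT\.txt$", re.I)

def scan(root):
    """Inventory NEMTY-renamed files and ransom notes under root (read-only)."""
    report = {"encrypted": [], "notes": [], "ids": Counter(), "no_note_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        hits, has_note = 0, False
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            note = NOTE_RE.match(name)
            enc = None if note else ENCRYPTED_RE.match(name)
            if note:
                has_note = True
                report["notes"].append(path)
            elif enc:
                hits += 1
                # Keep the original file name so recovery can be checked later.
                report["encrypted"].append((path, enc.group("orig")))
                report["ids"][enc.group("id") or "(no suffix)"] += 1
        # The note is dropped once a directory is finished, so encrypted files
        # without a note suggest the run was interrupted in that directory.
        if hits and not has_note:
            report["no_note_dirs"].append(dirpath)
    return report

def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "docs": ["price.xlsx.NEMTY-DK1S8JQ", "plan.docx.NEMTY-DK1S8JQ",
                     "NEMTY_DK1S8JQ-DECRYPT.txt"],
            "photos": ["cat.jpg.NEMTY-DK1S8JQ", "dog.jpg"],  # no note here
            "clean": ["readme.txt"],
        }
        for sub, names in layout.items():
            os.makedirs(os.path.join(root, sub))
            for name in names:
                open(os.path.join(root, sub, name), "w").close()
        rep = scan(root)
        rep["no_note_dirs"] = [os.path.basename(d) for d in rep["no_note_dirs"]]
        return rep

if __name__ == "__main__":
    r = demo()
    print(len(r["encrypted"]), "encrypted,", len(r["notes"]), "notes")
    print("IDs:", dict(r["ids"]), "| dirs without note:", r["no_note_dirs"])
```

More than one suffix in the `ids` counter points to more than one infection run, which matters because the key is unique for each infection.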
NEMTY authors tell the truth, saying that the victim’s files are encrypted. Security researchers confirm this, as well as the fact that to decrypt files the victim needs to use the decryptor and the key. Fortunately, a free decryptor was created, which can be used to decrypt files encrypted by most versions of the ransomware. This means that .NEMTY files can be decrypted by this decryptor. If the decryptor does not help decrypt the files, there are several alternative methods, each of which gives a chance to recover encrypted files.
If your files were encrypted with NEMTY virus, we recommend using the following action plan, which will allow you to remove the ransomware and decrypt (restore) the encrypted files. Read carefully the entire instructions below, print it, or open it on your smartphone. This will allow you not to miss anything important.
How to remove NEMTY ransomware and Decrypt (Recover) .NEMTY files for free
- Remove NEMTY ransomware
- Decrypt .NEMTY files
- Restore .NEMTY files
- Protect your computer from NEMTY ransomware
How to remove NEMTY ransomware
Before you start decrypting files, you need to check your computer for malware, find all NEMTY virus components and remove them. If you do not delete the ransomware, it can encrypt the recovered files again. Moreover, do not forget that active malware is a breach in your computer’s protection: criminals can access the entire computer, control it, or use it to hack into other computers.
We recommend using free malware removal tools to detect and remove NEMTY ransomware. It is better to use two or more tools rather than just one. This gives the most thorough scan of your computer and the best assurance that the NEMTY virus will be found and completely removed.
Remove NEMTY virus with Zemana Free
Zemana Anti Malware can find all kinds of malicious software, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the NEMTY virus, you can easily and quickly remove it.
First, visit the page linked below, then click the ‘Download’ button in order to download the latest version of Zemana AntiMalware.
When the downloading process is done, close all programs and windows on your PC. Open a directory in which you saved it. Double-click on the icon that’s called Zemana.AntiMalware.Setup as on the image below.
When the setup starts, you will see the “Setup wizard”, which will allow you to install Zemana Free on your system.
Once installation is done, you will see a window as shown on the image below.
Now click the “Scan” button to scan your system for the NEMTY crypto virus, other malicious software, worms and trojans. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour.
Once finished, Zemana will open a list of all threats found by the scan. You may remove the found security threats (move them to Quarantine) by simply pressing the “Next” button.
Zemana will remove the folders, files and registry keys related to the NEMTY ransomware virus and add the threats to the Quarantine.
Run MalwareBytes to remove NEMTY virus
We suggest using MalwareBytes. You may download and install MalwareBytes Anti-Malware (MBAM) to locate and delete the NEMTY virus from your PC. When installed and updated, this free malicious software remover automatically scans for and removes all security threats that exist on the system.
- Download MalwareBytes Anti Malware from the following link. Save it to your Desktop.
- When the download is finished, close all apps and windows on your machine. Open a folder in which you saved it. Double-click on the icon that’s named mb3-setup.
- Next, click the Next button and follow the prompts.
- Once installation is complete, click the “Scan Now” button to perform a system scan with this utility for the NEMTY crypto malware, other malicious software, worms and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your computer. When a threat is found, the number of security threats will change accordingly. Wait until the scanning is complete.
- Once the scan is completed, you can check all threats detected on your PC system. Review the scan results and then press “Quarantine Selected”. Once the cleaning process is finished, you may be prompted to restart your machine.
Remove NEMTY ransomware with Kaspersky virus removal tool
Kaspersky virus removal tool (KVRT) is a free malware removal utility that can be downloaded and used to remove ransomware viruses, adware, malware, potentially unwanted applications, toolbars and other threats from your personal computer. You may run this tool to search for threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) on your PC system by clicking on the link below.
Once the downloading process is done, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is done, you will see the Kaspersky virus removal tool screen as on the image below.
Click Change Parameters and set a check mark next to all your drives. Click OK to close the Parameters window. Next, press the Start scan button to start scanning your personal computer for the NEMTY crypto malware and other trojans and harmful apps. This process can take quite a while, so please be patient. While the tool is checking, you can see how many objects and files have already been scanned.
Once KVRT has completed scanning, you will be shown the list of all detected threats on your computer like the one below.
Next, you need to click on Continue to start a cleaning task.
Decrypt .NEMTY files
Files with the extension .NEMTY are encrypted files that cannot be decrypted without a decryptor and a key. The NEMTY authors demand a ransom for the key and the decryptor. Of course, no one can guarantee that after paying the ransom, the victim will be able to decrypt the encrypted files. Security experts do not recommend paying a ransom, as this encourages criminals to create new ransomware.
Fortunately for all victims of NEMTY virus, there is a free decryptor. It allows each victim to decrypt files encrypted with NEMTY ransomware.
To decrypt .NEMTY files, use free NEMTY decryption tool
- Download NEMTY decryptor from the following link: https://www.nomoreransom.org/en/decryption-tools.html#Nemty
- Click the DOWNLOAD button and save the NemtyDecryptor.exe file to your desktop.
- Run NemtyDecryptor.exe, read and accept End-User License agreement.
- Read the usage information and follow the instructions.
Restore .NEMTY files
If NemtyDecryptor did not help you, then there is no need to panic! There are several other alternative ways that may allow you to restore the contents of encrypted files. However, if you have not tried the free decryptor, then try it first by following step 2 of this instruction, and then return here.
Alternative methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for ransomware, do it right now, use free malware removal tools or return to step 1 above.
Use ShadowExplorer to restore .NEMTY files
A free tool named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Windows 10 (8, 7, Vista). You can recover .NEMTY files encrypted by the ransomware virus from Shadow Copies for free.
ShadowExplorer can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
Once the downloading process is finished, extract the downloaded file to a directory on your personal computer. This will create the necessary files as displayed below.
Launch the ShadowExplorerPortable program. Now select the date (2) that you want to recover from and the drive (1) you wish to restore files (folders) from as shown on the image below.
In the right panel, navigate to the file (folder) you want to recover. Right-click the file or folder and press the Export button as shown below.
Finally, specify a directory (your Desktop) to save the shadow copy of the encrypted file and press the ‘OK’ button.
Recover .NEMTY files with PhotoRec
Another alternative way to recover encrypted files is to use data recovery software. This method requires a lot of time, but in most cases it allows you to recover part, and sometimes all, encrypted files. To recover .NEMTY files, use a free tool called PhotoRec. It has a simple interface and does not require installation.
Download PhotoRec from the link below. Save it on your Microsoft Windows desktop or in any other place.
Once downloading is done, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll show a screen as shown in the following example.
Choose a drive to recover like below.
You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as shown on the screen below.
Press the File Formats button and specify the file types to recover. You can enable or disable the recovery of certain file types. When this is finished, click the OK button.
Next, press the Browse button to select where restored personal files should be written, then click Search.
The count of recovered files is updated in real time. All restored photos, documents and music are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.
When the restore is done, click the Quit button. Next, open the directory where restored photos, documents and music are stored. You will see contents as displayed in the following example.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort your restored files by extension and/or date/time.
How to protect your computer from NEMTY crypto virus
Most antivirus programs already have a built-in protection system against the crypto virus. Therefore, if your PC system does not have an antivirus application, make sure you install one. As an extra protection, use HitmanPro.Alert. HitmanPro.Alert is a small security tool. It can check the system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Installing the HitmanPro.Alert is simple. First you’ll need to download HitmanPro.Alert by clicking on the link below.
Once the downloading process is finished, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the tool is started, you will be shown a window where you can select a level of protection, as displayed below.
Now click the Install button to activate the protection.
To sum up
This guide was created to help all victims of the NEMTY ransomware virus. We tried to give answers to the following questions: how to remove the ransomware; how to decrypt .NEMTY files; how to recover files if NemtyDecryptor does not help. We hope that the information presented in this manual has helped you.
If you have questions, write to us by leaving a comment below.