#privacy: Fake PayPal site distributing Nemty Ransomware

A malicious website using the PayPal app as bait has been found spreading samples of a new variant of the Nemty ransomware. 

Security researcher nao_sec discovered that the threat actors are luring victims into downloading the app from the malicious site, with the promises of a return of 3-5% from purchases made through the payment system. 

The threat actors have created the page to look exactly like the official PayPal page so visitors will think it is legitimate, unless they notice the URL. 

The malicious file which is offered for download is named “cashback.exe”. The majority of browsers will warn users that the file looks suspicious, but if a users answers that they trust the source, then the Nemty ransomware is downloaded into the system. 

The majority of popular antivirus products can detect the malicious executable. A scan on VirusTotal discovered that it detected 36 out of 68 antivirus engines tested.

In a post by, security researcher nao_sec explained to BleepingComputer that the web page looks legitimate due to threat actors using visuals and the structure that is presented on the true page. 

“To add to the deception, the cybercriminals also use what is known as homograph domain name spoofing for links to various sections of the site (Help & Contact, Fees, Security, Apps, and Shop).

“The crooks achieved this by using in the domain name Unicode characters from different alphabets. To distinguish between them, browsers automatically translate them into Punycode. In this case, what in Unicode looks like paypal.com translates to ‘xn--ayal-f6dc.com’ in Punycode.”

Security researcher Vitali Kremez analysed the variant and noted that the Nemty ransomware is now at version 1.4.

“One thing the researcher observed is that the “isRU” check, which verifies if the infected computer is in Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine, has been modified. In the latest version, if the result of the check is positive, the malware does not move with the file-encrypting function, the researcher told BleepingComputer.”

Additionally, BleepingComputer tests showed that the ransom demanded by the actors equates to $1,000 in Bitcoin, and the payment portal is hosted on the Tor network. 

If a user has been infected by the Nemty variant, then they would notice that their files have the “.nemty” extension. If so it is advised not to pay the threat actors, as there is not guarantee that they will get their files back.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.