Fake PayPal Site Spreads Nemty Ransomware

BleepingComputer has published a blog analysing a new version of the Nemty ransomware being spread through a fake PayPal website. The Nemty ransomware has been seen testing various distribution methods, such as via exploit kits, but this article discusses a new vector. In this case, the attacker used content from a legitimate PayPal website to host a fake copy on a homograph domain name.

If a user downloads the falsely-advertised cash back app, a malicious executable is retrieved instead. Upon execution, this payload, which has been identified as the Nemty ransomware version 1.4, checks whether the host is in Russia, Belarus, Kazakhstan, Tajikistan, or Ukraine. If it is, execution stops. Otherwise, the ransomware proceeds with the encryption process.

The ransom note demands 0.09981 BTC (about 1,000 USD) be paid via a Tor payment portal in exchange for the decryption key.

Further details – https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/

Check of website pp-back.info on VirusTotal shows as malicious.

Indicators of Compromise


  • http://pp-back.info/Cashback.exe


  • xn--ayal-f6dc.com


  • ed431f3209eb43d80fc3dbea1e994c9a

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: