The following is a summary of the NemeS1S ransomware-as-a-service (RaaS) malware, including information on mitigation. A 'deep dive' investigative write-up by Cylance Senior Security Researcher Jim Walter can be found here.
Home / C2: hxxp://nemesiqoaxtca4ve[dot]onion/
Summary: NemeS1S is a ransomware-as-a-service (RaaS) offering. The binaries it generates are derived entirely from the PadCrypt 3.0 source, so the decryption services and ransom messages an infected host sees reference PadCrypt 3.0 rather than the parent service (NemeS1S). Characteristics of the generated binaries:
- AES-256 file encryption
- Unique per-host keys (RSA-1024)
- Encrypts all files, regardless of extension
- Deletes Volume Shadow Copies (VSS), removing the host's built-in local recovery option
- Live interactive chat (introduced as a PadCrypt feature)
- .NET-based malware binaries
- Domain generation algorithm (DGA) inherited from PadCrypt, generating up to 72 domains per day
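Because the generated binaries delete Volume Shadow Copies before or during encryption, shadow-copy deletion is one of the earliest host-side signals a defender can act on. The rule below is an added example written for this page, not code from Cylance or from the NemeS1S/PadCrypt authors: it runs over a handful of constructed process-creation events (Sysmon Event ID 1 style, reduced to the fields the rule needs) and flags the common ways ransomware removes or starves shadow copies (vssadmin, WMIC, and PowerShell via Win32_ShadowCopy). The specific command line NemeS1S uses is not stated on this page, so the patterns are generic ATT&CK T1490 coverage rather than a signature for this family; the sample events, host names and paths are all invented for the example.

```python
import re

# Constructed sample events for the example (not NemeS1S telemetry).
# Fields mirror what a Sysmon Event ID 1 / EDR process-creation record carries.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Users\alice\AppData\Roaming\update.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "parent": r"C:\Users\alice\AppData\Roaming\update.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws02", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},          # benign: enumeration only
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"host": "ws02", "parent": r"C:\Program Files\Backup\agent.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /for=C: /oldest"},  # backup software also does this
]

# Generic shadow-copy destruction patterns (ATT&CK T1490: Inhibit System Recovery).
# "resize shadowstorage" is included because shrinking the store evicts copies
# without ever issuing a "delete".
SHADOW_DELETION_PATTERNS = [
    ("vssadmin_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_win32_shadowcopy", re.compile(r"win32_shadowcopy\b.*\.delete\(\)", re.I)),
]

# Parent-process locations that a legitimate backup agent would not run from.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def classify(event):
    """Return the name of the first matching pattern, or None if the command is benign."""
    for name, pattern in SHADOW_DELETION_PATTERNS:
        if pattern.search(event["cmdline"]):
            return name
    return None


def severity_for(event):
    """Escalate when the parent process lives in a user-writable directory."""
    parent = event["parent"].lower()
    return "high" if any(d in parent for d in SUSPICIOUS_PARENT_DIRS) else "medium"


def detect(events, allowlisted_parents=()):
    """Run the rule over process-creation events and return one alert per hit.

    allowlisted_parents suppresses known backup agents by parent image path.
    Note that a path allowlist is weak on its own (malware can masquerade as
    the agent); pair it with code-signing or hash checks in production.
    """
    allowed = {p.lower() for p in allowlisted_parents}
    alerts = []
    for event in events:
        rule = classify(event)
        if rule is None or event["parent"].lower() in allowed:
            continue
        alerts.append({
            "host": event["host"],
            "rule": rule,
            "severity": severity_for(event),
            "parent": event["parent"],
            "cmdline": event["cmdline"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['host']} {alert['rule']}: "
              f"{alert['parent']} -> {alert['cmdline']}")
```

On the constructed input the rule produces four alerts and ignores the enumeration-only `vssadmin list shadows`; the two events whose parent runs out of a user's AppData directory are escalated to high. Any alert that fires on a host is worth isolating immediately, since it typically precedes or accompanies the encryption pass, and the page's point about VSS deletion is exactly that local recovery will not be available afterwards.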
RaaS Specific Features:
- Full message-based support with admins (SLA 24-48 hours)
- NemeS1S admins get a 35% commission on each successful and confirmed BTC payment
- Multiple campaign support
- Ability to generate multiple malware binaries per day (the system currently allows a new binary to be generated approximately every 20 minutes)
- Full host/infection management via the client portal (home URL shown above)
Figure 1: NemeS1S Basic Dashboard
If you use our endpoint protection product CylancePROTECT®, you are already protected from this attack. CylancePROTECT prevents execution of binaries generated by the NemeS1S service. If you don't have CylancePROTECT, contact us to learn how our AI-driven solution can predict and prevent unknown and emerging threats.
Figure 2: CylancePROTECT Client Notifications
Figure 3: CylancePROTECT Console
Indicators of Compromise (IOCs)