
Nymaim Ransomware

Posted: July 10, 2013

Threat Metric

Threat Level: 10/10
Infected PCs: 31,173
First Seen: July 10, 2013
Last Seen: January 20, 2021
OS(es) Affected: Windows

The Nymaim Ransomware is a Police ransomware Trojan that's distributed via drive-by-download attacks from the Blackhole Exploit Kit, which is loaded by legitimate (but compromised) websites that have been hacked and forced to include malicious Web code. Because the Nymaim Ransomware contacts a remote server to transfer basic information about your PC and receive an appropriate warning message, its ransom alerts may be tailored to your region, and can include mentions of local law enforcement agencies or references to specific laws that your PC supposedly has been used to break. The Nymaim Ransomware will claim that it has the lawful authority to deny you access to any other programs until you pay its three hundred USD fine, but SpywareRemove.com malware experts recommend using advanced anti-malware tools to remove the Nymaim Ransomware without paying, since the Nymaim Ransomware is not a lawful program and, in fact, is distributed alongside some of the most notorious malware to date.

Why the Nymaim Ransomware's Ransom Isn't Your Worst Problem

In many respects, Nymaim Ransomware is a typical example of a fake Police Trojan: by displaying a pop-up warning that accuses you of using your PC for crimes such as viewing or distributing child pornography, the Nymaim Ransomware attempts to make you pay a fake legal fine in the triple digits. While doing so, the Nymaim Ransomware blocks you from using most other Windows programs – although related PC threats still can be active in the background.

It's this last detail that's most worrisome to the SpywareRemove.com malware research team, which has found that Nymaim Ransomware infections usually coincide with the presence of other high-level PC threats. Two confirmed types of malicious software often linked to Nymaim Ransomware attacks are the ZeroAccess rootkit and the Pony loader (a backdoor Trojan related to the Pony botnet).

By now, the major security vulnerabilities that result in the Nymaim Ransomware infections have been thoroughly identified. The story begins with compromised but legitimate sites – with the manner of the initial compromise still under investigation – that are forced to include an iFrame redirector known as Darkleech or Chapro. The iFrame redirect forces your browser to load additional content from a second site that turns out to be a variant of the Blackhole Exploit Kit. BEK then uses a standard drive-by-download attack to install the Nymaim Ransomware, along with the two other pieces of malware.

In stark contrast to the Nymaim Ransomware, the Pony loader and ZeroAccess don't show any obvious symptoms of their attacks, but are designed to compromise your PC's security, give criminals control over your computer and steal highly confidential information. Accordingly, SpywareRemove.com malware experts recommend that you respond to any Nymaim Ransomware infection with the highest degree of urgency possible.

Shredding the Ransom Request that Has No Right to Be There

With a variety of pop-up warnings at its disposal, the Nymaim Ransomware may claim to be sent by the FBI, the Royal Canadian Mounted Police or various other law-enforcing agencies around the world, but the Nymaim Ransomware issues its attacks without any regard for whether or not your computer is guilty of being used for the crimes the Nymaim Ransomware claims have taken place. Paying Nymaim Ransomware's ransom is completely unnecessary for restoring your computer. Since Nymaim Ransomware uses a memory injection attack to help prevent its own detection or removal, you will need to use particularly extensive security strategies for disinfecting your PC – and that's without considering the complications of related PC threats like the Pony loader and ZeroAccess/Sirefef.

When dealing with an infection by such complex malware, SpywareRemove.com malware researchers recommend booting your computer safely from a removable drive, such as a USB flash drive. This will let you launch the OS of your choice without the Nymaim Ransomware, ZeroAccess or the Pony loader compromising it. With all three threats disabled, powerful anti-malware software can be used to remove the Nymaim Ransomware and its fellows without harming your PC.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:




Registry Modifications

The following Registry values are newly produced:

Regexp file mask: %APPDATA%\[RANDOM CHARACTERS]32.ocx
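
The file mask above can be checked from the clean, removable-media boot the article recommends. The following is an added example, not SpywareRemove.com's own tooling: it scans every user profile on an offline-mounted Windows volume for files matching the mask, and it assumes that "[RANDOM CHARACTERS]" means one or more arbitrary characters and that the volume is mounted at a path you pass in.

```python
import hashlib
import re
import sys
from pathlib import Path

# The page's mask: %APPDATA%\[RANDOM CHARACTERS]32.ocx
# Assumption: "[RANDOM CHARACTERS]" stands for one or more arbitrary characters.
MASK = re.compile(r"^.+32\.ocx$", re.IGNORECASE)

# Where %APPDATA% lives under a profile: Windows Vista and later, then XP.
APPDATA_LAYOUTS = (
    ("Users", Path("AppData") / "Roaming"),
    ("Documents and Settings", Path("Application Data")),
)


def sha256_of(path, chunk=1 << 20):
    """Hash in chunks so a large file never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_mask_hits(volume_root):
    """Return (path, size, sha256) for each file that sits directly in a
    profile's %APPDATA% on the mounted volume and matches the mask."""
    hits, seen = [], set()
    for profiles_dir, appdata_rel in APPDATA_LAYOUTS:
        base = Path(volume_root) / profiles_dir
        if not base.is_dir():
            continue
        for profile in sorted(base.iterdir()):
            appdata = profile / appdata_rel
            if not appdata.is_dir():
                continue
            for entry in sorted(appdata.iterdir()):
                real = entry.resolve()  # junctions can expose one file twice
                if entry.is_file() and MASK.match(entry.name) and real not in seen:
                    seen.add(real)
                    hits.append((str(entry), entry.stat().st_size, sha256_of(entry)))
    return hits


if __name__ == "__main__":
    # Usage: python scan_mask.py /mnt/windows   (mount point is hypothetical)
    for path, size, digest in find_mask_hits(sys.argv[1]):
        print(f"{digest}  {size:>10}  {path}")
```

A match is a lead for the anti-malware scan, not a verdict: legitimate ActiveX controls can also carry names ending in 32.ocx, although they are rarely stored directly in %APPDATA%.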
