Fake PayPal App Site Infects Victims with Nemty Ransomware

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

As reported by BleepingComputer, security researcher “nao_sec” discovered a malicious website that is distributing samples of a new variant of the Nemty ransomware. The actors are using the PayPal app as bait, luring unsuspecting victims to download it from their channel and win up to 5% of what they spend in returns. The website was made to look exactly like the official PayPal portal, so visitors who won’t notice the URL will be tricked into thinking that they have landed on a legitimate channel of software distribution.

The malicious file that is offered for download is named “cashback.exe”, and most browsers will warn the user that the file they’re trying to download looks nasty. If the user answers that they trust the source in the prompt, they will get a copy of the Nemty ransomware on their system. According to VirusTotal data, the malicious executable is missed by 32 out of the 68 antivirus engines tested, so the chances of Nemty nesting in the host system and encrypting all files is just below 50% if the victim is using an AV solution in the first place.

The Nemty variant that is used in this campaign is version number 1.4, and the amount of money that is demanded by the actors is the equivalent of $1000 in Bitcoin. This is the standard amount that we have seen criminals who use Nemty ask, while the payment period that is given to the victims is 48 hours, also a standard one. The countries that are excluded from the infection activity are Belarus, Russia, Kazakhstan, Ukraine, and Tajikistan. If you live in one of those countries, or your system language is set to the corresponding languages, you’re safe from this campaign but don’t expect a 5% return on your spending nonetheless.

nemty countries exclusion check

Source: Vitali Kremez | Twitter

If you were infected by a Nemty variant, you would notice that all your files got the “.nemty” extension. If that is the case, don’t pay the actors as you won’t have any guarantee that you will get your files back. SpyHunter 5, Malwarebytes, and Reimage are all capable of removing all traces of Nemty from your system, so make sure to wipe it before you start restoring from backups. Nemty is very persistent, and if you don't remove all of its components your files will get re-encrypted. If you are looking to get the official PayPal app, you can only find it on “paypal.com” or on the official app stores of your platform.

Are you using the PayPal app, or do you just head to the website for everything? Let us know in the comments down below, or on our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: