Tencent Royal See: Nemty ransomware spreads via the Phorpiex botnet, which can monitor the clipboard to hijack virtual currency transactions

On February 13th, Tencent Yumi Threat Intelligence Center published a report stating that the latest variant of the Nemty ransomware has become active again by relying on the Phorpiex botnet for delivery. Cooperation with botnets has made the virus more capable of spreading, and files encrypted by Nemty ransomware cannot be decrypted for the time being. At the same time, because the Phorpiex botnet can monitor the clipboard to hijack virtual currency transactions, a victim who pays the ransom will be robbed by Phorpiex: the payment is hijacked and cannot reach the address provided by the Nemty operating group, which doubles the victim's loss. Enterprises must be vigilant.