Cybersecurity experts usually advise victims against paying ransomware crooks, but that advice goes double for those who have been targeted by the Nitrogen group. There's no way to get your data back from them!
According to Coveware, which peered under the hood of Nitrogen's ransomware program, a programming error prevents the gang's decryptor from recovering victims' files, so paying up is futile.
The finding specifically concerns the group's malware that targetsVMware ESXi. Coveware said that the program encrypts files with the wrong public key, making it impossible for the criminals to decrypt them, even if the victim pays for a decryption tool.
Nitrogen's malware makes the error of loading a new variable, a QWORD, into memory so that it overlaps with the public key.
Because the malware loads the public key at offset rsp+0x20 and the 8-byte QWORD at rsp+0x1c, it overwrites the first four bytes of the public key, meaning that an attacker-supplied decryptor would fail.
"Normally, when a public-private Curve25519 keypair is generated, the private key is generated first, and then the public key is derived subsequently based on the private key," Covewaresaid.
- CISA updated ransomware intel on 59 bugs last year without telling defenders
- Ransomware crims forced to take off-RAMP as FBI seizes forum
- Everest ransomware gang said to be sitting on mountain of Under Armour data
- Broker who sold malware to the FBI set for sentencing
"The resulting corrupted public key wasn't generated based on a private key, it was generated by mistakenly overwriting a few bytes of another public key. The final outcome is that no one actually knows the private key that goes with the corrupted public key."
Nitrogen has been around since 2023. According to Coveware, it began as one of the various offshoots that borrowed code from theleaked Conti 2 builder.
Barracuda Networks previouslyreported that it evolved into a ransomware group slowly over time. It first developed malware to facilitate initial access for others, although its operators didn't work as initial access brokers, but began extorting organizations in or around September 2024.
While it is not one of the most prolific groups in operation, it is also not to be underestimated.
Even with this latest finding, which will go down alongside other epicown goals by ransomware gangs, it's hard to see the funny side with this one.
The coding error takes this financially-motivated ransomware gang into the realm of pure destruction, where both parties walk away losers. ®
Biting the hand that feeds IT
