Nevada, a relatively new ransomware operation, is rapidly expanding its capabilities: security researchers have found improved capabilities in its locker, which targets Windows and VMware systems. On December 10, 2022, Nevada ransomware began to be advertised on the RAMP darknet forum, inviting Russian- and Chinese-speaking cybercriminals to join the group for an 85% cut of paid ransoms. Nevada said it will increase its revenue share to 90% for affiliates that bring in numerous victims. RAMP has previously been identified as a place where Russian and Chinese threat operators promote their cybercrime operations or chat with colleagues. Nevada ransomware includes a Rust-based locker, a real-time negotiation chat portal, and separate Tor network domains for affiliates and victims. Security researchers investigated the new malware and published their findings in a report. According to the report, Nevada ransomware explicitly prohibits English-speaking affiliates; however, the operators are willing to work with approved access brokers from anywhere.
Nevada ransomware, which targets Windows machines, is operated from a console and accepts a series of flags that let its operators manage the encryption:
The set of system regions that Nevada ransomware spares from the encryption process is an intriguing feature. Ransomware groups don’t usually target victims in Russia and the Commonwealth of Independent States. Albania, Hungary, Vietnam, Malaysia, Thailand, Turkey, and Iran are among the countries affected by this malware. The payload uses MPR.dll to collect information about network resources and includes shared directories in the encryption queue. The encryptor is installed as a service, and the compromised system reboots into Windows safe mode with networking enabled. For faster encryption, the locker uses the Salsa20 algorithm and applies intermittent encryption to files larger than 512KB. To avoid rendering victims’ hosts unbootable, executables, DLLs, LNKs, SCRs, URLs, and INI files in Windows system folders and users’ Program Files are excluded from encryption. The “.NEVADA” extension is appended to encrypted files, and each folder receives a ransom note giving victims five days to pay the threat actor’s demands before their stolen data is published on Nevada’s data leak website.
Nevada ransomware for Linux/VMware ESXi uses the same encryption algorithm (Salsa20) as the Windows variant. It uses a constant variable, as previously seen in Petya ransomware. The Linux encryptor uses a similar intermittent encryption scheme, and only files smaller than 512KB are fully encrypted. Researchers discovered that, due to a bug in the Linux version, Nevada ransomware will likely skip any files between 512KB and 1.25 MB in size. The Linux locker supports the following arguments:
On Linux systems, the public key is stored as an additional 38 bytes at the end of each encrypted file. The similarities with Petya ransomware extend to vulnerabilities in the encryption implementation that can allow retrieval of private keys, which in turn can allow data recovery without paying the ransom. To recover data encrypted by Nevada ransomware, security researchers need the private key “b” and the public key “A” (appended to the end of the file), the Salsa20 nonce, the file size, and the algorithm used to select the ‘stripes’ to encrypt (which can potentially be measured or guessed). Nevada ransomware is currently building its network of affiliates and initial access brokers and is looking for skilled threat operators. According to security researchers, Nevada ransomware operators purchased access to compromised endpoints and engaged a dedicated post-exploitation team to carry out the intrusion. Security researchers are closely monitoring the ransomware group, and the threat appears to be growing.
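The three paragraphs above give an incident responder enough structure to triage a suspected Nevada-encrypted file before any recovery attempt: a 38-byte key trailer at the end of the file, intermittent (striped) encryption above 512KB, and a Linux bug that likely leaves files between 512KB and 1.25 MB untouched. The script below is an added example written for this article, not code from SpearTip or from the referenced report, and it performs no encryption. It splits off the trailer, maps which windows of the body look encrypted by Shannon entropy (untouched stripes stay low-entropy and are directly recoverable), and flags sizes in the reported skip range. The 64KB analysis window, the 7.0 bits/byte threshold, and the sample file built by build_sample() are all assumptions of this example, not values from the report.

```python
"""Triage helper for files carrying the ".NEVADA" extension (added example).

It implements no encryption. It separates the 38-byte key trailer the report
describes, maps high-entropy (encrypted) versus low-entropy (untouched)
windows in the body, and flags sizes in the 512KB - 1.25MB range the report
says the Linux locker skips because of a bug.
"""
import math
import os
import random
import sys
from collections import Counter

KEY_TRAILER_LEN = 38                       # trailing public-key blob size per the report
FULL_ENCRYPT_LIMIT = 512 * 1024            # below this, files are encrypted in full
LINUX_BUG_UPPER = int(1.25 * 1024 * 1024)  # upper bound of the reported skip bug
STRIPE = 64 * 1024       # analysis window (assumption, not the locker's stripe size)
ENTROPY_THRESHOLD = 7.0  # bits/byte; uniform ciphertext sits near 8.0 (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over a buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def split_trailer(blob: bytes) -> tuple[bytes, bytes]:
    """Separate the encrypted body from the appended key trailer."""
    if len(blob) < KEY_TRAILER_LEN:
        raise ValueError("file too short to carry the key trailer")
    return blob[:-KEY_TRAILER_LEN], blob[-KEY_TRAILER_LEN:]


def entropy_map(body: bytes, window: int = STRIPE) -> list[dict]:
    """Per-window entropy so an analyst can see which stripes were touched."""
    out = []
    for off in range(0, len(body), window):
        chunk = body[off:off + window]
        h = shannon_entropy(chunk)
        out.append({"offset": off, "length": len(chunk), "entropy": round(h, 2),
                    "looks_encrypted": h >= ENTROPY_THRESHOLD})
    return out


def triage(blob: bytes) -> dict:
    """Summarise one file: trailer, expected mode, skip-range flag, stripe map."""
    body, trailer = split_trailer(blob)
    size = len(body)
    windows = entropy_map(body)
    return {
        "original_size": size,
        "key_trailer_hex": trailer.hex(),
        "in_linux_skip_range": FULL_ENCRYPT_LIMIT <= size <= LINUX_BUG_UPPER,
        "expected_mode": "full" if size < FULL_ENCRYPT_LIMIT else "intermittent",
        "windows_total": len(windows),
        "windows_encrypted": sum(w["looks_encrypted"] for w in windows),
        "plaintext_windows": [w["offset"] for w in windows if not w["looks_encrypted"]],
    }


def build_sample(windows: int = 16, seed: int = 1) -> bytes:
    """Constructed stand-in for a striped file: alternating pseudo-random windows
    (standing in for ciphertext) and repetitive text (untouched plaintext),
    followed by a dummy 38-byte trailer. Not real ransomware output."""
    rng = random.Random(seed)
    filler = (b"plaintext record that the locker skipped\n" * 2000)[:STRIPE]
    parts = [rng.randbytes(STRIPE) if i % 2 == 0 else filler for i in range(windows)]
    return b"".join(parts) + bytes(range(KEY_TRAILER_LEN))


def scan_directory(root: str) -> list[tuple[str, dict]]:
    """Triage every *.NEVADA file under root (read-only)."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".NEVADA"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results.append((path, triage(fh.read())))
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, report in scan_directory(sys.argv[1]):
            print(path, report)
    else:
        print(triage(build_sample()))
```

Run it with a directory argument to walk evidence read-only, or with no argument to see the report for the constructed sample: every other 64KB window shows as plaintext, which is the data an analyst can recover immediately even before the key material described above is obtained.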
With new ransomware groups entering the threat landscape to target systems including Windows and VMware ESXi, it’s important for companies to stay ahead of the current landscape and regularly update their networks’ security infrastructure. At SpearTip, our certified engineers work continuously in an investigative cycle at our 24/7/365 Security Operations Center, monitoring companies’ data networks for ransomware threats, including Nevada, and are ready to respond to incidents at a moment’s notice. Our remediation team works to restore companies’ operations, reclaim their networks by isolating malware, and recover business-critical assets. Our ShadowSpear Platform, an integrable managed detection and response tool, uses comprehensive insights built on unparalleled data normalization and visualizations to detect unknown and advanced ransomware threats.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
©2024 SpearTip, LLC. All rights reserved.