Nevada Ransomware

Chris Swagler | February 7th, 2023


Nevada, a relatively new ransomware operation, is rapidly expanding its capabilities: security researchers have found improved versions of its locker targeting Windows and VMware ESXi systems. On December 10, 2022, Nevada ransomware began to be advertised on the RAMP darknet forum, inviting Russian- and Chinese-speaking cybercriminals to join the group for an 85% cut of paid ransoms, rising to 90% for affiliates who bring in numerous victims. RAMP has previously been identified as a venue where Russian and Chinese threat operators promote their cybercrime operations and talk with peers. The Nevada offering includes a Rust-based locker, a real-time negotiation chat portal, and separate Tor domains for affiliates and victims. Security researchers who investigated the new malware published their findings in a report. According to that report, Nevada explicitly prohibits English-speaking affiliates, although the operators are willing to work with vetted initial access brokers from anywhere.

The Windows build of Nevada ransomware is operated from a console and accepts a set of flags that let its operators control the encryption:

  • -file > encrypt selected file
  • -dir > encrypt selected directory
  • -sd > self-delete after everything done
  • -sc > delete shadow copies
  • -lhd > load hidden devices
  • -nd > find and encrypt network shares
  • -sm > safe mode encryption

Nevada Ransomware Encryption Process

An intriguing feature of Nevada ransomware is the set of system locales it spares from encryption. Ransomware groups usually avoid victims in Russia and the Commonwealth of Independent States; this strain additionally excludes Albania, Hungary, Vietnam, Malaysia, Thailand, Turkey, and Iran. The payload uses MPR.dll to enumerate network resources and adds any shared directories it finds to the encryption queue. The encryptor installs itself as a service and then reboots the compromised system into Windows safe mode with networking enabled, so the locker keeps running while most security tooling does not. For speed, the locker uses Salsa20 and applies intermittent encryption to files larger than 512KB, encrypting only portions of each such file. To avoid rendering the host unbootable, executables, DLLs, LNK, SCR, URL, and INI files in the Windows system folders and in Program Files are excluded from encryption. Encrypted files receive the ".NEVADA" extension, and a ransom note is dropped in each folder giving victims five days to pay before their stolen data is published on Nevada's data leak site.

The Linux/VMware ESXi variant of Nevada ransomware uses the same encryption algorithm (Salsa20) as the Windows variant, and it relies on a fixed constant, as previously seen in Petya ransomware. The Linux encryptor applies a similar intermittent encryption scheme: only files smaller than 512KB are fully encrypted. Researchers also found that, because of a bug in the Linux version, Nevada will likely skip files between 512KB and 1.25MB entirely. The Linux locker supports the following arguments:

  • -help > help
  • -daemon > creation and launch of a ‘nevada’ service
  • -file > encrypt particular file
  • -dir > encrypt particular folder
  • -esxi > disable all virtual machines

On Linux systems, the public key is stored as an additional 38 bytes appended to the end of each encrypted file. The similarities with Petya extend to weaknesses in the encryption implementation that could allow retrieval of the private keys, and with them data recovery without paying the ransom. Recovering data encrypted by Nevada requires the private key "b" and the public key "A" that are appended to the end of the file, the Salsa20 nonce, the file size, and the algorithm used to select which 'stripes' of the file are encrypted (which can potentially be measured or guessed).

Nevada ransomware is currently building out its network of affiliates and initial access brokers and recruiting skilled threat operators. According to security researchers, in observed intrusions the Nevada operators purchased access to already-compromised endpoints and engaged a dedicated post-exploitation team to carry out the attack. Security researchers are closely monitoring the group, and the threat appears to be growing.
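The intermittent encryption and 512KB threshold described for both variants, together with the reported 512KB to 1.25MB skip in the Linux build, leave a measurable footprint on disk that is useful during incident triage. The following Python script is an added example written for this page, not code from the Nevada operators or from the researchers' report. It walks a directory of .NEVADA files, sets aside the 38-byte trailer described above (assumed here to be exactly the last 38 bytes of every file, as reported for the Linux variant), measures Shannon entropy over each 64KB window (the window size and the 7.9 bits/byte threshold are assumptions), and classifies each file as fully encrypted, intermittently encrypted, or apparently untouched, flagging untouched files in the 512KB to 1.25MB range as candidates for the reported skip bug. The sample files are constructed in a temporary directory; random bytes stand in for Salsa20 ciphertext because Nevada's real stripe layout is not public.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Values taken from the page: the trailer length, the 512KB threshold and the
# 512KB..1.25MB range reportedly skipped by the Linux build.
TRAILER_LEN = 38
SKIP_BUG_LO = 512 * 1024
SKIP_BUG_HI = 1280 * 1024          # 1.25 MB
EXT = ".NEVADA"

# Assumptions (not from the page): sampling window and the entropy level above
# which a window is treated as ciphertext. Random bytes score ~7.99 bits/byte.
CHUNK = 64 * 1024
HIGH_ENTROPY = 7.9


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> dict:
    """Strip the appended key material and score the body window by window."""
    raw = path.read_bytes()
    body, trailer = raw[:-TRAILER_LEN], raw[-TRAILER_LEN:]
    chunks = [body[i:i + CHUNK] for i in range(0, len(body), CHUNK)]
    high = sum(1 for c in chunks if shannon_entropy(c) >= HIGH_ENTROPY)
    if not chunks:
        verdict = "empty"
    elif high == len(chunks):
        verdict = "fully-encrypted"
    elif high == 0:
        verdict = "untouched"
    else:
        verdict = "intermittent"
    return {
        "file": path.name,
        "size": len(body),
        "chunks": len(chunks),
        "high_entropy_chunks": high,
        "verdict": verdict,
        "trailer_hex": trailer.hex(),
        # an apparently untouched body in the reported size range deserves a manual look
        "skip_bug_candidate": verdict == "untouched" and SKIP_BUG_LO <= len(body) <= SKIP_BUG_HI,
    }


def triage(root: Path) -> list:
    """Classify every *.NEVADA file under root, sorted by name for stable output."""
    return sorted((classify(p) for p in root.rglob("*" + EXT)), key=lambda r: r["file"])


def build_sample_tree(root: Path) -> None:
    """Constructed sample data, not real Nevada output. Random bytes stand in for
    Salsa20 ciphertext; repetitive SQL text stands in for low-entropy plaintext."""
    trailer = os.urandom(TRAILER_LEN)
    plain = b"INSERT INTO ledger VALUES (1, 'acme', 1250.00);\n" * 2048   # 96 KB of text
    # 256KB file: below the 512KB threshold, so fully encrypted
    (root / "small.db.NEVADA").write_bytes(os.urandom(256 * 1024) + trailer)
    # 800KB file: inside the range the Linux build reportedly skips, body left as plaintext
    (root / "mid.db.NEVADA").write_bytes((plain * 9)[:800 * 1024] + trailer)
    # 2MB file: alternating 64KB ciphertext / plaintext stripes (the stripe geometry is
    # illustrative; Nevada's real stripe selection is not public)
    stripes = b"".join(os.urandom(CHUNK) if i % 2 == 0 else (plain * 2)[:CHUNK]
                       for i in range(32))
    (root / "large.vmdk.NEVADA").write_bytes(stripes + trailer)


def run_demo() -> list:
    """Build the sample tree in a temp dir, triage it, print a summary and return the rows."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        rows = triage(root)
    for r in rows:
        print(f"{r['file']:<20} {r['size']:>9} B  {r['verdict']:<16} "
              f"high-entropy {r['high_entropy_chunks']}/{r['chunks']}  "
              f"skip-bug candidate: {r['skip_bug_candidate']}")
    return rows


if __name__ == "__main__":
    run_demo()
```

Point `triage()` at a mounted image or restored share instead of the constructed tree to get the same summary for a real incident. Real output will be noisier than the sample: stripe boundaries will not line up with the 64KB sampling window, so mixed windows score between the two extremes, and files that are compressed or already encrypted (archives, images, VM disks with encrypted guests) have high entropy on their own and will be reported as encrypted whether or not the locker touched them. Treat the verdicts as a prioritisation aid for deciding which files to attempt recovery on, not as proof of what the locker did.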

With new ransomware groups entering the threat landscape and targeting Windows and VMware ESXi systems alike, companies need to stay ahead of the current landscape and keep their networks' security infrastructure up to date. At SpearTip, our certified engineers work continuously in an investigative cycle at our 24/7/365 Security Operations Center, monitoring companies' networks for ransomware threats, including Nevada, and are ready to respond to incidents at a moment's notice. Our remediation team works to restore companies' operations, reclaim their networks by isolating malware, and recover business-critical assets. Our ShadowSpear Platform, an integrable managed detection and response tool, uses comprehensive insights built on unparalleled data normalization and visualizations to detect unknown and advanced ransomware threats.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
