Resecurity, California-based cybersecurity company protecting Fortune 500 globally, has identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023. The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is known for initial access brokers (IABs) and other cybercriminal actors and ransomware groups.
Around February 1, 2023 – the group distributed an updated locker written in Rust for their affiliates supporting Windows, Linux and ESXi – this programming language has become a trend for ransomware developers these days (Blackcat, RansomExx2, Hive, Luna, Agenda). These updates have since provided improved functionality and significant tweaks to improve the affiliate panel. Another significant update has been identified around January 20th – which may confirm how the project is actively developing. The Nevada Ransomware offers very attractive and competitive conditions – 85% (to partner) with a further increase to 90% assuming further progress. On December 10th, 2022 – the actor ‘nebel’ published a post on the Dark Web describing the new project and then proceeded to invite new affiliates.
Notably, the actors also acquire compromised access for further development – it’s more than likely… besides being ransomware developers, they’re also a team performing post exploitation developing point of compromise into full blown network intrusion to achieve maximum damage. Resecurity® HUNTER (the threat research & intelligence team) published exclusive screenshots and details acquired as a direct result of the Nevada Ransomware affiliate network analysis. Part of this research is based on Human Intelligence (HUMINT) engagement with the actors responsible for inviting and vetting new affiliates.
Researchers found certain similarities with Petya Ransomware – notably Nevada Ransomware is also leveraging the Salsa20 encryption algorithm as well as a similar structure of the locker. According to experts, similar to early versions of Petya Ransomware, the code has some ‘flaws’ allowing some encrypted files to be decrypted. Researchers have shared their findings and described a possible concept that may be used for decryption.
Resecurity was able to gain access to the Nevada Ransomware affiliate panel hosted on the TOR network. In the report we can see the inner workings of the ransomware, the bad actors workspace provides a plethora of options, for example, communication with the victim, statistics, ransom balance and much more.
Resecurity acquired Linux-based and Windows versions of the Nevada Ransomware then published a reverse engineering report and indicators of compromise (IOCs). The experts expect an active development of the group in 2023 – by victims and by new affiliates who will join the project.
Additional technical details about the new variant are available here:
https://resecurity.com/blog/article/nevada-ransomware-waiting-for-the-next-dark-web-jackpot
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Nevada Ransomware)