Nitrogen Ransomware Bug Locks Out Attackers from Victims' Data

Cybersecurity firm Coveware's analysis highlights how the group's overconfidence backfired spectacularly.


Nitrogen ransomware developers have suffered a self-inflicted blow: a critical coding error permanently locks victims' data, even from the attackers themselves. The bug, in the group's VMware ESXi-targeting malware, corrupts the public key during encryption, so decryption is impossible regardless of whether a ransom is paid.

The flaw stems from a memory-management error in Nitrogen's ransomware, which is derived from leaked Conti 2 source code. During encryption, loading a new 64-bit variable (QWORD) overlaps the public key and overwrites its first four bytes with zeros. The corrupted key has no matching private key, so file recovery is mathematically infeasible for the attackers as well. Victims without backups face total data loss, which adds irony to the group's double-extortion tactics.
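As an added illustration (not code from the article, Coveware, or any ransomware source), the following C program reproduces the class of bug described: an 8-byte store into a 4-byte slot whose immediate neighbour is the public-key buffer. The buffer layout, key bytes and flag value are constructed for the demo; the article does not describe Nitrogen's actual data structure.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLAG_LEN 4     /* 32-bit slot that mistakenly receives a 64-bit value */
#define KEY_LEN  32    /* public key stored directly after it */

/* Constructed layout (hypothetical): a 4-byte field immediately followed by
 * the public key, so an oversized write into the field spills onto key[0..3]. */
typedef struct {
    uint8_t bytes[FLAG_LEN + KEY_LEN];
} enc_ctx;

/* Buggy store: copies all 8 bytes of a QWORD into the 4-byte slot. On a
 * little-endian machine the high (zero) half lands on the key's first 4 bytes,
 * which is the failure mode the article reports. */
static void store_flag_buggy(enc_ctx *ctx, uint64_t value) {
    memcpy(ctx->bytes, &value, sizeof value);
}

/* Corrected store: truncate to the field's width before copying. */
static void store_flag_fixed(enc_ctx *ctx, uint64_t value) {
    uint32_t v = (uint32_t)value;
    memcpy(ctx->bytes, &v, sizeof v);
}

/* Counts key bytes that differ from the key originally loaded. Any non-zero
 * result means ciphertext made with this key will not decrypt with the
 * private key that matches the original. */
static size_t key_bytes_clobbered(const enc_ctx *ctx, const uint8_t *orig) {
    size_t n = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        if (ctx->bytes[FLAG_LEN + i] != orig[i]) n++;
    return n;
}

/* Loads a constructed key with no zero bytes, performs one store, reports damage. */
size_t run_store(int use_fixed) {
    uint8_t orig[KEY_LEN];
    for (size_t i = 0; i < KEY_LEN; i++) orig[i] = (uint8_t)(0xA0 + i);
    enc_ctx ctx = {{0}};
    memcpy(ctx.bytes + FLAG_LEN, orig, KEY_LEN);
    if (use_fixed) store_flag_fixed(&ctx, 1);
    else           store_flag_buggy(&ctx, 1);
    return key_bytes_clobbered(&ctx, orig);
}

int main(void) {
    printf("buggy store clobbered %zu key bytes\n", run_store(0));
    printf("fixed store clobbered %zu key bytes\n", run_store(1));
    return 0;
}
```

A comparison like key_bytes_clobbered, run against a known fingerprint of the key before any file is touched, is the kind of self-check that would have caught this defect before deployment.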

Nitrogen, active since 2023, employs sophisticated multi-stage loaders delivered via malvertising and trojanized apps like WinSCP. Initial access leads to DLL sideloading, stagers unpacking Python scripts, and C2 beacons such as Cobalt Strike for persistence and lateral movement. The operation exfiltrates data to Bulgarian servers before encrypting files with a ".nba" extension and dropping "readme.txt" ransom notes. Targets span finance, manufacturing, and healthcare, including recent hits on Durashiloh and LumioDental. 

This case exemplifies a recurring hazard in ransomware development: attackers reuse poorly written code without sufficient testing. Coveware notes that the ESXi strain can leave hypervisors unrecoverable, and that the attackers lose interest in their targets once negotiations fail. That supports the decision not to pay, since payment buys nothing when decryption is impossible. Immutable backups and network segmentation remain essential defences against such threats.

The incident also shows how quickly the cybersecurity landscape shifts, with attackers' haste creating openings that work against them. Nitrogen's leak site, "NitroBlog," has begun pressuring the unrecoverable victims, although experts recommend ignoring such threats. More careful code analysis could have prevented this self-defeating outcome, but the rushed pace of malware development remains a problem.