A new ransomware operation was discovered. The ransomware is known as Nevada. Researchers have observed its variants evolving capabilities, such as targeting both Windows and VMware ESXi systems.
"Nevada ransomware started to be promoted on the RAMP darknet forums on December 10, 2022, inviting Russian and Chinese-speaking cybercriminals to join it for an 85% cut from paid ransoms. For those affiliates who bring in a lot of victims, Nevada says they will increase their revenue share to 90%. RAMP has been previously reported as a space where Russian and Chinese hackers promote their cybercrime operations or communicate with peers." (Bleeping Computer, 2023)
Nevada ransomware comprises several components: a Rust-based locker, a real-time negotiation chat portal, and separate domains in the Tor network for affiliates and victims. The Nevada ransomware variant supports a set of flags that gives operators control over the encryption:
- file > encrypt selected file
- dir > encrypt selected directory
- sd > self delete after everything done
- sc > delete shadow copies
- lhd > load hidden drives
- nd > find and encrypt network shares
- sm > safe mode encryption
"The payload uses MPR.dll to collect information about network resources, adding shared directories in the encryption queue. Each drive, including hidden ones, is assigned a letter, and all files in them are added to the queue too. After this stage, the encryptor is installed as a service, and then the breached system reboots into Windows safe mode with an active network connection. The locker uses the Salsa20 algorithm to perform intermittent encryption on files larger than 512KB for quicker encryption. Executables, DLLs, LNKs, SCRs, URLs, and INI files in Windows system folders and the user's Program Files are excluded from encryption to avoid rendering the victim host unbootable." (Bleeping Computer, 2023)
Nevada ransomware appends the ".NEVADA" file extension to encrypted files. Each folder receives a ransom note giving the victim five days to meet all of the threat actors' demands; otherwise, the victim's data is to be published on Nevada's data leak website. The Linux/VMware ESXi encryptor uses the Salsa20 algorithm, the same algorithm used on Windows devices. The Linux encryptor only encrypts files smaller than 512KB. Additionally, the Linux locker supports the following flags:
- help > help
- daemon > creation and launch of a 'nevada' service
- file > encrypt particular file
- dir > encrypt particular folder
- esxi > disable all virtual machines
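The flag lists above and the ".NEVADA" extension are the observable artifacts a defender can key on. The following is an added triage example, not code from the original write-up or from Resecurity: it correlates constructed process-creation and file-creation events per host, maps command-line flags to the Windows or Linux locker build, and reports hosts where a high-impact flag (shadow copies, hidden drives, shares, safe mode, ESXi VMs) or renamed files appear. The single-dash flag prefix and the event format are assumptions.

```python
from collections import defaultdict

# Flag sets as listed in the write-up. The single-dash prefix is an assumption;
# adjust it to whatever the sample being investigated actually accepts.
WINDOWS_FLAGS = {"file", "dir", "sd", "sc", "lhd", "nd", "sm"}
LINUX_FLAGS = {"help", "daemon", "file", "dir", "esxi"}
# Flags that widen the blast radius: shadow copies, hidden drives, shares, safe mode, ESXi VMs.
HIGH_IMPACT = {"sc", "lhd", "nd", "sm", "esxi"}
ENCRYPTED_EXT = ".nevada"

def nevada_flags(cmdline):
    """Return the known Nevada flags present in a command line (case-insensitive)."""
    args = cmdline.split()[1:]
    seen = {a.lstrip("-").lower() for a in args if a.startswith("-")}
    return seen & (WINDOWS_FLAGS | LINUX_FLAGS)

def infer_variant(flags):
    """Guess the locker build from flags that exist on only one platform."""
    if flags & (WINDOWS_FLAGS - LINUX_FLAGS):
        return "windows"
    if flags & (LINUX_FLAGS - WINDOWS_FLAGS):
        return "linux"
    return "unknown"

def correlate(events):
    """Group events per host; report hosts with a high-impact flag or .NEVADA files.

    A lone -file or -dir is too generic to alert on by itself, so it only
    counts when the same host also shows renamed files.
    """
    hosts = defaultdict(lambda: {"flags": set(), "encrypted": 0})
    for ev in events:
        h = hosts[ev["host"]]
        if ev["type"] == "process":
            h["flags"] |= nevada_flags(ev["cmdline"])
        elif ev["type"] == "file" and ev["path"].lower().endswith(ENCRYPTED_EXT):
            h["encrypted"] += 1
    findings = {}
    for host, h in hosts.items():
        if h["flags"] & HIGH_IMPACT or h["encrypted"] > 0:
            findings[host] = {"variant": infer_variant(h["flags"]),
                              "flags": sorted(h["flags"]),
                              "encrypted_files": h["encrypted"]}
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry, not real indicators
    {"host": "WS01", "type": "process", "cmdline": r"C:\Users\Public\locker.exe -sc -nd -sm -sd"},
    {"host": "WS01", "type": "file", "path": r"C:\Finance\q4.xlsx.NEVADA"},
    {"host": "WS01", "type": "file", "path": r"C:\Finance\budget.docx.NEVADA"},
    {"host": "ESX02", "type": "process", "cmdline": "/tmp/nevada -esxi -dir /vmfs/volumes"},
    {"host": "WS07", "type": "process", "cmdline": r"C:\Tools\backup.exe -file report.pdf"},
]
```

Running `correlate(SAMPLE_EVENTS)` reports WS01 as the Windows build with two renamed files and ESX02 as the Linux build, while WS07's generic `-file` argument alone produces no finding.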
Researchers at Resecurity state that, to recover data encrypted by Nevada ransomware, the private key "B" and the public key "A", added to the end of the file, must be known. Nevada ransomware is still developing its networks and should be closely monitored as it continues to grow.
Researchers have found similarities between the Nevada ransomware and the Petya ransomware. The encryption algorithms used by the two ransomware variants depend on a constant variable. Additionally, they share similar encryption implementation bugs that make it possible to retrieve private keys, which would permit data recovery. Nevada ransomware does have its own unique characteristics, such as excluding victims in Albania, Hungary, Vietnam, Malaysia, Thailand, Turkey, and Iran. However, the actors invite both Russian and English-speaking affiliates to collaborate with initial access brokers on the dark web.
Back up your data, system images, and configurations, regularly test the backups, and keep them offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because, if your network data is encrypted with ransomware, your organization can still restore its systems.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
Resecurity has shared IOCs associated with Nevada ransomware: