Nevada Ransomware Report

A ransomware operation known as ‘Nevada’ has been detected targeting Windows and VMware ESXi systems. It is distributed via infected email attachments (macro-enabled documents), torrent websites and malicious advertisements. The associated ransomware group was first reported on the RAMP darknet forum on 10th December 2022. The group operates under a Ransomware-as-a-Service (RaaS) model and has invited Russian- and Chinese-speaking threat actors to collaborate in its attacks in return for an 85% cut of the ransom. RaaS is a particularly dangerous model because it gives threat actors who lack sufficient tooling and infrastructure the ability to carry out sophisticated attacks, making the ransomware more widespread.

The Nevada ransomware group uses a Rust-based locker, a real-time interactive messaging portal for negotiations, and separate domains on the Tor network for affiliates and for victims. Other ransomware families that have adopted Rust in recent months include BlackCat, Hive, Luna, Nokoyawa, RansomExx and Agenda.

The ransomware group appears to have explicitly excluded English-speaking affiliates; however, it remains open to doing business with brokers from any location. One unusual feature of the Nevada ransomware group is the list of locations it excludes from encryption. Ransomware groups in general tend to avoid targeting potential victims inside Russia or the Commonwealth of Independent States (CIS) member states. The Nevada ransomware group has extended that list to the following countries: Albania, Hungary, Vietnam, Malaysia, Thailand, Turkey and Iran.

Two variants of the Nevada ransomware strain currently exist. One targets Windows operating systems, whereas the other targets Linux/VMware ESXi systems. Both variants support a set of command-line flags that give the operators control over how the target system is encrypted.

Cyber security researchers from Resecurity have identified similarities between this Nevada ransomware variant and Petya ransomware. This is significant because both variants share a potential weakness that could allow the private key to be recovered, which would allow the data to be retrieved without paying the demanded ransom.

The Nevada ransomware group applies a double extortion technique: not only does the group encrypt the victim’s private data and demand a ransom for the keys, but it also threatens to publish the data on its own dark web leak site. This is likely designed to increase pressure on the victim and improve the chances of payment.

Download Quorum Cyber’s analysis of Nevada Ransomware.

This document provides a summary of our findings; our full analysis will be available later this week.