Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label new ransomware. Show all posts

Nevada Ransomware: Another Feather in the RaaS Ecosystem

Resecurity which is known for its cybersecurity services including risk management, endpoint protection, and threat intelligence for large enterprises and government agencies worldwide has discovered a new ransomware family in its study tracked as “Nevada Ransomware”. 

The threat actors who are responsible for this new malware have an affiliate platform that was first introduced on the RAMP underground community known for initial access brokers (IABs) and other malicious actors and ransomware groups. 

Recently, on 1st February, the threat actors behind this campaign updated and significantly advanced the functionality of the locker for Windows and Linux/ESXi. Along with this, the group also distributed new builds for their affiliate platforms, and the malware intelligence team studied these new developments in its report. 

Nevada Ransomware is written in the Rust language, which is similar to Hive Ransomware. The locker can be executed via a console with pre-defined flags including encrypting selected files and directories, deleting shadow copies, self-mode encryption, self-deleting, loading hidden drives, and finding and encrypting network shares. 

Furthermore, the threat actors possess the ability to escalate their attack beyond the initial point of compromise by performing post-exploitation actions for maximum damage. As per the data from the researchers, actors are constantly updating Windows and Linux/ESXi versions of the Nevada Ransomware. 

It did not stop here, Nevada Ransomware actors not only develop the ransomware but also gain unauthorized access for future exploitation. The operators who are working behind the malware are specialized in post-exploitation. 

“The Nevada Ransomware offers very attractive and competitive conditions – 85% (to partner) with a further increase to 90% assuming further progress. Notably, the actors also acquired compromised access for further development besides being ransomware developers. Based on our current assessment, they have a team performing post-exploitation to develop the initial point of compromise into full-blown network intrusion to achieve maximum damage,” said Resecurity. 

Additionally, the post also contains a translation in English and Chinese – which is an indication that the operators are also interested in attracting a worldwide audience besides the Russian-speaking. Based on the researchers' study, the threat actors are open to doing business with ex-USSR, the Islamic Republic of Iran, the European Union, and China. Previously they have been traced in hacked RDP and VPN suppliers for other ransomware networks.