Description
Researchers at Resecurity have identified a relatively new ransomware-as-a-service (RaaS) family called Nevada ransomware.
Summary
This new ransomware was introduced on the dark web through the threat actors' platform in the RAMP underground community, where initial access brokers (IABs), other cybercriminal actors and ransomware groups communicate with each other. The ransomware was first introduced on December 10th, 2022, and on the 1st of February 2023 the operators reportedly updated and significantly improved the overall functionality of the ransomware for both the Windows and Linux/ESXi versions. Researchers have found that the threat actors behind Nevada are trying to broaden their audience of users. The ransomware is also advertised with very enticing conditions, promising from 85 to 90 percent of the revenue gained to the operators of the ransomware.
How it works
Once through the vetting procedure, you are given access to the ransomware's affiliate panel hosted on the TOR network. The panel requires you to provide brief information on the victim that you would like to target, such as the name, geography and revenue, along with the desired ransom payment. This information is then listed in a Companies category on the platform panel for further tracking and communication via a live chat feature. Victims of the ransomware are added into a dedicated workspace panel that provides details such as the status of the payment and allows engagement with the victim through live chat (the original advisory includes an image of the panel and of the live chat used to engage with the victim).
The Nevada ransomware is available in two versions, a Windows x64 version and a Linux version. Both are written in the Rust language and are executed from the console through pre-defined flags. The flags for the Windows version are:
-file | encrypt selected file
-dir | encrypt selected directory
-sd | self delete after everything done
-sc | delete shadow copies
-lhd | load hidden drives
-nd | find and encrypt network shares
-sm | safe mode encryption
The flags for the Linux version are:
-help | help
-daemon | creation and launch of a service nevada
-file | encrypt particular file
-dir | encrypt particular folder
-esxi | disable all virtual machines
Nevada uses the Salsa20 encryption algorithm to encrypt files. The researchers have noticed that files are encrypted in parts, or stripes, if the file size is larger than 512KB. It was also found that the ransomware runs a check on the victim's locale: it does not run on locales related to the ex-USSR and on countries such as Albania, Hungary, Vietnam, Malaysia, Thailand, Turkey and Iran.
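As an added example, not part of the advisory and not code from Resecurity or the ransomware itself: a forensic triage heuristic that flags files showing the alternating high/low entropy profile that striped (intermittent) encryption of large files leaves behind, which helps an incident responder tell fully encrypted, partially encrypted and untouched files apart on a suspect host. The window size, entropy threshold and sample inputs are assumptions for illustration, not Nevada's actual stripe layout.

```python
import math
import os
from collections import Counter

STRIPE_THRESHOLD = 512 * 1024  # advisory: files larger than 512 KB are encrypted in stripes
WINDOW = 64 * 1024             # assumption: analysis window, not Nevada's real stripe length
HIGH_ENTROPY = 7.5             # bits/byte; cipher output is near 8.0, text sits far lower


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = WINDOW) -> list[float]:
    """Entropy of each consecutive window of the buffer, in file order."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def classify(data: bytes) -> str:
    """Triage verdict: 'fully_encrypted' (every window high entropy; compressed
    formats look the same, so confirm against magic bytes), 'plaintext' (no high
    window), 'striped' (high and low windows alternate, as intermittent encryption
    leaves) or 'partial' (a single encrypted region, e.g. only the file head)."""
    flags = [e >= HIGH_ENTROPY for e in entropy_profile(data)]
    if all(flags):
        return "fully_encrypted"
    if not any(flags):
        return "plaintext"
    transitions = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
    return "striped" if transitions >= 2 else "partial"


def build_samples(size: int = STRIPE_THRESHOLD * 2) -> dict[str, bytes]:
    """Constructed inputs (not real Nevada artefacts): a 1 MB text file, random
    bytes standing in for a fully encrypted file, and a file whose windows
    alternate between random bytes and text to mimic striped encryption."""
    text = b"Quarterly revenue report, draft 3. " * 64
    plain = (text * (size // len(text) + 1))[:size]
    encrypted = os.urandom(size)
    striped = b"".join(
        encrypted[i:i + WINDOW] if (i // WINDOW) % 2 == 0 else plain[i:i + WINDOW]
        for i in range(0, size, WINDOW)
    )
    return {"plain": plain, "encrypted": encrypted, "striped": striped}
```

Run it over the samples from build_samples() or over files read from disk; a real stripe that is not aligned to the window yields intermediate entropies, which is why the threshold sits at 7.5 rather than 7.9.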
Indicators of Compromise
The TOR URL and file hashes associated with the Nevada ransomware are:
URL (TOR):
nevcorps5cvivjf6i2gm4uia7cxng5ploqny2rgrinctazjlnqr2yiyd[.]onion/{victim ID}
MD5:
99549bcea63af5f81b01decf427519af (Windows)
fb5dcf0b880b57b10a2093f164f2ed27 (Windows)
709ba88e758454f097959c3e62997000 (Windows)
f1f569c6e4f961007f7411fca131bbe0 (Linux)
1396ab93e9104faaf138ac64211471ba (Linux)
Remediation
To protect yourself against ransomware attacks like Nevada, it is recommended to have proper cyber security hygiene when navigating the internet. Here are some tips to consider:
Because most ransomware attacks are delivered through phishing and scams, it is necessary that users know how to spot phishing and scam emails.
Be wary of files downloaded from the internet. Any file should be downloaded from verified sources and scanned.
Be on the lookout for websites that may be compromised and attempt a drive-by download.
Maintain regular backups of critical systems and data in case of a ransomware attack.
Restrict administrative and system access so that users who do not require those privileges do not hold them.
Maintain and update all security software including anti-virus, anti-malware, firewalls and endpoint protections.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
References
Toulas, B. (2023, February 1). New Nevada Ransomware targets Windows and VMware ESXi systems. Retrieved from BleepingComputer. https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-targets-windows-and-vmware-esxi-systems/
Resecurity Hunter. (2023, January 30). Nevada Ransomware – Waiting For The Next Dark Web Jackpot. Retrieved from the Resecurity Blog. https://resecurity.com/blog/article/nevada-ransomware-waiting-for-the-next-dark-web-jackpot