Back

Nevada Ransomware - Waiting For The Next Dark Web Jackpot

Cybercrime Intelligence

cyber threat intelligence, ransomware, nevada ransomware, windows, linix, esxi, darkweb, tor

Nevada Ransomware - Waiting For The Next Dark Web Jackpot

Resecurity® has identified a relatively new ransomware family called “Nevada Ransomware”. The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is known for initial access brokers (IABs) and other cybercriminal actors and ransomware groups. On February 1st (2023), the operators behind the project updated and significantly improved the functionality of the locker for Windows and Linux/ESXi, and distributed new builds for their affiliates which have been analyzed by our malware intelligence team. Notably, identified were multiple updates of the locker in January - what may confirm how the project has good support and is actively developing.

Resecurity® HUNTER (the threat research & intelligence team) published exclusive screenshots and details acquired as a direct result of the Nevada Ransomware analysis. Part of this research is based on Human Intelligence (HUMINT), engagement with the actors responsible for inviting and vetting new affiliates. Notably, the operators behind the project combined ‘the best’ sides of known RaaS platforms as of today, and likely have an origin from one of the now closed projects, which is reborn under a new brand.

On December 10th, 2022 – the actor ‘nebel’ published a post describing the new project and then proceeded to invite new affiliates. The Nevada Ransomware offers very attractive and competitive conditions – 85% (to partner) with a further increase to 90% assuming further progress. Notably, the actors also acquired compromised access for further development besides being ransomware developers. Based on our current assessment, they have a team performing post exploitation to develop the initial point of compromise into full blown network intrusion to achieve maximum damage.


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware



The post also contains a translation in English and Chinese – which may depict how the actors are interested in attracting a broader audience besides the Russian-speaking only audience. Interestingly, they contradicted themselves by stating how they don’t work with English-speaking affiliates. However, based on our assessment, the group is pretty open to doing business with vetted actors in the access brokerage niche – some of them have been identified with origins to ex-USSR, European Union, Islamic Republic of Iran and China, and previously they’ve been traced in hacked RDP and VPN suppliers for other ransomware networks.


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware



Some of the other actors present at RAMP ironically mentioned in a response to the Nevada Ransomware representative that the exclusion of English-speaking actors is bad for business. Many credible bad actors from the non-English-speaking countries communicate in English on criminal forums.

Resecurity was able to gain access to the affiliate panel hosted on the TOR network. The access is provided to affiliates after the initial vetting procedure. Such tactics are used for security purposes to ensure the affiliate is credible and won’t create risk for the project.


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware



After a successful encryption procedure and/or data exfiltration, the operator may create a new victim via the panel:


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware



In the panel, the operator is required to define brief information about the victim (name, geography, revenue) along with a desirable ransom payment.

The victim will become visible in the list of companies for further tracking and communications via the available live chat. Similar chats were used by Blackhat, Lockbit, Hive and other notable ransomware projects to pressure victims into paying the ransom.


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware



Each company which falls victim is added into the panel which then provides a dedicated work space to engage with victim.


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware



Later, the statistics with further details will be visible on the index page – with the status of the ransom payments.


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware



Resecurity acquired Linux-based and Windows versions of the Nevada Ransomware. During the research we became aware of 2 released updates – these were released around January 20th and February 2nd with improved functional and significant tweaks in the affiliate portal.


- Nevada Ransomware (Windows Version x64):

Nevada Ransomware is written in the Rust language. Similar to Hive Ransomware, the locker can be executed via a console with pre-defined flags. Resecurity was able to recover information about the functions of each flag:


-file  encrypt selected file
-dir  encrypt selected directory
-sd  self delete after everything done
-sc   delete shadow copies
-lhd   load hidden drives
-nd   find and encrypt network shares
-sm  safe mode encryption


Nevada Ransomware is using the following Rust libraries (crates):

https://github.com/RustCrypto/traits/cipher/

https://github.com/marshallpierce/rust-base64/

https://github.com/rust-random/rand/

https://github.com/rodrigocfd/winsafe/ (old wrapper for WinApi functions)

https://github.com/rust-lang/rustc-demangle/


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 1 - Strings that store information about used libraries (crates)




The encryptor is checking locales (see Figure 2), and doesn’t work with the following locales related to ex-USSR geographies, and what is more interesting - Albania, Hungary, Vietnam, Malaysia, Thailand, Turkey, Iran. 

ru-RU

0x0419

vi-VN

0x042A

se-NO

0x043B

hr-HR

0x041A

hy-AM

0x042B

yi-001

0x043D

sk-SK

0x041B

az-Latn-AZ

0x042C

ms-MY

0x043E

sq-AL

0x041C

eu-ES

0x042D

kk-KZ

0x043F

sv-SE

0x041D

hsb-DE

0x042E

ky-KG

0x0440

th-TH

0x041E

mk-MK

0x042F

sw-KE

0x0441

tr-TR

0x041F

st-ZA

0x0430

tk-TM

0x0442

ur-PK

0x0420

ts-ZA

0x0431

uz-Latn-UZ

0x0443

id-ID

0x0421

tn-ZA

0x0432

tt-RU

0x0444

uk-UA

0x0422

ve-ZA

0x0433

ru-MD

0x819

be-BY

0x0423

xh-ZA

0x0434

 

 

sl-SI

0x0424

zu-ZA

0x0435

 

 

et-EE

0x0425

af-ZA

0x0436

 

 

lv-LV

0x0426

ka-GE

0x0437

 

 

lt-LT

0x0427

fo-FO

0x0438

 

 

tg-Cyrl-TJ

0x0428

hi-IN

0x0439

 

 

fa-IR

0x0429

mt-MT

0x043A

 

 

Table 1 – Locales that the encryptor doesn’t work with


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 2 – Localization check




The encryptor doesn’t send requests to a server, because it doesn’t import winsock.dll or load dynamically (see Figure 3), but if it’s ran with the argument “-nd”, it collects information about network resources, because it’s using the MPR.dll (see Figure 4), which the malware often utilize for such actions. The recursive algorithm (see Figure 5) for collecting this information was implemented in the code. Then the information about shared directories will be saved in a queue for further encryption.


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 3 – Modules that the encryptor loads



forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 4 – Import functions from the MPR library



forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 5 – Collects information about network resources.


The encryptor is capable of showing all drives (including the hidden drives), if its run with tje argument “-lhd”. It takes the drives and assigns them a letter (see Figure 6). Then the information about the files on any hidden drive will be saved in a queue for further encryption. (See Figure 7)


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 6 - Assigns letter for drive



forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 7 – Adds the directory to be encrypted.



The encryptor can be installed as a service (see Figure 8) when run with the argument “-sm”. After that the computer will be rebooted, and then Windows will start in the safe mode with a network connection (see Figure 9).


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 8 – Information about Nevada service



forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 9 – Set safe mode with networking by default.



The encryptor is using Salsa20 encryption algorithm (see Figure 10, 11). Resecurity specialists have encrypted two identical files and noticed that the file was encrypted in parts (or “stripes” – as the actors call it at Nevada Ransomware (see Figure 12)). The original and encrypted file has the size of 56,983,552 bytes. The band size is 524,288 bytes, which is 512 KB. Files smaller than 512KB are fully encrypting.


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 10 – Encryption algorithm start



forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 11 – Encryption algorithm (inside)



forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 12 - Comparison of two encrypted files



When the encryptor uses the ‘-dir’ argument, it encrypts directories (see Figure 13), but ignores system folders (see Figure 14), and some file extensions (see Figure 15.1 and 15.2).


System folders: Extensions:
Windows exe
Program Files  ini 
Program Files (x86)  dll 
AppData  url 
Programdata  lnk 
System volume information  scr 


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 13 - Encrypted directories.



forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware




forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 14 – Ignore system folders.



forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 15.1 – Ignore file extensions.



forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 15.2 – Ignore file extensions.




Each encrypted folder contains a new file named “readme” (see Figure 16), and the extension of the encrypted files have the extension “.NEVADA” (see figure 17).


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 16 – The readme file



forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
Figure 17 – The “.NEVADA” file extension


- Nevada Ransomware (Linux Version)

The locker is written in Rust and can be executed with several flags described below. Resecurity has recovered the following details with exact functions of each flag:


-help help
-daemon creation and launch of a service nevada
-file encrypt particular file
-dir encrypt particular folder
-esxi disable all virtual machines


Similar to the Windows version, the Linux version is using Salsa20 with a constant variable “expand 32-byte k” – notably, the same approach was used in famous Petya Ransomware. Petya has been using the Salsa20 stream cipher to encrypt the Master File Table and make the compromised disk inaccessible. 


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware



An encryption key exchange is based on x25519_dalek library - A pure-Rust implementation of x25519 elliptic curve Diffie-Hellman key exchange, with curve operations provided by curve25519-dalek (https://github.com/dalek-cryptography/x25519-dalek).


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware



As observed in the Windows version, Nevada Ransomware is encrypting files ‘by stripes’ – which are positioned by operators behind the project as a significant advantage facilitating speed in combination with Sales20. That being said, for a successful decryption, it is required to know which area hasn’t been encrypted – which makes the process complicated. Files less than 524288 byte (512kb) – will be fully encrypted, which seems to be an exception.


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware



Interestingly, for some reason, Nevada Ransomware (at least, for Linux) – wont encrypt files in the range of  524288 and 1310719 bytes. Those files will remain the same, but with only added extension (.NEVADA) and an additional 38 bytes on the end of the file. This small detail makes recovery process possible in practice with files having sizes between 524326 and 1310757 bytes. We also detected a locker with customized extensions provided to vetted
affiliates. These tactics are likely utilized to prevent attribution to Nevada Ransomware and thus allow affiliates to leverage it under their own brand.

If the file is less than 2048 Kbs – there will be only 1 block (stripe) encrypted. If more or equal – the blocks will be used one by one (512 Kbs after every 256 Kbs).


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware



If after the last encrypted block there is less than 768 Kbs (512+256), it won’t be touched by the locker. In the end of the binary the key and signature “Nevada” will be added.


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware



The Public Key is stored at the end of the file:


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware



Possible Data Decryption


In order to recover the data encrypted by Nevada Ransomware, we need to know the private key “B” and public key “A”, which are added to the end of the file, nonce for Salsa20 and the size of the file and algorithm used for selecting ‘stripes’ to encrypt (which may potentially be measured or guessed). Below is a prototype of the decryption process in Rust with Salsa20 and x25519_dalek libraries. The example is purposely simplified for research purposes:


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware


However, similar to Petya Ransomware it also contained a series of implementation bugs that rendered the encryption algorithm flawed, making it possible to recover data without paying the ransom.


Encryption Note


After successful encryption Nevada Ransomware will drop ‘readme.txt’ in each folder with files on the victim's machine:

forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware
The resulting Ransome Letter to the Victim



Interestingly, identified were several exceptions when analyzing the encryption process. The folders having at least 1 sub-folder named “nevada” won’t be encrypted:

- /some/dir/nevada/folder/file.dat – won’t be encrypted
- /some/dir/folder/subfolder/file.dat – will be encrypted

Files with possible extensions ".exe", ".ini", ".src", ".lnk" located in folders won’t be encrypted by default – to encrypt them the operator needs to specify a flag "-file" (when executing Nevada from a console).


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware


forum post ramp underground dark web russian cyber criminal bad actor nevada ransomware




Indicators of Compromise (IOCs)



URL (TOR):
nevcorps5cvivjf6i2gm4uia7cxng5ploqny2rgrinctazjlnqr2yiyd[.]onion/{victim ID}

MD5:
99549bcea63af5f81b01decf427519af (Windows)

MD5:
fb5dcf0b880b57b10a2093f164f2ed27 (Windows)

MD5:
709ba88e758454f097959c3e62997000 (Windows)

MD5: 
f1f569c6e4f961007f7411fca131bbe0 (Linux)

MD5:
1396ab93e9104faaf138ac64211471ba (Linux)



Significance


Nevada Ransomware is a new and actively progressing Ransomware-as-a-Service (RaaS) with an established affiliate network. The actors are inviting both Russian- and English-speaking affiliates to collaborate with a big number of Initial Access Brokers (IABs) in Dark Web. Notably, the group behind the Nevada Ransomware is also buying compromised access by themselves, the group has a dedicated team for post-exploitation, and for conducting network intrusions into the targets of interest. Resecurity is expecting a spike in active growth from Nevada Ransomware in 2023 - both in number of victims and affiliates collaborating with the group, this is due to the attractive conditions (85/15, 90/10). The project is well presented on the RAMP underground forum and has already attracted interest from credible cybercriminals who may be joining them after the closure of other major ransomware networks.

Newsletter

Keep up to date with the latest cybersecurity news and developments.

By subscribing, I understand and agree that my personal data will be collected and processed according to the Privacy and Cookies Policy

Cloud Architecture
Cloud Architecture
445 S. Figueroa Street
Los Angeles, CA 90071
Google Maps
Contact us by filling out the form.
Try Resecurity products today with a free trial