A new ransomware operation, known as “Nevada”, has been observed by security researchers that its functionality for the locker targeting Windows and VMware ESXi systems has improved. 

On December 10, 2022, Nevada ransomware began to be advertised on the RAMP darknet forums, urging Chinese- and Russian-speaking threat actors to join it in exchange for an 85% split of paid ransoms. Furthermore, For those affiliates who bring in a lot of victims, Nevada says they will increase their revenue share to 90%.

_____________________________

A. Nature of the Attack

The Nevada ransomware that targets Windows host machines is executed through the console. Also, it supports the following flags that give its operations some control over the encryption:

1. -file = encrypt selected file

2. -dir = encrypt selected directory

3. -sd = self delete after everything done

4. -sc = delete shadow copies

5. -lhd = load hidden drives

6. -nd = find and encrypt network shares

7. -sm = safe mode encryption

The payload uses MPR.dll, a dynamic link library that includes important functions that may be needed by other basic Windows tools, to collect information about network resources, adding shared directories in the encryption queue. Thereafter, the encryptor is installed as a service, and then the victim’s system reboots into Windows safe mode with an active network connection. 

The encrypted files would then have the “.NEVADA” file extension and each folder hosts a ransom note that gives victims five days to meet the cybercriminal’s demands, else their stolen data would be published on Nevada’s data leak website.

As for the targeted VMWare ESXi systems, the Linux/VMware ESXi version of Nevada ransomware uses the same encryption algorithm (Salsa20) as the Windows variant. 

The Linux locker supports the following flags:

1. -help = help

2. -daemon = creation and launch of a ‘nevada’ service

3. -file = encrypt particular file

4. -dir = encrypt particular folder

5. -esxi = disable all virtual machines

On Linux systems, the public key is stored at the end of the encrypted file in the form of an additional 38 bytes. 

Resecurity, a cybersecurity company, says that similarities shared with Petya ransomware extend to encryption implementation bugs that might make it possible to retrieve the private key too, which would allow recovering the data without paying the ransom.

_____________________________

B. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • For the prevention of ransomware incidents, use a backup system that enables multiple saving of backups in case one of the backup copies contains files that are encrypted or infected. Test backups frequently to verify data integrity and functionality.
  • Make sure that all systems and firmware are patched.
  • Proactively monitor and secure identified systems and devices for any suspicious/malicious activities.
  • Use an anti-virus software and/or host-based detection tool running with the latest version to protect your data and devices.
  • In addition, providing and capacitating employees with cybersecurity knowledge and information to minimize the attack surface.
  • For additional information, kindly refer to the official report,
    • https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-targets-windows-and-vmware-esxi-systems/