ASEC researchers detected Nevada ransomware distribution, noting its Rust-based implementation and the use of the .NEVADA extension for encrypted files. The malware supports command-line options to tailor encryption, creates README.txt ransom notes with a Tor payment link, and can operate in Safe Mode while attempting to disable security tooling. #NevadaRansomware #AhnLab #ASEC #Tor
Keypoints
- Nevada ransomware is Rust-based and appends the .NEVADA extension to encrypted files, with README.txt ransom notes containing a Tor payment link.
- It offers command-line options to control execution, including -file and -dir, while skipping directories that Nevada has already encrypted.
- Self-deletion is supported via the -sd option, exemplified by a command that deletes the ransomware executable after encryption.
- Volume Shadow Copy deletion is performed using DeviceIoControl to shrink VSS storage, a less common method to hinder recovery.
- It can load hidden drives (-lhd) and encrypt hidden partitions, expanding its targeting beyond visible volumes.
- Encryption of shared network folders (-nd) shows that it can reach network shares accessible from the infected system, not only local volumes.
- Safe Mode operation (-sm) includes service installation and registry changes to run after boot, plus disabling WinDefender.
- Locale-based infection exclusion targets CIS countries, and there are explicit file/folder and extension exclusions from encryption (e.g., Windows/system folders and exe, dll, ini, etc.).
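As an added example that is not part of the ASEC report, the switches listed above can be turned into a simple process-command-line detection; the sample events, paths and binary names below are constructed for the example.

```python
import shlex

# Nevada command-line switches described in the ASEC write-up, mapped to the
# behaviour attributed to each so an analyst sees why a hit matters.
NEVADA_SWITCHES = {
    "-file": "encrypt a specific file",
    "-dir": "encrypt a directory tree",
    "-sd": "self-delete after encryption",
    "-lhd": "load and encrypt hidden drives",
    "-nd": "encrypt shared network folders",
    "-sm": "register a service and run in Safe Mode",
}
# -file/-dir alone are common in benign tools; these four are family-specific.
FAMILY_SPECIFIC = {"-sd", "-lhd", "-nd", "-sm"}

# Constructed process-creation command lines for the example; the paths and
# binaries are made up and are not from the ASEC report.
SAMPLE_EVENTS = [
    r'"C:\Program Files\7-Zip\7z.exe" a -t7z backup.7z C:\Users\alice\docs',
    r'C:\Users\bob\Downloads\update.exe -sd -lhd -nd -sm',
    r'C:\Windows\System32\cmd.exe /c dir C:\Users',
    r'C:\Temp\ransom.exe -dir C:\Shares\finance -sd',
    r'notepad.exe -file C:\notes.txt',
]


def parse_switches(command_line: str) -> list:
    """Return the Nevada switches present in a command line, lowercased, in order."""
    try:
        tokens = shlex.split(command_line, posix=False)  # keep Windows backslashes
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        tokens = command_line.split()
    return [t.lower() for t in tokens if t.lower() in NEVADA_SWITCHES]


def severity(switches) -> str:
    """Rate a hit: two family-specific switches together is a strong signal."""
    specific = FAMILY_SPECIFIC & set(switches)
    if len(specific) >= 2:
        return "high"
    return "medium" if specific else "low"


def scan_events(events) -> list:
    """Return (command_line, switches, severity) for every event with a hit."""
    hits = []
    for cmd in events:
        found = parse_switches(cmd)
        if found:
            hits.append((cmd, found, severity(found)))
    return hits
```

Feed it the command-line field of process-creation telemetry (e.g. Sysmon event ID 1) and review "high" and "medium" hits first.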
MITRE Techniques
- [T1486] Data Encrypted for Impact: Encrypts designated files and directories ("encrypting on designated directory. All subdirectories are also encrypted") and can target specific files via -file and directories via -dir.
- [T1059.003] Windows Command Shell: Uses command-line actions to control behavior, including self-deletion commands such as "cmd.exe /c …".
- [T1543.003] Create or Modify System Process: Registers the ransomware as a service to run in Safe Mode, enabling persistence across boots.
- [T1562.001] Impair Defenses: Removes WinDefender from the auto-run service list after reboot into Safe Mode.
- [T1490] Inhibit System Recovery: Uses DeviceIoControl to resize the volume shadow copy storage to a very small size, interfering with recovery.
- [T1112] Modify Registry: Registry changes to enable operation in Safe Mode (e.g., registration for automatic startup); example: "Service" registration and related registry changes.
Indicators of Compromise
- [File Hash] b673d92b77489d12779dc1fb5e8f6fdd: MD5 hash of the Nevada sample mentioned in the article.
- [File Name] README.txt: Ransom notes created in each directory after encryption.
- [File Extension] .NEVADA: Extension added to encrypted files.
- [URL] Tor browser link: Ransom payments requested via a Tor link in the ransom notes.
- [File Path] C:\path\to\malware\ransom.exe: Self-deletion command references this path.
Read more: https://asec.ahnlab.com/en/50063/