Resecurity | Nevada Ransomware – Waiting For The Next Dark Web Jackpot

Resecurity identifies Nevada Ransomware as a relatively new ransomware family with an active affiliate platform on the RAMP underground. It operates a Windows and Linux/ESXi locker, supports post-exploitation workflows, and uses a TOR-based affiliate portal to manage victims and pressure ransom payments. hashtags: #NevadaRansomware #RAMPUnderground #IABs

Keypoints

  • Nevada Ransomware is a Rust-based locker with an affiliate model introduced via the RAMP underground community, appealing to initial access brokers and other actors.
  • Updates in January–February 2023 show active development and improved functionality for Windows and Linux/ESXi versions, including an affiliate portal.
  • The operators reportedly run a post-exploitation team to turn initial access into broader network intrusions and damage.
  • Affiliates access a TOR-hosted panel to manage victims, track ransom status, and pressure payments via live chats similar to other major ransomware projects.
  • Nevada encrypts files in stripes using Salsa20 (only parts of each file are encrypted, which speeds up the run and leaves less of an entropy change for file-based detection), ships Windows and Linux variants, and exposes many command-line flags to control what is encrypted and how.
  • The malware can install itself as a Windows service and set the host to boot into Safe Mode with networking, a state in which most endpoint security products do not start but network shares remain reachable, giving it persistence and reach in locked-down environments.
  • The campaign excludes certain locales and system folders/extensions, uses a .NEVADA extension, and drops a readme.txt in encrypted folders.

MITRE Techniques

  • [T1133] External Remote Services – The affiliates Nevada recruits, including initial access brokers, have previously supplied hacked RDP and VPN access to other ransomware networks. ‘…hacked RDP and VPN suppliers for other ransomware networks…’
  • [T1059.003] Windows Command Shell – The locker can be executed via a console with pre-defined flags (e.g., -file, -dir) to control actions. ‘The encryptor can be executed via a console with pre-defined flags.’
  • [T1543.003] Windows Service – The encryptor can be installed as a service and then run, enabling persistence. ‘The encryptor can be installed as a service (see Figure 8) when run with the argument “-sm”’
  • [T1562.009] Impair Defenses: Safe Mode Boot – The malware can configure the host to boot into Safe Mode with networking by default, where most security tooling is not loaded, so that encryption runs unhindered. ‘Set safe mode with networking by default.’
  • [T1070.004] File Deletion – It may delete artifacts as part of cleanup, e.g., self-delete after encryption. ‘self delete after everything done’
  • [T1135] Network Share Discovery – It finds and encrypts network shares to maximize impact. ‘find and encrypt network shares’
  • [T1486] Data Encrypted for Impact – It encrypts files (by stripes) using Salsa20, and changes extensions (e.g., .NEVADA) after encryption. ‘encrypt selected file’ and ‘The files… have the extension “.NEVADA”’
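The service-plus-Safe-Mode chain above (T1543.003 followed by T1562.009) is more useful to hunt as a correlated sequence than as isolated events, because `sc create` on its own is routine admin activity. The following detector is an added example and is not Resecurity's code or anything taken from the locker. The report only states that the locker installs as a service with `-sm` and can set Safe Mode with networking by default; it does not say how. The concrete artefacts the rules look for (`bcdedit ... safeboot network`, a service entry under `SafeBoot\Network`, a reboot) are the standard Windows mechanisms for that behaviour and are an assumption about the implementation. The event records are constructed in a Sysmon-like shape (event 1 = process create, event 13 = registry value set) and are not real telemetry.

```python
"""Correlate service creation with Safe Mode Boot configuration on a host.
Added example, not Resecurity's or the locker's code. The command lines and
registry paths below are the usual Windows mechanisms for the behaviour the
report describes; the report itself does not show them (assumption)."""
import re
from collections import defaultdict

# Constructed sample events in a Sysmon-like shape. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\sc.exe",
     "command_line": 'sc create "Nevada" binPath= "C:\\Users\\Public\\locker.exe -sm" start= auto'},
    {"host": "ws01", "event_id": 13, "image": r"C:\Users\Public\locker.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Nevada\(Default)"},
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": "bcdedit /set {default} safeboot network"},
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\shutdown.exe",
     "command_line": "shutdown /r /t 0"},
    # Benign admin activity on another host: one indicator, no chain.
    {"host": "srv02", "event_id": 1, "image": r"C:\Windows\System32\sc.exe",
     "command_line": 'sc create "Backup Agent" binPath= "C:\\Program Files\\Backup\\agent.exe" start= auto'},
]

# (technique, rule name, event id the rule applies to, pattern, field to match)
RULES = [
    ("T1543.003", "service_create", 1,
     re.compile(r"\bsc(\.exe)?\s+create\b", re.I), "command_line"),
    ("T1562.009", "safeboot_bcdedit", 1,
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I), "command_line"),
    ("T1562.009", "safeboot_service_key", 13,
     re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.I), "target"),
    ("T1562.009", "reboot", 1,
     re.compile(r"\bshutdown(\.exe)?\s+.*/r\b", re.I), "command_line"),
]

def match_event(event):
    """Return the (technique, rule_name) pairs an event triggers."""
    hits = []
    for technique, name, event_id, pattern, field in RULES:
        if event.get("event_id") == event_id and pattern.search(event.get(field, "")):
            hits.append((technique, name))
    return hits

def correlate(events):
    """Group rule hits per host and flag only the full persistence chain:
    a service was created AND registered to run in Safe Mode AND the boot
    configuration was switched to safeboot. Single hits (a legitimate
    `sc create`, an ordinary reboot) are reported but not flagged."""
    per_host = defaultdict(set)
    for ev in events:
        for _, name in match_event(ev):
            per_host[ev["host"]].add(name)
    chain = {"service_create", "safeboot_service_key", "safeboot_bcdedit"}
    return {host: {"hits": sorted(names), "flagged": chain <= names}
            for host, names in per_host.items()}

if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, "FLAGGED" if result["flagged"] else "ok", result["hits"])
```

Requiring all three links of the chain is what keeps the false-positive rate usable; a looser version that alerts on any `SafeBoot\Network` write alone is worth a lower-severity rule, since legitimate software rarely registers itself to run in Safe Mode.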

Indicators of Compromise

  • [URL] TOR-based affiliate portal – URL (TOR): nevcorps5cvivjf6i2gm4uia7cxng5ploqny2rgrinctazjlnqr2yiyd[.]onion/{victim ID}
  • [MD5] Windows – 99549bcea63af5f81b01decf427519af, fb5dcf0b880b57b10a2093f164f2ed27, and 1 more hash
  • [MD5] Linux – f1f569c6e4f961007f7411fca131bbe0, 1396ab93e9104faaf138ac64211471ba
  • [Filename] Readme and extensions – readme.txt in each folder, and files with the .NEVADA extension
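The file-level indicators above (the .NEVADA extension, a readme.txt in every encrypted folder, and the locker MD5s) can be turned into a quick host triage. The script below is an added example, not Resecurity's tooling. The MD5 values are copied from the IoC list (the unnamed "1 more" Windows hash is not guessed); the directory tree it walks is constructed in a temp directory for demonstration and is not real victim data. readme.txt is only counted as a ransom note when it sits beside .NEVADA files, which keeps ordinary project READMEs out of the result.

```python
"""Triage a filesystem for Nevada file-level indicators. Added example, not
Resecurity's code. Hashes come from the IoC list; the sample tree is
constructed here."""
import hashlib
import os
import tempfile
from collections import Counter

# MD5 -> platform, from the IoC list above. The "1 more" Windows hash is not
# given on the page and is not guessed here.
LOCKER_MD5 = {
    "99549bcea63af5f81b01decf427519af": "windows",
    "fb5dcf0b880b57b10a2093f164f2ed27": "windows",
    "f1f569c6e4f961007f7411fca131bbe0": "linux",
    "1396ab93e9104faaf138ac64211471ba": "linux",
}
ENCRYPTED_EXT = ".nevada"   # compared case-insensitively
NOTE_NAME = "readme.txt"

def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(root):
    """Walk `root` and summarise the indicators found."""
    encrypted = Counter()   # directory -> number of .NEVADA files
    notes = []              # readme.txt files co-located with encrypted files
    locker_hits = []        # (path, md5, platform) for known locker binaries
    earliest = None         # mtime of the oldest encrypted file (timeline anchor)
    for dirpath, _, files in os.walk(root):
        lower_names = {f.lower() for f in files}
        enc_here = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        if enc_here:
            encrypted[dirpath] = len(enc_here)
            for f in enc_here:
                mtime = os.path.getmtime(os.path.join(dirpath, f))
                earliest = mtime if earliest is None else min(earliest, mtime)
            if NOTE_NAME in lower_names:
                notes.append(os.path.join(dirpath, NOTE_NAME))
        for f in files:
            if f.lower().endswith(ENCRYPTED_EXT) or f.lower() == NOTE_NAME:
                continue
            digest = md5_of(os.path.join(dirpath, f))
            if digest in LOCKER_MD5:
                locker_hits.append((os.path.join(dirpath, f), digest, LOCKER_MD5[digest]))
    return {
        "encrypted_files": sum(encrypted.values()),
        "encrypted_dirs": len(encrypted),
        "ransom_notes": notes,
        "locker_hits": locker_hits,
        "earliest_encryption": earliest,
        "compromised": bool(encrypted or locker_hits),
    }

def build_sample_tree(infected=True):
    """Create a constructed tree in a temp dir and return its path.
    With infected=True one folder holds two .NEVADA files plus a note; a
    second folder holds a normal project README that must not be flagged."""
    root = tempfile.mkdtemp(prefix="nevada-triage-")
    clean = os.path.join(root, "src")
    os.makedirs(clean)
    with open(os.path.join(clean, "readme.txt"), "w") as f:
        f.write("project readme, not a ransom note\n")
    with open(os.path.join(clean, "main.rs"), "w") as f:
        f.write("fn main() {}\n")
    if infected:
        hit = os.path.join(root, "finance")
        os.makedirs(hit)
        for name in ("q1.xlsx.NEVADA", "budget.docx.NEVADA"):
            with open(os.path.join(hit, name), "wb") as f:
                f.write(os.urandom(64))  # placeholder ciphertext, constructed
        with open(os.path.join(hit, "readme.txt"), "w") as f:
            f.write("constructed placeholder note\n")
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

On a real host, point `triage()` at mounted volumes rather than the temp tree, and treat `earliest_encryption` as the starting point for the timeline of the process-creation and service events rather than as the intrusion date: the affiliate's post-exploitation phase precedes it.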

Read more: https://resecurity.com/blog/article/nevada-ransomware-waiting-for-the-next-dark-web-jackpot