Resecurity discovered a relatively recent ransomware family called Nevada Ransomware. Its creators run an affiliate program that was initially launched on the RAMP underground community, a forum known for hosting initial access brokers (IABs) and other cybercriminal groups.

Diving into details 

The Nevada Ransomware has appealing partner conditions with an initial commission rate of 85% that could rise to 90% with further success.
  • The actors behind the ransomware have the ability to escalate their attack beyond the initial point of compromise by performing post-exploitation activities for maximum damage.
  • The researchers found both Windows and Linux/ESXi versions of the Nevada Ransomware that were constantly updated. 
  • On February 1, the developers behind the project improved the functionality of the ransomware and distributed new versions for their affiliates supporting Windows and Linux/ESXi.

Why this matters

Nevada Ransomware operators not only develop the ransomware but also obtain unauthorized access for additional exploitation.
  • They are probably a team that specializes in post-exploitation, working to escalate the initial point of compromise into a full network intrusion.
  • In the Windows version, files are encrypted "by stripes," which the operators behind the project tout as a significant advantage that combines speed with Salsa20 encryption.
  • Written in Rust, the locker can be executed through a console with pre-defined flags, including encrypting selected files and directories, self-deleting, deleting shadow copies, loading hidden drives, self-mode encryption, and finding and encrypting network shares. 
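Striped (intermittent) encryption leaves a file that is neither fully high-entropy nor fully plaintext, which defeats a naive "whole-file entropy" check. The following is an added example, not code from the Cyware summary or the Resecurity report, of a per-chunk entropy scan that separates plain, fully encrypted and stripe-encrypted files. The chunk size, entropy threshold and sample files are assumptions constructed for the demonstration; real stripe widths vary by family and build.

```python
"""Added example (not from the Cyware/Resecurity write-up): per-chunk Shannon
entropy scan to spot files encrypted "by stripes". CHUNK, HIGH_ENTROPY and the
sample buffers below are assumptions constructed for this demonstration."""
import math
import random
from collections import Counter

CHUNK = 4096          # assumed scan granularity; real stripe sizes vary
MIN_CHUNK = 1024      # shorter trailing chunks cannot reach a high entropy and are skipped
HIGH_ENTROPY = 7.5    # bits/byte; stream-cipher output (e.g. Salsa20) sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 is the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Entropy of each fixed-size chunk, ignoring a short trailing remainder."""
    return [
        shannon_entropy(data[i:i + chunk])
        for i in range(0, len(data), chunk)
        if len(data[i:i + chunk]) >= MIN_CHUNK
    ]


def classify(data: bytes, chunk: int = CHUNK) -> str:
    """Classify a buffer as 'plain', 'encrypted', 'striped' or 'partial'.

    'striped'  : high- and low-entropy chunks alternate (at least two transitions),
                 the pattern intermittent encryption leaves behind.
    'partial'  : some high-entropy region exists but without alternation
                 (e.g. only a header or one contiguous block was encrypted).
    """
    ents = chunk_entropies(data, chunk)
    if not ents:
        return "plain"
    high = [e >= HIGH_ENTROPY for e in ents]
    ratio = sum(high) / len(high)
    if ratio == 0:
        return "plain"
    if ratio == 1:
        return "encrypted"
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    return "striped" if transitions >= 2 else "partial"


def scan_file(path: str) -> str:
    """Classify a file on disk with the same logic."""
    with open(path, "rb") as fh:
        return classify(fh.read())


# --- constructed samples (deterministic PRNG stands in for ciphertext) ---
_rng = random.Random(1234)
_TEXT = (b"2024-01-01 server log line, nothing unusual here\n" * 200)[:CHUNK]

PLAIN_SAMPLE = _TEXT * 8                                   # eight low-entropy chunks
ENCRYPTED_SAMPLE = _rng.randbytes(8 * CHUNK)               # eight high-entropy chunks
STRIPED_SAMPLE = b"".join(                                 # encrypted/plain alternating
    _rng.randbytes(CHUNK) if i % 2 == 0 else _TEXT for i in range(8)
)
PARTIAL_SAMPLE = _rng.randbytes(CHUNK) + _TEXT * 7         # only the first chunk encrypted


if __name__ == "__main__":
    for name, buf in [("plain", PLAIN_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE),
                      ("striped", STRIPED_SAMPLE), ("partial", PARTIAL_SAMPLE)]:
        print(f"{name:>10}: {classify(buf)}  chunk entropies="
              f"{[round(e, 2) for e in chunk_entropies(buf)]}")
```

The transition count is what makes this useful against striped encryption: a file with a single encrypted header scores as "partial", while alternating stripes produce many high/low switches. Thresholds should be tuned against known-good samples, since compressed or already-encrypted formats (archives, media, PDFs with compressed streams) legitimately score near 8 bits per byte throughout.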

A silver lining

Resecurity gained access to the Nevada Ransomware affiliate panel hosted on TOR. Furthermore, the researchers acquired both the Windows and Linux samples and discovered that a series of implementation flaws in them rendered the encryption decryptable.

The bottom line

In conclusion, Nevada Ransomware is a rapidly growing RaaS with a well-established affiliate network and is actively seeking new partners. The group is poised for growth this year, researchers surmise, due to its attractive partnership conditions and strong presence on the RAMP underground forum. Its activities, including buying compromised access and having a dedicated team for post-exploitation and network intrusions, have drawn the attention of established cybercriminals, making it a force to be reckoned with in the cyber landscape.
Cyware Publisher
