New Delhi, NFAPost: Windows and VMware ESXi systems are being targeted by the Nevada ransomware, which first emerged in December 2022 and has been recruiting Russian and Chinese cybercriminals as affiliates for an 85% cut of the paid ransoms.
Nevada ransomware also features a real-time negotiation panel and separate affiliate and victim Tor domains, with the Windows variant being executed through the console.
Nevada ransomware also uses MPR.dll to enumerate network resources and to add shared directories to its encryption queue. The malware performs intermittent encryption with the Salsa20 algorithm on files larger than 512KB; executables and SCR, URL, DLL, LNK and INI files are excluded.
Meanwhile, the VMware ESXi/Linux version of the strain uses the same encryption method, but skips all files between 512KB and 1.25MB.
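Intermittent ("striped") encryption of the kind described above leaves a recognisable signature: an affected file alternates between high-entropy encrypted stripes and untouched low-entropy plaintext. The following Python script is an added example written for this article, not code from the report or from the ransomware; it shows a per-chunk Shannon entropy heuristic that an incident responder could use to triage files on a suspect share. The 512KB size floor comes from the article; the chunk size, entropy thresholds and stripe width are assumptions, and the sample file is constructed in memory with `os.urandom` standing in for Salsa20 output (the standard library has no Salsa20 implementation).

```python
import math
import os
from collections import Counter

CHUNK = 4096            # assumption: analyse the file in 4KB windows
HIGH = 7.5              # assumption: >= 7.5 bits/byte looks like ciphertext or compressed data
LOW = 6.0               # assumption: <= 6.0 bits/byte looks like ordinary plaintext/structured data
MIN_SIZE = 512 * 1024   # from the article: files <= 512KB are not encrypted by the Windows variant


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive `chunk`-byte window of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def stripe_profile(data: bytes, chunk: int = CHUNK, high: float = HIGH, low: float = LOW) -> list:
    """Label each window H (high entropy), L (low entropy) or M (in between)."""
    return ["H" if e >= high else "L" if e <= low else "M" for e in chunk_entropies(data, chunk)]


def looks_intermittently_encrypted(data: bytes, chunk: int = CHUNK, high: float = HIGH,
                                   low: float = LOW, min_size: int = MIN_SIZE,
                                   min_transitions: int = 2) -> bool:
    """Triage heuristic: a file above the size floor that contains both ciphertext-like and
    plaintext-like windows and switches between them at least `min_transitions` times.
    A fully encrypted file (all H) or an untouched file (all L) does not match."""
    if len(data) <= min_size:
        return False
    labels = [lab for lab in stripe_profile(data, chunk, high, low) if lab != "M"]
    if "H" not in labels or "L" not in labels:
        return False
    transitions = sum(1 for a, b in zip(labels, labels[1:]) if a != b)
    return transitions >= min_transitions


# ---- constructed sample data (not real victim files) ----
PLAIN_UNIT = b"The quick brown fox jumps over the lazy dog. "


def make_plaintext(size: int) -> bytes:
    """Constructed low-entropy filler resembling a text document."""
    return (PLAIN_UNIT * (size // len(PLAIN_UNIT) + 1))[:size]


def make_striped_sample(size: int = 1024 * 1024, stripe: int = 64 * 1024) -> bytes:
    """Constructed stand-in for an intermittently encrypted file: every other `stripe`-sized
    region is overwritten with os.urandom output (a stand-in for Salsa20 keystream output)."""
    data = bytearray(make_plaintext(size))
    for start in range(0, size, 2 * stripe):
        end = min(start + stripe, size)
        data[start:end] = os.urandom(end - start)
    return bytes(data)


if __name__ == "__main__":
    samples = {
        "striped_1MB": make_striped_sample(),
        "plain_1MB": make_plaintext(1024 * 1024),
        "striped_256KB_below_floor": make_striped_sample(size=256 * 1024),
        "fully_random_1MB": os.urandom(1024 * 1024),
    }
    for name, blob in samples.items():
        prof = stripe_profile(blob)
        print(f"{name:28s} H={prof.count('H'):4d} L={prof.count('L'):4d} "
              f"flagged={looks_intermittently_encrypted(blob)}")
```

Treat a hit as a triage signal rather than proof: documents with embedded compressed images or archives also mix high- and low-entropy regions, so the flagged files should be checked for the appended key material the report describes and for changed extensions or ransom notes before being counted as encrypted.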
According to a Resecurity report, “In order to recover the data encrypted by Nevada Ransomware, we need to know the private key “B” and public key “A,” which are added to the end of the file, nonce for Salsa20 and the size of the file and algorithm used for selecting ‘stripes’ to encrypt (which may potentially be measured or guessed).”