Windows, VMware ESXi systems targeted by Nevada ransomware

BleepingComputer reports that Windows and VMware ESXi systems are being targeted by the new Nevada ransomware operation, which first emerged in December and has been recruiting Russian and Chinese cybercriminals as affiliates in return for an 85% cut of paid ransoms. Beyond its Rust-based locker, Nevada offers affiliates a real-time negotiation panel and separate affiliate and victim Tor domains, and its Windows variant is launched from the console, according to a Resecurity report. The Windows locker also loads MPR.dll to enumerate network resources, so that reachable shared directories are added to the encryption queue alongside local files.

The locker applies intermittent encryption with the Salsa20 algorithm to files larger than 512KB, while executables and SCR, URL, DLL, LNK and INI files are excluded. The VMware ESXi/Linux build uses the same encryption method, but skips all files between 512KB and 1.25MB. "In order to recover the data encrypted by Nevada Ransomware, we need to know the private key 'B' and public key 'A', which are added to the end of the file, nonce for Salsa20 and the size of the file and algorithm used for selecting 'stripes' to encrypt (which may potentially be measured or guessed)," said Resecurity.
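The following is an added illustration, not Nevada's code or anything from the Resecurity report, of why recovery needs exactly the items Resecurity lists: the Salsa20 key, the nonce, the original file size and the stripe-selection rule. The Salsa20/20 core follows the public specification; everything else is assumed for illustration and is not stated on the page: the stripe rule (first 64 KiB of every 256 KiB), whole-file encryption for files at or below 512KB, the footer layout (here just nonce and size, standing in for the appended key material), and the helper names. The sample file is constructed, not victim data.

```python
"""Added example (not Nevada's code): intermittent Salsa20 encryption of one
file and the matching recovery step.  Salsa20/20 follows the public spec;
stripe rule, size handling below 512KB, footer layout and names are assumed."""
import os
import struct

MASK = 0xFFFFFFFF
THRESHOLD = 512 * 1024                        # intermittent mode only above this (from the page)
ESXI_SKIP = (512 * 1024, 1280 * 1024)         # ESXi/Linux build skips this size range (from the page)
EXCLUDED = {".exe", ".scr", ".url", ".dll", ".lnk", ".ini"}   # left untouched (from the page)
CHUNK, STRIPE = 256 * 1024, 64 * 1024         # ASSUMED stripe rule: first 64 KiB of every 256 KiB


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _quarter(x, a, b, c, d):
    x[b] ^= _rotl((x[a] + x[d]) & MASK, 7)
    x[c] ^= _rotl((x[b] + x[a]) & MASK, 9)
    x[d] ^= _rotl((x[c] + x[b]) & MASK, 13)
    x[a] ^= _rotl((x[d] + x[c]) & MASK, 18)


def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block: 32-byte key, 8-byte nonce, 64-bit block counter."""
    c = struct.unpack("<4I", b"expand 32-byte k")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    s = [c[0], k[0], k[1], k[2], k[3], c[1], n[0], n[1],
         counter & MASK, (counter >> 32) & MASK, c[2], k[4], k[5], k[6], k[7], c[3]]
    x = list(s)
    for _ in range(10):                          # 10 double rounds = 20 rounds
        _quarter(x, 0, 4, 8, 12); _quarter(x, 5, 9, 13, 1)       # column round
        _quarter(x, 10, 14, 2, 6); _quarter(x, 15, 3, 7, 11)
        _quarter(x, 0, 1, 2, 3); _quarter(x, 5, 6, 7, 4)         # row round
        _quarter(x, 10, 11, 8, 9); _quarter(x, 15, 12, 13, 14)
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, s)))


def salsa20_xor(key, nonce, offset, data):
    """XOR `data` with the keystream starting at stream byte position `offset`."""
    out, pos = bytearray(), offset
    while len(out) < len(data):
        block = salsa20_block(key, nonce, pos // 64)
        take = block[pos % 64: pos % 64 + len(data) - len(out)]
        out += take
        pos += len(take)
    return bytes(a ^ b for a, b in zip(data, out))


def stripes(size, esxi=False):
    """Byte ranges the locker encrypts.  ESXi/Linux: files in ESXI_SKIP are skipped entirely.
    Files at or below THRESHOLD are assumed to be encrypted whole; larger ones in stripes."""
    if esxi and ESXI_SKIP[0] <= size <= ESXI_SKIP[1]:
        return []
    if size <= THRESHOLD:
        return [(0, size)]
    return [(start, min(start + STRIPE, size)) for start in range(0, size, CHUNK)]


def encrypt(name, data, key, nonce, esxi=False):
    """Locker output for one file, or None when the file is left alone (extension or size rule)."""
    if os.path.splitext(name)[1].lower() in EXCLUDED:
        return None
    ranges = stripes(len(data), esxi)
    if not ranges:
        return None
    buf = bytearray(data)
    for start, end in ranges:
        buf[start:end] = salsa20_xor(key, nonce, start, buf[start:end])
    # Assumed footer: nonce + original size.  The real locker appends key material here.
    return bytes(buf) + nonce + struct.pack("<Q", len(data))


def recover(name, blob, key, esxi=False):
    """Undo encrypt(): needs the key, the nonce and size (from the footer) and the same
    stripe rule.  Salsa20 is a pure XOR keystream, so decryption is the same operation."""
    size = struct.unpack("<Q", blob[-8:])[0]
    nonce = blob[-16:-8]
    buf = bytearray(blob[:size])
    for start, end in stripes(size, esxi):
        buf[start:end] = salsa20_xor(key, nonce, start, buf[start:end])
    return bytes(buf)


if __name__ == "__main__":
    key, nonce = os.urandom(32), os.urandom(8)
    plain = bytes(range(256)) * (8 * 1024)           # constructed 2 MiB sample file
    blob = encrypt("report.docx", plain, key, nonce)
    ok = recover("report.docx", blob, key) == plain
    print(len(stripes(len(plain))), "stripes encrypted;", "recovered" if ok else "FAILED")
```

Two practical consequences follow from the code. First, because only the stripes are touched, most of a large file survives in plaintext, which is what makes the stripe rule something that "may potentially be measured" from a sample: a per-block entropy scan of an encrypted file reveals the stripe boundaries directly. Second, without the Salsa20 key and nonce the striped regions are unrecoverable no matter how well the rule is known, so the real work in an incident is key recovery, not reverse engineering the stripe schedule.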
