While traces of this financially motivated ransomware date back to July 2023, security experts primarily track its organized campaigns from September 2024.
Nitrogen primarily targets organizations in construction, financial services, manufacturing, and technology sectors across the United States, Canada, and the United Kingdom.
One confirmed high-profile victim was SRP Federal Credit Union in South Carolina, which fell prey to the operation on December 5, 2024, affecting over 195,000 customers.
The attack vector typically involves malicious advertisements on search engines that redirect victims to fraudulent websites offering fake software downloads.
Once executed, the ransomware begins its encryption routine while employing sophisticated anti-analysis methods, including debugger detection, virtual machine detection, and code obfuscation techniques.
According to an ANY.RUN report, the ransomware creates a unique mutex named “nvxkjcv7yxctvgsdfjhv6esdvsx” to ensure only one instance runs at a time. After infection, Nitrogen encrypts files and appends the “.NBA” extension to them.
A ransom note named “readme.txt” is dropped on the desktop, demanding payment and threatening to publish stolen data unless victims contact the attackers through the qTox messaging service.
Security researchers identified a malicious executable with the SHA-256 hash “55f3725ebe01ea19ca14ab14d747a6975f9a6064ca71345219a14c47c18c88be” associated with this operation.
Nitrogen exploits the legitimate driver “truesight.sys” from RogueKiller AntiRootkit to terminate security processes and bypass endpoint detection and response (EDR) systems.
It abuses the truesight.sys vulnerability through what is known as a Bring Your Own Vulnerable Driver (BYOVD) attack: the attacker ships a legitimately signed but vulnerable driver and loads it to gain kernel-level control.
The driver is cataloged in the LOLDrivers (Living Off The Land Drivers) collection, which documents known vulnerable drivers that can be exploited. These drivers are particularly valuable to attackers because:
The ransomware also executes system manipulations using bcdedit.exe to disable Windows Safe Boot with commands like:
These commands prevent system recovery after infection.
Researchers have noted similarities between Nitrogen and another ransomware strain called LukaLocker based on TTPs, including identical file extensions (.NBA) for encrypted files and similar ransom note templates.
Both use advanced double extortion tactics, not only encrypting files but also exfiltrating sensitive data and threatening to publish it if ransom demands are not met.
The SonicWall Capture Labs threats research team confirmed that the “Volcano Demon” group distributes the LukaLocker variant and kills numerous processes before beginning encryption.
Security experts recommend that organizations implement comprehensive endpoint protection solutions, maintain offline backups, keep systems updated, deploy multi-factor authentication, and provide regular security awareness training to employees.
Organizations should also monitor for suspicious use of PowerShell, WMI, and attempts to exploit legitimate drivers.
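The following is an added detection example written for this article; it is not code from the article, ANY.RUN, or SonicWall. It scans Sysmon-style process-creation (Event ID 1) and driver-load (Event ID 6) events, serialized one JSON object per line, for the three behaviours described above: bcdedit.exe tampering with Safe Boot or recovery settings, a load of the truesight.sys driver from any path, and the SHA-256 hash quoted in the article. The exact bcdedit commands are not reproduced in the article, so the bcdedit argument patterns are an assumption based on the documented bcdedit switches, and the sample events are constructed, not real telemetry.

```python
import json
import re

# Indicator taken from the article: SHA-256 of the Nitrogen executable.
NITROGEN_SHA256 = "55f3725ebe01ea19ca14ab14d747a6975f9a6064ca71345219a14c47c18c88be"

# bcdedit arguments that disable Safe Boot or automatic recovery. The article
# does not reproduce the exact commands; these patterns are an assumption
# based on the documented bcdedit switches.
BCDEDIT_TAMPER = re.compile(
    r"safeboot|recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures",
    re.IGNORECASE,
)

# Driver named in the article (RogueKiller AntiRootkit) abused for BYOVD.
# A BYOVD payload drops the driver wherever it likes, so match on the file
# name rather than on an install path.
VULNERABLE_DRIVERS = {"truesight.sys"}


def analyze_event(event: dict) -> list:
    """Return (rule_name, evidence) tuples for one Sysmon-style event dict."""
    findings = []
    event_id = event.get("EventID")

    if event_id == 1:  # process creation
        image = event.get("Image", "")
        cmdline = event.get("CommandLine", "")
        hashes = event.get("Hashes", "")
        if image.lower().endswith("bcdedit.exe") and BCDEDIT_TAMPER.search(cmdline):
            findings.append(("bcdedit_recovery_tamper", cmdline))
        if NITROGEN_SHA256 in hashes.lower():
            findings.append(("known_nitrogen_hash", image))

    elif event_id == 6:  # driver loaded
        loaded = event.get("ImageLoaded", "")
        basename = loaded.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in VULNERABLE_DRIVERS:
            findings.append(("vulnerable_driver_load", loaded))

    return findings


def scan_log(lines) -> list:
    """Scan an iterable of JSON lines and collect findings from every event."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        findings.extend(analyze_event(event))
    return findings


# Constructed sample events (not real telemetry). The fourth event carries the
# article's hash in upper case to show that matching is case-insensitive.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no",
     "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /enum",
     "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\truesight.sys",
     "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Users\Public\Downloads\setup.exe",
     "CommandLine": "setup.exe",
     "Hashes": "SHA256=" + NITROGEN_SHA256.upper()},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for rule, evidence in scan_log(SAMPLE_LOG):
        print(f"[{rule}] {evidence}")
```

Running the script prints one line per finding: the recovery-tampering bcdedit call, the driver load from C:\Users\Public, and the known-hash process, while the benign `bcdedit /enum` event produces nothing. A signed driver will pass Sysmon's signature check, which is why the rule keys on the driver's file name rather than on `Signed`.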
As financial sector cyberattacks continue to evolve with greater sophistication, proactive threat intelligence and robust security measures remain critical to protecting sensitive financial data and operations from emerging threats like Nitrogen ransomware.
The post Nitrogen Ransomware Exploits Antirootkit Driver File to Disable AV & EDR Tools appeared first on Cyber Security News.