A relatively new ransomware operation known as Nevada seems to be growing its capabilities quickly; security researchers have reported improved functionality for the locker targeting Windows and VMware ESXi systems.
Nevada ransomware started to be promoted on the RAMP darknet forums on December 10, 2022, inviting Russian- and Chinese-speaking cybercriminals to join it for an 85% cut of paid ransoms. For affiliates who bring in a large number of victims, Nevada says it will increase their revenue share to 90%. RAMP has previously been reported as a space where Russian and Chinese hackers promote their cybercrime operations or communicate with peers. Nevada ransomware features a Rust-based locker, a real-time negotiation chat portal, and separate domains on the Tor network for affiliates and victims.
Security researchers at Resecurity analyzed the new malware and published a report on their findings. They note that while Nevada ransomware explicitly excludes English-speaking affiliates, the operators are open to doing business with vetted access brokers from anywhere. Nevada ransomware is still building its network of affiliates and initial access brokers and is looking for skilled hackers. Resecurity observed Nevada ransomware operators buying access to compromised endpoints and engaging a dedicated post-exploitation team to carry out the intrusion. The researchers note that this threat appears to be growing and should be closely monitored.
To protect against ransomware attacks, organizations should:
• Regularly back up data, and keep backup copies offline, air-gapped, and password-protected.
• Ensure copies of critical data cannot be modified or deleted.
• Implement network segmentation.
• Implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location.
• Install updates and patches for operating systems, software, and firmware as soon as possible.
• Monitor security events on employee workstations and servers, with a 24/7 Security Operations Center to detect and respond to threats.
• Use multifactor authentication wherever possible.
• Use strong passwords and regularly change passwords for network systems.
• Avoid reusing passwords across multiple accounts.
• Focus on cyber security awareness and training.
• Regularly provide users with training on information security.