A relatively new ransomware operation known as Nevada seems to be growing its capabilities quickly; security researchers have reported improved functionality for the locker targeting Windows and VMware ESXi systems.
Nevada ransomware started to be promoted on the RAMP darknet forums on December 10, 2022, inviting Russian- and Chinese-speaking cybercriminals to join for an 85% cut of paid ransoms. For affiliates who bring in a large number of victims, Nevada says it will raise their revenue share to 90%. RAMP has previously been reported as a space where Russian and Chinese hackers promote their cybercrime operations and communicate with peers. Nevada ransomware features a Rust-based locker, a real-time negotiation chat portal, and separate domains in the Tor network for affiliates and victims.
Security researchers at Resecurity analyzed the new malware and published a report on their findings. They claim that while Nevada ransomware is explicit about excluding English-speaking affiliates, the operators are open to doing business with vetted access brokers from anywhere. Nevada ransomware is still building its network of affiliates and initial access brokers and is looking for skillful hackers. Resecurity observed Nevada ransomware operators buying access to compromised endpoints and engaging a dedicated post-exploitation team to carry out the intrusion. The researchers note that this threat appears to be continuing its growth and should be closely monitored.