惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Tenable Blog
MyScale Blog
MyScale Blog
罗磊的独立博客
Hugging Face - Blog
Hugging Face - Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
爱范儿
爱范儿
博客园 - 司徒正美
D
Darknet – Hacking Tools, Hacker News & Cyber Security
量子位
N
News | PayPal Newsroom
S
Secure Thoughts
酷 壳 – CoolShell
酷 壳 – CoolShell
L
LINUX DO - 热门话题
有赞技术团队
有赞技术团队
V
Visual Studio Blog
T
Tailwind CSS Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Project Zero
Project Zero
B
Blog RSS Feed
J
Java Code Geeks
Google Online Security Blog
Google Online Security Blog
Last Week in AI
Last Week in AI
Cyberwarzone
Cyberwarzone
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
小众软件
小众软件
博客园 - 【当耐特】
Latest news
Latest news
T
Threat Research - Cisco Blogs
aimingoo的专栏
aimingoo的专栏
博客园_首页
博客园 - 三生石上(FineUI控件)
Engineering at Meta
Engineering at Meta
D
Docker
Forbes - Security
Forbes - Security
Help Net Security
Help Net Security
Apple Machine Learning Research
Apple Machine Learning Research
P
Proofpoint News Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Simon Willison's Weblog
Simon Willison's Weblog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
V2EX - 技术
V2EX - 技术
N
Netflix TechBlog - Medium
The Last Watchdog
The Last Watchdog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
T
Threatpost
Cloudbric
Cloudbric
T
The Exploit Database - CXSecurity.com
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 叶小钗
Webroot Blog
Webroot Blog

Blog | Latest Ransomware News and Trends | Coveware

Patch management goes from hard, to ludicrous in the agentic AI era Mass Data Exfiltration Campaigns Lose Their Edge in Q4 2025 Obscura Ransomware: Why Some Data Can’t Be Recovered Insider Threats Loom while Ransom Payment Rates Plummet Targeted social engineering is en vogue as ransom payment sizes increase The organizational structure of ransomware groups is evolving rapidly. Will Law Enforcement success against ransomware continue in 2025? Clarity on ransom payment statistics within Australia Law enforcement doxxing raises risk profile for threat actors Ransomware actors pivot away from major brands in Q2 2024 RaaS devs hurt their credibility by cheating affiliates in Q1 2024 New Ransomware Reporting Requirements Kick in as Victims Increasingly Avoid Paying Scattered Ransomware Attribution Blurs Focus on IR Fundamentals Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments Big Game Hunting is back despite decreasing Ransom Payment Amounts Improved Security and Backups Result in Record Low Number of Ransomware Payments Uber Verdict Raises New Risks for Ransom Payments Fewer Ransomware Victims Pay, as Median Ransom Falls in Q2 2022 Coveware's testimony to the HSGAC on Mandatory Reporting Laws Ransomware Threat Actors Pivot from Big Game to Big Shame Hunting
Nitrogen Ransomware: ESXi malware has a bug!
Bill Siegel · 2026-02-03 · via Blog | Latest Ransomware News and Trends | Coveware

Nitrogen ransomware was derived from the previously leaked Conti 2 builder code, and is similar to Nitrogen ransomware, but a coding mistake in the ESXi malware causes it to encrypt all the files with the wrong public key, irrevocably corrupting them. This means that even the threat actor is incapable of decrypting them, and that victims that are without viable backups have no ability to recover their ESXi encrypted servers. Paying a ransom will not assist these victims, as the decryption key/ tool will not work.

Proper public/private key encryption progresses via the following common operations:

  1. The malware is run on a server full of files.

  2. For each file, the malware randomly generates a private Curve25519 key and its corresponding public key.

  3. The malware exchanges the private key with its master public key, producing a shared secret.

  4. The shared secret is used as a ChaCha8 key to encrypt the file contents.

  5. The malware saves the file public key to the file footer.

Proper public/private decryption progresses via the following operations:

  1. A decryption executable is run on a previously encrypted server full of files.

  2. The decryption tool contains the master private Curve25519 key that goes with the master public key that was used for encryption.

  3. For each file, the decryption tool exchanges the master private key with the file public key that was saved to the footer, which produces the same shared secret that was used for encryption.

  4. The shared secret can then be used as a ChaCha8 key to decrypt the file contents.

  5. The file is decrypted.

The Nitrogen ESXi Bug

Within the Nitrogen ESXi malware, the public key is stored as a stack variable at offset rsp+0x20 (shown below)

However, after the public key is loaded, another variable is stored at rsp+0x1c. It's a QWORD, so it takes up the 8 bytes from rsp+0x1c to rsp+0x24. That means 4 bytes of the public key are overwritten!  This is a clear mistake by the malware developer. 

This is what the public key looks like in memory before the instruction at `0x401890` is executed:

And this is what it looks like after it's executed:

Note the 4 bytes that have been replaced with 0x00s.

Because of this bug, the corrupted public key is used in the key exchange to encrypt each file. Normally, when a public-private Curve25519 keypair is generated, the private key is generated, first and then the public key derived subsequently based on the private key. The resulting corrupted public key wasn't generated based on a private key, it was generated by mistakenly overwriting a few bytes of another public key. The final outcome is that no one actually knows the private key that goes with the corrupted public key. Files that were encrypted with the corrupted public key can not be decrypted by any means, including by paying a ransomware. The threat actor themselves will be unable to decrypt the files in a test. 

Organizations impacted by Nitrogent Ransomware encryption must be extremely careful when analyzing their recovery options. Any ESXi encrypted files that are without viable backups, must be analyzed in conjunction with the corresponding malware that encrypted them to ascertain their status.