Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
You are now subscribed
Your newsletter sign-up was successful
An account already exists for this email address, please log in.
Subscribe to our newsletter
Anyone who's been on the receiving side of a ransomware attack can tell you they didn't have a good day. But what if that day was terrible for not just the victim, but also the attacker? Thanks to a coding bug, that's precisely the case with a variant of ransomware from the Nitrogen group that encrypts target data and literally tosses away the key, rendering the data completely unrecoverable.
The exact ransomware in question is Nitrogen's VMware ESXi variant, which targets hypervisors (virtual machine host servers) and presumably encrypts the virtual machines residing therein. Hypervisor attacks aren't new, and existing analysis shows that while sysadmins are generally good at deploying endpoint protection on hosted operating systems, they sometimes have lax policies regarding hypervisors.
What this ultimately means for victims hit by this particular strain is that they need not pay the ransom the group demands, as no one will be able to decrypt the data. The only course of action available is to fetch the latest backups. Should those not exist, the only option left is probably grief counseling.
Article continues below
At a technical level, what happens is that at the start of the data encryption step, part of the encryption public key is overwritten with zeros (8 bytes, or 64 bits). Since public and private keys are always specific pairs, this means no one has any idea what private key would match the now-mangled public key, assuming one can even computationally exist. Veeam's technical deep dive on the issue gives the impression that the bug was a common off-by-one mistake.
Veeam's report doesn't mention victims hit by this ESXi-specific strain, but the Nitrogen campaign has been in business since 2023. It has targeted North American financial institutions, mechanical and industrial firms, and even the developer of the Outlast series, Red Barrel.
Going for a ransom isn't much good if you can't collect on it. Thanks to what was probably some fat-fingering on the part of a developer, the world got a clear illustration of unintentional mutually assured destruction.
Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.
