Nitrogen Ransomware

Nitrogen, a financially motivated ransomware operation, has rapidly emerged as a threat to the financial sector and beyond.

While traces of the ransomware date back to July 2023, security researchers have primarily tracked its organized campaigns since September 2024.

Nitrogen primarily targets organizations in construction, financial services, manufacturing, and technology sectors across the United States, Canada, and the United Kingdom. 


One confirmed high-profile victim was SRP Federal Credit Union in South Carolina, which fell prey to the operation on December 5, 2024, affecting over 195,000 customers.

The initial access vector is typically malvertising: malicious advertisements on search engines redirect victims to fraudulent websites offering fake software downloads.

Once executed, the ransomware begins its encryption routine while employing anti-analysis techniques, including debugger detection, virtual machine detection, and code obfuscation.

Nitrogen Ransomware: File Encryption & Data Leak

According to an ANY.RUN report, the ransomware creates a mutex named “nvxkjcv7yxctvgsdfjhv6esdvsx” to ensure only one instance runs at a time. After infection, Nitrogen encrypts files and appends the “.NBA” extension to them.

A ransom note named “readme.txt” is dropped on the desktop, demanding payment and threatening to publish stolen data unless victims contact the attackers through the qTox messaging service.


Security researchers identified a malicious executable with the SHA-256 hash “55f3725ebe01ea19ca14ab14d747a6975f9a6064ca71345219a14c47c18c88be” associated with this operation. 

Nitrogen abuses the legitimately signed driver “truesight.sys” from RogueKiller AntiRootkit in a Bring Your Own Vulnerable Driver (BYOVD) attack: the driver is dropped and loaded by the malware, and its vulnerable functionality is then used to terminate security processes and bypass endpoint detection and response (EDR) systems.

The driver is cataloged in the LOLDrivers (Living Off The Land Drivers) collection, which documents known vulnerable drivers that can be abused. These drivers are particularly valuable to attackers because:

  1. They carry a valid code signature and are therefore accepted by the operating system’s driver signature enforcement
  2. They do not trigger standard security defenses, as the driver binary itself is not malicious
  3. They run in the kernel, so a flaw in them lets an attacker act with kernel privileges and defeat user-mode security controls

The caveat for defenders is that “signed” does not mean “allowed”: Microsoft’s vulnerable driver blocklist (enforced through HVCI or application control policies) and loading rules that deny known LOLDrivers hashes will block this driver regardless of its signature, so the attack only works on hosts where those controls are not enabled.

The ransomware also executes system manipulations using bcdedit.exe to disable Windows Safe Boot with commands like:

These changes hinder recovery of the system after infection.

Researchers have noted similarities between Nitrogen and another ransomware strain called LukaLocker based on TTPs, including identical file extensions (.NBA) for encrypted files and similar ransom note templates. 

Both use double extortion tactics, not only encrypting files but also exfiltrating sensitive data and threatening to publish it if ransom demands are not met.

The SonicWall Capture Labs threats research team confirmed that the “Volcano Demon” group distributes the LukaLocker variant and kills numerous processes before beginning encryption.

Security experts recommend that organizations implement comprehensive endpoint protection solutions, maintain offline backups, keep systems updated, deploy multi-factor authentication, and provide regular security awareness training to employees. 

Organizations should also monitor for suspicious use of PowerShell and WMI, for bcdedit.exe changes to boot and recovery settings, and for loads of known-vulnerable signed drivers such as truesight.sys.
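The indicators above (the mutex, the .NBA extension, the readme.txt note, the SHA-256 hash, the truesight.sys driver load and the bcdedit tampering) can be turned into a small hunt over Sysmon-style telemetry. The following script is an added illustration, not code from the article, ANY.RUN or SonicWall: the event lines are constructed, and the bcdedit patterns it matches are assumed generic ransomware recovery-tampering command lines, because the page does not reproduce Nitrogen’s exact commands.

```python
"""Hunt Sysmon-style JSON events for Nitrogen ransomware indicators.

Added illustration, not code from the article. Sample events are constructed;
the bcdedit patterns are an assumption (generic recovery tampering), since the
page does not print the exact command lines Nitrogen runs.
"""
import ctypes
import json
import re
import sys

# Indicators as reported in the article.
NITROGEN_MUTEX = "nvxkjcv7yxctvgsdfjhv6esdvsx"
NITROGEN_SHA256 = "55f3725ebe01ea19ca14ab14d747a6975f9a6064ca71345219a14c47c18c88be"
ENCRYPTED_EXT = ".nba"
RANSOM_NOTE = "readme.txt"
VULNERABLE_DRIVERS = {"truesight.sys"}  # BYOVD driver named in the article

# Assumption: generic bcdedit recovery / safe-boot tampering seen in ransomware.
BCDEDIT_TAMPER = re.compile(
    r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures|safeboot",
    re.IGNORECASE,
)


def mutex_exists(name: str):
    """Live-host check for the run-once mutex (Sysmon does not log mutexes).

    Returns True/False on Windows and None on other platforms. Assumes the
    mutex lives in the caller's session namespace, not the Global\\ one.
    """
    if sys.platform != "win32":
        return None
    synchronize = 0x00100000  # SYNCHRONIZE access right
    kernel32 = ctypes.windll.kernel32
    handle = kernel32.OpenMutexW(synchronize, False, name)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    return False


def check_event(evt: dict) -> list:
    """Return the indicator names triggered by one Sysmon-style event."""
    hits = []
    eid = evt.get("EventID")
    if eid == 1:  # process creation
        image = evt.get("Image", "").lower()
        cmd = evt.get("CommandLine", "")
        if NITROGEN_SHA256 in evt.get("Hashes", "").lower():
            hits.append("nitrogen_sha256")
        if image.endswith("bcdedit.exe") and BCDEDIT_TAMPER.search(cmd):
            hits.append("bcdedit_recovery_tamper")
    elif eid == 6:  # driver loaded
        driver = evt.get("ImageLoaded", "").lower().rsplit("\\", 1)[-1]
        if driver in VULNERABLE_DRIVERS:
            hits.append("vulnerable_driver_load")
    elif eid == 11:  # file created
        path = evt.get("TargetFilename", "").lower()
        if path.endswith(ENCRYPTED_EXT):
            hits.append("nba_extension")
        if path.endswith("\\desktop\\" + RANSOM_NOTE):
            hits.append("ransom_note")
    return hits


def hunt(lines) -> list:
    """Parse JSON-lines events and return (EventID, indicator) pairs in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        evt = json.loads(line)
        for hit in check_event(evt):
            findings.append((evt["EventID"], hit))
    return findings


# Constructed sample telemetry (not real events); the bcdedit /enum line is benign.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\alice\\Downloads\\setup.exe", "CommandLine": "setup.exe", "Hashes": "SHA256=55F3725EBE01EA19CA14AB14D747A6975F9A6064CA71345219A14C47C18C88BE"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\truesight.sys"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /enum"}
{"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Documents\\q4-ledger.xlsx.NBA"}
{"EventID": 11, "TargetFilename": "C:\\Users\\alice\\Desktop\\readme.txt"}
""".splitlines()

if __name__ == "__main__":
    for eid, hit in hunt(SAMPLE_EVENTS):
        print(f"EventID {eid}: {hit}")
    print("mutex present:", mutex_exists(NITROGEN_MUTEX))
```

Run against the constructed events it reports five findings (the hash match, the driver load, the bcdedit tampering, one .NBA file and the desktop ransom note) and ignores the benign bcdedit /enum; in practice the .NBA rule should be rate-limited to bursts of renames so that a single stray file does not page anyone, and the driver rule should be fed the full LOLDrivers hash list rather than one filename.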

As financial sector cyberattacks continue to evolve with greater sophistication, proactive threat intelligence and robust security measures remain critical to protecting sensitive financial data and operations from emerging threats like Nitrogen ransomware.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.