Nnice Ransomware Attacking Windows Systems With Advanced Encryption Techniques

Summary:
CYFIRMA’s Research and Advisory team uncovered a new ransomware strain while monitoring various underground forums. Dubbed “Nnice,” the strain is designed to target Windows systems and comes with advanced encryption techniques. According to researchers, Nnice employs a hybrid encryption approach, combining Salsa20 and RSA-2048 algorithms to ensure rapid and secure file encryption. This method takes advantage of Salsa20’s fast symmetric encryption for bulk data processing, while RSA-2048, an asymmetric encryption algorithm, is employed for secure key management. Notably, the strain uses a three-step encryption process:
  • It encrypts a randomly generated RSA key with a built-in RSA key.
  • It then encrypts a randomly generated RC4 key using the first RSA key.
  • Finally, it encrypts the victim's files with the RC4 key.

This multi-layered encryption makes decryption very difficult without the attacker's private key.

Nnice also uses different encryption modes: Full, Partial, and Smart. The Smart mode enhances the encryption speed by selectively encrypting portions of files or data, making the process faster while still rendering the files inaccessible.

Security Officer Comments:
The initial access vector employed by Nnice ransomware actors is currently unclear. However, this could be via phishing or through the exploitation of vulnerabilities that have been left unpatched.

Files encrypted by Nnice are typically appended with the .xdddd extension. This is followed by the deployment of a ransom note called “Readme.txt,” which includes instructions on how the victim can contact the actors and negotiate ransom payments to recover their data.

In addition to the employment of advanced encryption techniques, which allow Nnice to encrypt files in a matter of seconds while maintaining security, the strain is also capable of terminating services and processes such as antivirus solutions, which helps ease the encryption process and evade defenses. Nnice will also mimic legitimate system processes as a means to blend in with normal operations and go undetected for longer periods of time.
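An added example, not code from CYFIRMA or the cited articles, that triages a directory for the indicators described above: the .xdddd extension, the Readme.txt ransom note, and files whose leading bytes look like ciphertext (a supporting signal for the Partial and Smart modes, where only part of a file is encrypted). The sample tree, entropy threshold and note text are constructed assumptions for the demo.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".xdddd"        # extension appended by Nnice (from the advisory)
RANSOM_NOTE = "readme.txt"   # ransom note file name, matched case-insensitively
ENTROPY_THRESHOLD = 7.0      # bits/byte; assumed cut-off, ciphertext sits near 8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_directory(root: str, sample_bytes: int = 4096) -> dict:
    """Walk `root` and collect indicators. Renamed files plus a note present
    is the strong signal; high-entropy files without the extension are only
    a supporting hint (archives, images and encrypted containers also score high)."""
    hits = {"renamed": [], "notes": [], "high_entropy": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == RANSOM_EXT:
            hits["renamed"].append(str(path))
        elif path.name.lower() == RANSOM_NOTE:
            hits["notes"].append(str(path))
        else:
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                hits["high_entropy"].append(str(path))
    hits["suspected_nnice"] = bool(hits["renamed"]) and bool(hits["notes"])
    return hits

def build_sample_tree() -> str:
    """Constructed test data, not real samples: two 'encrypted' files, a note,
    one clean text file and one random blob with no ransomware extension."""
    root = tempfile.mkdtemp(prefix="nnice_demo_")
    docs = Path(root, "docs")
    docs.mkdir()
    (docs / "report.docx.xdddd").write_bytes(os.urandom(2048))
    (docs / "budget.xlsx.xdddd").write_bytes(os.urandom(2048))
    (docs / "Readme.txt").write_text("Your files are encrypted. Contact us.")  # constructed
    (docs / "notes.txt").write_text("quarterly planning\n" * 50)
    (docs / "cache.dat").write_bytes(os.urandom(1024))
    return root

if __name__ == "__main__":
    print(scan_directory(build_sample_tree()))
```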

Suggested Corrections:
IOCs:
https://www.cyfirma.com/research/nnice-ransomware/

Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because, if your network data is encrypted by ransomware, your organization can still restore systems from them.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://cybersecuritynews.com/nnice-ransomware-attacking-windows-systems/