New Nitrogen Ransomware Targets Financial Firms in the US, UK and Canada
Summary:
The Nitrogen ransomware strain has rapidly gained notoriety and is a prominent example of a rapidly evolving ransomware landscape. The ransomware has been targeting the financial sector since its emergence in September 2024. It employs a sophisticated attack chain that begins with malvertising campaigns on prominent search engines, which lure users into downloading trojanized installers disguised as legitimate software. Once inside, Nitrogen leverages tools such as Cobalt Strike and Meterpreter for persistence, lateral movement, and payload execution. Notably, it modifies registry keys and creates scheduled tasks for sustained activity, conducts thorough reconnaissance to identify high-value targets and maximize impact, and employs advanced evasion techniques, including abuse of the legitimate truesight.sys driver to disable EDR tools. Victimology spans the finance, construction, manufacturing, and technology sectors, primarily in the United States, Canada, and the United Kingdom, with notable incidents affecting SRP Federal Credit Union, Red Barrels, Control Panels USA, and Kilgore Industries. Not much is yet known about Nitrogen's modus operandi because public data is limited. The main publicly available source of information is the report by StreamScan, but its insights are light on details. ANY.RUN used dynamic analysis and threat intelligence enrichment to offer deeper insight into Nitrogen operations.
Security Officer Comments:
The Nitrogen ransomware presents a compelling case study in the increasing volume of new ransomware groups. The reliance on malvertising for initial access, coupled with the strategic use of dual-use tools like Cobalt Strike and the abuse of a signed, legitimate driver (truesight.sys) for defense evasion, highlights the attackers' focus on stealth and persistence. Not coincidentally, WithSecure recently released a report on a trojanized version of KeePass used to deploy Cobalt Strike beacons, which is being propagated through malvertising on Bing and DuckDuckGo, eerily similar to the trojanized installers used in this activity. Interestingly, while analyzing that intrusion, WithSecure uncovered much of the attacker's infrastructure, leading them to conclude that the trojanized KeePass incident is part of a broader operation run by a prolific ransomware affiliate turned initial access broker. Within the infrastructure related to the trojanized KeePass, there was another attack chain that delivers Nitrogen Loader through malvertising to eventually deploy a ransomware sample that could not be retrieved. Based on analysis of the TTPs and attacker infrastructure, these incidents are likely part of an interconnected campaign. The limited publicly available information necessitates greater reliance on dynamic analysis platforms like ANY.RUN to uncover critical indicators of compromise and understand the nuances of Nitrogen's behavior. The discovery of a unique mutex and the ability to leverage it for threat intelligence lookups, along with the identification of tactics such as disabling Safe Boot via bcdedit.exe and the development of YARA rules to detect that behavior, are crucial steps toward effective detection and mitigation. By integrating these IOCs into SIEM or EDR systems, organizations can detect and block attempts to modify Windows boot settings before encryption begins, stopping Nitrogen proactively.
Further research focusing on the evolution of Nitrogen's evasion techniques and its potential for data exfiltration is warranted to stay ahead of this emerging threat.
Suggested Corrections:
IOCs are available here.
To defend against threats like Nitrogen, Hackread recommends that security teams:
- Block known malicious infrastructure and domains.
- Monitor for unusual use of PowerShell, WMI, and DLL sideloading.
- Educate employees about phishing and social engineering tactics.
- Use threat intelligence services to proactively hunt for related IOCs and TTPs.
- Use DMARC, DKIM, and SPF to prevent email spoofing, a tactic often used to deliver Nitrogen’s malicious payloads.
- Regularly update software and apply patches to close vulnerabilities exploited by Nitrogen.
- Back up your data, system images, and configurations, test the backups regularly, and keep them offline: Ensure that backups are regularly tested and are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical because, if your network data is encrypted by ransomware, your organization can still restore its systems.
- Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.
- Test your incident response plan: Nothing reveals the gaps in a plan more than testing it. Run through some core questions and use the answers to build the plan: Can you sustain business operations without access to certain systems? For how long? Would you shut down manufacturing operations if business systems such as billing were offline?
- Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
- Segment your networks: There has been a recent shift in ransomware attacks, from stealing data to disrupting operations. It is critically important that corporate business functions and manufacturing/production operations are separated, that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls so that ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
- Train employees: Email remains the most exploited attack vector for organizations. Users should be trained on how to spot and avoid phishing emails.
- Implement multi-factor authentication (MFA): External-facing assets that rely on single-factor authentication (SFA) are highly susceptible to brute-force attacks, password spraying, and unauthorized remote access using valid (stolen) credentials. Implementing MFA adds an extra layer of protection.
Link(s):
https://hackread.com/nitrogen-ransomware-targets-financial-firms-us-uk-canada/
https://streamscan.ai/en/ressources/analyse-du-rancongiciel-nitrogen/