Anyone who's been on the receiving side of a ransomware attack can tell you they didn't have a good day. But what if that day was terrible for not just the victim, but also the attacker? Thanks to a coding bug, that's precisely the case with a variant of ransomware from the Nitrogen group that encrypts target data and literally tosses away the key, rendering the data completely unrecoverable.
The exact ransomware in question is Nitrogen's VMware ESXi variant, which targets hypervisors (virtual machine host servers) and presumably encrypts the virtual machines residing therein. Hypervisor attacks aren't new, and existing analysis shows that while sysadmins are generally good at deploying endpoint protection on hosted operating systems, they sometimes have lax policies regarding hypervisors.
What this ultimately means for victims hit by this particular strain is that they need not pay the ransom the group demands, as no one will be able to decrypt the data. The only course of action available is to fetch the latest backups. Should those not exist, the only option left is probably grief counseling.
At a technical level, what happens is that at the start of the data encryption step, 8 bytes (64 bits) of the public encryption key are overwritten with zeros. Because a public key and its private key form a specific pair, nobody knows what private key would correspond to the now-mangled public key, assuming such a key even exists. Veeam's technical deep dive on the issue gives the impression that the bug was a common off-by-one mistake.
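The following is an added illustration, not code from Nitrogen or from Veeam's analysis, of why mangling the public key before encryption makes the data unrecoverable even for whoever holds the matching private key. It uses a textbook hybrid scheme (ephemeral Diffie-Hellman against a static public key, a hash-derived symmetric key, and an HMAC tag) over the Mersenne prime 2^521 - 1, which is chosen only because it is a well-known prime that needs no generation step; it is a teaching group, not a secure one. The scheme, the generator, the position of the zeroed bytes (offset 0) and the sample plaintext are all assumptions of this example; the article only says that 8 bytes of the public key are zeroed. The `keys_match` helper is the check an incident responder would run to confirm whether a public key found in a sample actually pairs with a given private key.

```python
"""Added example: a public key with 8 bytes zeroed no longer pairs with
its private key, so ciphertext produced against it cannot be decrypted.
Toy group and toy cipher for demonstration only."""
import hashlib
import hmac
import secrets

P = (1 << 521) - 1                      # Mersenne prime M521 (demo group, not for real use)
G = 3                                   # assumed generator for the demo
KEY_BYTES = (P.bit_length() + 7) // 8   # 66 bytes per serialized public value
TAG_BYTES = 32


def keygen():
    """Static key pair: private exponent x, public value y = G^x mod P."""
    x = 2 + secrets.randbelow(P - 3)
    return x, pow(G, x, P)


def serialize(y):
    return y.to_bytes(KEY_BYTES, "big")


def deserialize(b):
    return int.from_bytes(b, "big")


def keys_match(priv, pub_bytes):
    """Responder check: does this private exponent reproduce this public value?"""
    return pow(G, priv, P) == deserialize(pub_bytes)


def corrupt_key(pub_bytes, offset=0, width=8):
    """Models the reported defect: `width` bytes of the serialized public key
    are overwritten with zeros. Offset 0 is an assumption of this example."""
    buf = bytearray(pub_bytes)
    buf[offset:offset + width] = bytes(width)
    return bytes(buf)


def _derive_key(shared_int):
    return hashlib.sha256(serialize(shared_int)).digest()


def _keystream_xor(key, data):
    """Toy stream cipher: SHA-256(key || block counter) XORed over the data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def encrypt(peer_pub_bytes, plaintext):
    """Hybrid encryption against the peer's public key as received (mangled or not)."""
    e_priv, e_pub = keygen()
    shared = pow(deserialize(peer_pub_bytes), e_priv, P)
    key = _derive_key(shared)
    ct = _keystream_xor(key, plaintext)
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return serialize(e_pub) + tag + ct


def decrypt(priv, blob):
    """Returns the plaintext, or None when the private key does not match the
    public key the sender actually used (the tag check fails)."""
    e_pub = deserialize(blob[:KEY_BYTES])
    tag = blob[KEY_BYTES:KEY_BYTES + TAG_BYTES]
    ct = blob[KEY_BYTES + TAG_BYTES:]
    key = _derive_key(pow(e_pub, priv, P))
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(key, ct)


def recoverable(corrupted):
    """Runs one encrypt/decrypt round; True only if the key holder can recover."""
    priv, pub = keygen()
    pub_bytes = serialize(pub)
    if corrupted:
        pub_bytes = corrupt_key(pub_bytes)
    msg = b"constructed sample: VM disk contents"   # constructed, not real data
    return decrypt(priv, encrypt(pub_bytes, msg)) == msg


if __name__ == "__main__":
    print("intact key recoverable:   ", recoverable(corrupted=False))   # True
    print("corrupted key recoverable:", recoverable(corrupted=True))    # False
```

With the intact key the HMAC verifies and the plaintext comes back; with the corrupted key the sender's shared secret was computed against a value the private key never generated, so the derived keys differ and the tag check fails. That failure is final, which is why a victim of this strain gains nothing from paying.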
Veeam's report doesn't mention victims hit by this ESXi-specific strain, but the Nitrogen campaign has been in business since 2023. It has targeted North American financial institutions, mechanical and industrial firms, and even the developer of the Outlast series, Red Barrel.
Going for a ransom isn't much good if you can't collect on it. Thanks to what was probably some fat-fingering on the part of a developer, the world got a clear illustration of unintentional mutually assured destruction.