Nitrogen can't unlock its own ransomware after coding error
Briefly

""Normally, when a public-private Curve25519 keypair is generated, the private key is generated first, and then the public key is derived subsequently based on the private key," Coveware said."
""The resulting corrupted public key wasn't generated based on a private key, it was generated by mistakenly overwriting a few bytes of another public key. The final outcome is that no one actually knows the private key that goes with the corrupted public key.""
""Because the malware loads the public key at offset rsp+0x20 and the 8-byte QWORD at rsp+0x1c, it overwrites the first four bytes of the public key, meaning that an attacker-supplied decryptor would fail.""
""According to Coveware, which peered under the hood of Nitrogen's ransomware program, a programming error prevents the gang's decryptor from recovering victims' files, so paying up is futile.""
A programming error in Nitrogen's VMware ESXi-targeting ransomware corrupts the public key used for encryption, making decryption impossible even if victims pay. The malware erroneously loads an 8-byte QWORD at rsp+0x1c while the public key is loaded at rsp+0x20, overwriting the first four bytes of the public key. The corrupted public key was not derived from a matching private key, so no private key exists to enable decryption. Nitrogen emerged in 2023 from Conti 2 code offshoots, evolved from access facilitation to direct extortion around September 2024, and remains a capable but not dominant ransomware group.
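To make the overlap concrete, here is an added example (not code from the article, Coveware, or the malware) that models the stack region in C: a 32-byte public key placed at rsp+0x20, then an 8-byte little-endian store at rsp+0x1c. Because 0x1c + 8 = 0x24 reaches past 0x20, the store clobbers exactly key bytes 0..3. The frame size, the store order and the sample key are assumptions; the point is that the surviving key corresponds to no known scalar, so no decryptor can exist.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define FRAME_SIZE 0x40   /* assumed frame size, large enough for the two slots */
#define KEY_OFF    0x20   /* public key slot: rsp+0x20 (from the article)       */
#define QWORD_OFF  0x1c   /* 8-byte QWORD slot: rsp+0x1c (from the article)     */
#define KEY_LEN    32     /* Curve25519 public key length                       */

/* Places pubkey at KEY_OFF, then stores qword at QWORD_OFF (assumed order).
   Copies the resulting key to out and returns how many key bytes changed. */
int simulate_overlap(const uint8_t *pubkey, uint64_t qword, uint8_t *out)
{
    uint8_t frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    memcpy(frame + KEY_OFF, pubkey, KEY_LEN);   /* key loaded at rsp+0x20 */
    for (int i = 0; i < 8; i++)                 /* little-endian QWORD at rsp+0x1c */
        frame[QWORD_OFF + i] = (uint8_t)(qword >> (8 * i));
    memcpy(out, frame + KEY_OFF, KEY_LEN);
    int changed = 0;
    for (int i = 0; i < KEY_LEN; i++)
        changed += (out[i] != pubkey[i]);
    return changed;
}

/* Runs the simulation on a constructed sample key (bytes 0x11..0x30, not a
   real key) with a recognisable QWORD. Returns the clobbered-byte count when
   idx < 0, otherwise byte idx of the corrupted key. */
int demo(int idx)
{
    uint8_t key[KEY_LEN], corrupted[KEY_LEN];
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(0x11 + i);
    int n = simulate_overlap(key, 0xAAAAAAAAAAAAAAAAULL, corrupted);
    return idx < 0 ? n : corrupted[idx];
}

int main(void)
{
    printf("%d key bytes clobbered; key now starts:", demo(-1));
    for (int i = 0; i < 6; i++)
        printf(" %02x", demo(i));
    printf("\n");   /* 4 key bytes clobbered; key now starts: aa aa aa aa 15 16 */
    return 0;
}
```

The high half of the QWORD lands on key bytes 0..3 while bytes 4..31 survive, which is the "few bytes" overwrite Coveware describes; a defender checking such a sample can confirm the slot overlap by comparing the two stack offsets rather than by trying to invert the key.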
Read at Theregister