We would like to thank our security research intern Leon for the malware reverse engineering and collaboration on this article.
Key Findings:
- The ransomware variants “Nitrogen” and “LukaLocker” were likely created and deployed by the same threat actor.
- Both implementations are largely based on the CONTI ransomware source code leaked in March 2022.
- The functionality of Nitrogen ransomware has barely evolved, suggesting a lack of expertise in ransomware implementation.
Introduction
This section explains some basic facts about the CONTI ransomware source code leak and the Nitrogen and LukaLocker ransomware variants.
Background: CONTI source code leak
On March 20, 2022, the source code for the CONTI ransomware variant was published via Twitter by a Ukrainian developer of the group after the operators of the CONTI Ransomware-as-a-Service (RaaS) announced via their leak blog that they were supporting the Russian invasion of Ukraine (see Figure 1).

Following the publication of this source code, several existing and new ransomware gangs adapted the CONTI implementation for their own malware variants. Examples include LockBit Green, Monti, Royal, Akira and BlackSuit.
Nitrogen and LukaLocker
Previous publications
The first publication on LukaLocker ransomware was published by Halcyon in July 2024. The ransomware operator or threat actor behind LukaLocker was referenced there with the code name “Volcano Demon”. It was also reported that, in addition to leaving ransom notes on the computers of affected companies, the threat actor also makes threatening phone calls. This tactic has rarely been used by ransomware gangs in the past, as call center agents usually have to be hired for this. For example, there are recordings of calls from Suncrypt or CONTI.
LukaLocker was previously examined by Jonny Johnson and Alden Schmidt (Huntress) in the presentation “Unraveling LukaLocker Ransomware”.
Nitrogen Ransomware should not be confused with the malware “Nitrogen Loader”. Although these malware variants have similar names, we were unable to establish any connection between them. A description of Nitrogen Loader was published by eSentire.
Malware samples and victimology
At the time of writing this article, the targets of the threat actors behind Nitrogen and LukaLocker ransomware were mainly located in North America (USA and Canada) and primarily active in the industrial and construction sectors. Occasionally, companies from other sectors were also attacked, which suggests an opportunistic selection of potential targets. A temporal correlation between the ransomware samples found and the extortion of affected companies is only possible in isolated cases, as new data breaches are listed on the leak blog with a large time lag. Figure 2 shows a timeline on which both the analyzed malware samples and the published extortion victims are plotted. As the posts on the leak blog are not dated, it is sometimes not possible to determine the exact time of posting. For this purpose, the posts of the threat actor on X (formerly Twitter) under the username @nitrogenSupp were consulted.

A total of five recent samples of the Nitrogen ransomware variant were identified by threat hunting with YARA. Four of these samples are directly attributed to Nitrogen; the fifth is assigned to the LukaLocker ransomware variant. As shown in the analysis section of this article, the implementations of Nitrogen and LukaLocker ransomware are almost identical. Further correlations suggesting that the threat actor behind Nitrogen ransomware also operates under the name LukaLocker can be drawn from an examination of the published ransomware data breaches. As can be seen in Figure 3, the ransomware sample used could be linked to the affected company in two instances. The company attacked with the LukaLocker variant was also listed on the Nitrogen ransomware leak blog. Shortly afterwards, however, this post was removed from the leak page and the X (Twitter) profile. It was not possible to determine to what extent this was related to a successful or failed extortion, or whether a connection between Nitrogen and LukaLocker was subsequently concealed.

Infrastructure
Nitrogen operates a leak blog as a TOR hidden service, in line with common “double extortion” tactics. The site follows a static structure with few dynamic elements and therefore offers little attack surface for potential deanonymization.
Data publications
Nitrogen Ransomware publishes a list of compromised companies on the leak blog described above. The data stolen by the attackers is not published in full; only vague proof of the theft is shown. The operators of Nitrogen are trying to sell the data on to other cybercriminals.

Contact channels
As previously mentioned, Nitrogen Ransomware operates an X / Twitter account under the username @NitrogenSupp. In addition, the threat actor uses Tox Instant Messenger, which is generally very popular among cybercriminals. In every ransom note that Nitrogen Ransomware leaves with a compromised company, a unique Tox username is noted in order to distinguish between the victims.
As the Nitrogen ransomware leak blog has not been updated since December 2024, we contacted the Tox ID listed on the leak blog as a test and received a reply shortly afterwards. The threat actor therefore appears to still be using the communication channel, possibly to sell the data records from the previous data breaches.
Analysis
The objective of our analysis was to gain an insight into the functionalities of Nitrogen ransomware. We also wanted to confirm the extent to which there is a connection between LukaLocker and Nitrogen, which was previously presented in the threat intelligence analysis.
Similarities with CONTI
Our analysis showed clear similarities between the source code of CONTI Ransomware and the decompiled Nitrogen Ransomware binaries. Some of the clearest indications are discussed in this subsection.
Parameters
The malware supports the following parameters, which the user can specify on the command line:

-p File path to be encrypted
-l Path to the log file
-nm Do not create a mutex
-s Stop services and terminate processes from the built-in service and process lists
-b Disable safeboot and force a restart
-v Increased verbosity of the log output
Mutex
Nitrogen uses a mutex to prevent the malware from being executed multiple times. In the analyzed sample, the malware created a mutex with the name “nvxkjcv7yxctvgsdfjhvv6esdvsx”. This logic was taken from the CONTI source code, only the mutex name was changed.

Multithreading
The malware uses the same multithreading logic as CONTI. By calling the GetNativeSystemInfo function, Nitrogen Ransomware determines the number of available CPU cores on the system. Two threads are then created for the thread pool for each logical processor in order to parallelize the encryption.

Deviations from the CONTI implementation
Software development environment
The original CONTI source code leak used Visual Studio 2015 as the build environment. The investigated Nitrogen samples are assumed to have been compiled with MinGW GCC version 13.3.0. In addition, the malware was optimized using SIMD instructions.

File encryption
Nitrogen Ransomware generates a ChaCha8 context with a random nonce and a random key for each file and protects this per-file key with Curve25519 elliptic-curve cryptography (ECC). The developer has thus replaced the RSA scheme used by CONTI with ECC. ECC is being used more and more frequently in ransomware because it requires smaller key sizes and less computing power than RSA.

Partial encryption modes:
- VM files (e.g. .vmdk, .vmx, .vmem) are 20% encrypted.
- Databases are completely encrypted.
- Files less than or equal to 1 MiB are completely encrypted.
- Files less than or equal to 1 GiB are encrypted at 50%.
- Larger files are only 10% encrypted.

Service and process termination
If the -s (or --service-stop) parameter was set when the ransomware was executed, Nitrogen terminates running processes whose names match one of the 827 entries in its built-in process list.

In addition, a separate list is used to search for active services belonging to anti-virus and endpoint detection and response solutions. Any services found are also stopped.

The implementation for terminating processes and services is shown in Figure 13. Nitrogen Ransomware runs through both lists and terminates all instances found.

Volume shadow copies
The mechanism for deleting the volume shadow copies, which was implemented by CONTI, is completely omitted by the Nitrogen developers. Unless the shadow copies are deleted manually after the ransomware has been executed, partial data recovery from them may be possible.

Encryption types of Nitrogen
Nitrogen supports three different encryption modes. The encryption modes ALL_ENCRYPT, LOCAL_ENCRYPT and PATH_ENCRYPT were copied from the Conti source and the NETWORK_ENCRYPT from Conti was omitted.

Deactivation of safe mode
After the encryption process, Nitrogen checks whether the shutdown flag was set by the user when the ransomware was started. If so, the safeboot setting is removed via the command line with the command “bcdedit /deletevalue {default} safeboot” and the system is then shut down.

Encoding of the ransom note
In the CONTI implementation, the ransom note is embedded in plain text in the executable file. LukaLocker has adopted this mechanism unchanged. As can be seen in Figure 10, some of the examined Nitrogen ransomware samples use a simple byte-wise XOR with alternating keys (e.g. 0xFD or 0xFF) to make it more difficult to extract the ransom note from the malware. In more recent variants of the ransomware, a rolling XOR algorithm with similar functionality was found.
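An analyst who wants to pull the note out of a sample without running it can reverse a byte-wise XOR statistically. The helper below is an added example written for this article, not code from the Nitrogen samples or from the CONTI source: it treats every key position as an independent single-byte XOR (a two-byte key is exactly the "alternating keys" case), brute-forces all 256 values per position and keeps the candidate that looks most like English text. The sample note and the key pair 0xFD/0xFF are constructed for the example; how the real samples alternate their keys, and the rolling XOR of the newer variants, are not modelled here.

```python
"""Added analyst helper: recover a ransom note obfuscated with a byte-wise (possibly
alternating) XOR key. Constructed example, not the malware's own code."""
from __future__ import annotations
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))
# Rough English weights: spaces and frequent letters score highest (keys are ints, i.e. bytes).
LETTER_WEIGHTS = {ord(c): w for c, w in {" ": 7, "e": 6, "t": 5, "a": 4, "o": 4,
                                         "i": 3, "n": 3, "s": 3, "h": 2, "r": 2}.items()}


def xor_with_cycle(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated cyclically; a 1-byte key is plain single-key XOR."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def text_score(candidate: bytes) -> int:
    """Higher is more English-like: reward common letters, penalise non-printable bytes."""
    score = 0
    for b in candidate.lower():
        if b not in PRINTABLE:
            score -= 10
        else:
            score += LETTER_WEIGHTS.get(b, 0)
    return score


def best_single_key(column: bytes) -> int:
    """Try all 256 keys on one key-position column and keep the most English-like result."""
    return max(range(256), key=lambda k: text_score(xor_with_cycle(column, bytes([k]))))


def recover_xor_key(blob: bytes, max_key_len: int = 4) -> tuple[bytes, bytes]:
    """Return (key, decoded) for the shortest key length giving the best decoding.

    Byte i of the blob depends only on key[i % key_len], so each column is solved on its
    own (the classic repeating-key XOR recovery). Ties go to the shorter key, so a
    single-byte key is not reported as a longer key that merely repeats it.
    """
    best_key, best_plain, best_score = b"", b"", None
    for key_len in range(1, max_key_len + 1):
        key = bytes(best_single_key(blob[offset::key_len]) for offset in range(key_len))
        plain = xor_with_cycle(blob, key)
        score = text_score(plain)
        if best_score is None or score > best_score:  # strict: keep shorter key on ties
            best_key, best_plain, best_score = key, plain, score
    return best_key, best_plain


# Constructed sample: a placeholder note, obfuscated with two alternating keys (0xFD, 0xFF).
SAMPLE_NOTE = (b"All of your files have been encrypted.\n"
               b"Do not rename or modify the encrypted files.\n"
               b"To restore your data, contact us via Tox: [TOX-ID PLACEHOLDER]\n")
SAMPLE_BLOB = xor_with_cycle(SAMPLE_NOTE, b"\xfd\xff")

if __name__ == "__main__":
    key, note = recover_xor_key(SAMPLE_BLOB)
    print("recovered key:", key.hex())
    print(note.decode("ascii"))
```

In practice the blob would be the byte range identified in the disassembly (Figure 10) rather than a constructed string; the scoring is deliberately simple and assumes an English-language note, so a note in another language needs a different weight table.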

Conclusion
We note that LukaLocker and Nitrogen ransomware are largely based on the CONTI source code. The changes made by the author suggest that the author's malware development capabilities are severely limited.
The overlap of entries on the Nitrogen leak page suggests that both variants are used by the same threat actor.
Indicators of Compromise (IoC)
File hash sums
Nitrogen
- c94b70dff50e69639b0ef1e828621c5fddcf144fea93e27520f48264ddd33273
- ce8788e6ed0042010dd27a4fd79b9962d11385008b88485b8368fd666e5d38ec
- 55f3725ebe01ea19ca14ab14d747a6975f9a6064ca71345219a14c47c18c88be
- f30198a8a62e189653bfbeaa7a2f303549b8042ddd84c980f132a4e889f9cb60
LukaLocker
- 4e58629158a6c46ad420f729330030f5e0b0ef374e9bb24cd203c89ec3262669
Host-based features
Ransom note: readme.txt
Log file: NBA_LOG.txt
Applicable detection rules
YARA
rule SI_MAL_RNSM_Nitrogen_Lukalocker_Feb25 {
    meta:
        version = "1.0"
        date = "2025-02-04"
        modified = "2025-03-20"
        status = "RELEASED"
        sharing = "TLP:CLEAR"
        source = "SECUINFRA Falcon Team"
        description = "Detects Nitrogen / LukaLocker Ransomware based on leaked CONTI source code."
        category = "malware"
        mitre_att = "T1486"
        hash = "8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383"
        minimum_yara = "3.2.0"
        best_before = "2026-02-04"
    strings:
        $str1 = "Directories scanned: %d" ascii
        $str2 = "Files finded: %d" ascii
        $str3 = "Files crypted: %d" ascii
        $str4 = "File %s is already open by another program." wide
        $str5 = ".kexi" wide
        $str6 = "cmd /c taskkill /im krbcc32s.exe /f" ascii
    condition:
        uint16(0) == 0x5A4D
        and filesize < 3MB
        and all of them
}
SIGMA
1. Potential Conti Ransomware Activity
2. Process Terminated via Taskkill
3. Potential Ransomware or Unauthorized MBR Tampering via bcdedit.exe
4. Suspicious Execution of Shutdown
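The Sigma rule titles above map onto the behaviours described in the analysis section: process termination via taskkill (the -s option and the $str6 string of the YARA rule), the bcdedit command that removes the safeboot setting, and the forced shutdown that follows it. The script below is an added example, not part of the original article or of any published Sigma rule: it runs equivalent matching logic over constructed process-creation events so the three behaviours can be checked together in a pipeline or a lab. The JSON field names (ProcessId, Image, CommandLine) follow a Sysmon-style convention and are an assumption, the sample events are constructed, and the exact shutdown command line of the malware is not given in the article, so the shutdown pattern only assumes the usual /s or /r switch.

```python
"""Added example: detection logic for the Nitrogen behaviours named by the Sigma rule
titles above, applied to constructed process-creation events (not the article's data)."""
from __future__ import annotations
import json
import re

# One compiled pattern per behaviour. Labels are modelled on the Sigma rule titles listed
# above; the regexes are written from the behaviour described in this article.
DETECTIONS = {
    "Process Terminated via Taskkill":
        re.compile(r"\btaskkill(\.exe)?\b.*\s/(im|pid)\s", re.IGNORECASE),
    "Potential Ransomware or Unauthorized MBR Tampering via bcdedit.exe":
        re.compile(r"\bbcdedit(\.exe)?\b.*\s/deletevalue\b.*\bsafeboot\b", re.IGNORECASE),
    "Suspicious Execution of Shutdown":
        re.compile(r"\bshutdown(\.exe)?\b.*\s/[rs]\b", re.IGNORECASE),  # assumed /s or /r switch
}


def classify_event(event: dict) -> list[str]:
    """Return the labels of every detection whose pattern matches the command line."""
    cmd = event.get("CommandLine", "")
    return [label for label, rx in DETECTIONS.items() if rx.search(cmd)]


def scan_log(lines) -> list[tuple[int | None, list[str]]]:
    """Parse JSON event lines; return (ProcessId, matched labels) for events that hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        labels = classify_event(event)
        if labels:
            hits.append((event.get("ProcessId"), labels))
    return hits


# Constructed events. The taskkill line reuses the string from the YARA rule above; the
# bcdedit line is the command quoted in the analysis; the rest is invented benign noise.
SAMPLE_EVENTS = [
    '{"ProcessId": 4312, "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", '
    '"CommandLine": "cmd /c taskkill /im krbcc32s.exe /f"}',
    '{"ProcessId": 4320, "Image": "C:\\\\Windows\\\\System32\\\\bcdedit.exe", '
    '"CommandLine": "bcdedit /deletevalue {default} safeboot"}',
    '{"ProcessId": 4331, "Image": "C:\\\\Windows\\\\System32\\\\shutdown.exe", '
    '"CommandLine": "shutdown /s /f /t 0"}',
    '{"ProcessId": 4400, "Image": "C:\\\\Windows\\\\System32\\\\notepad.exe", '
    '"CommandLine": "notepad C:\\\\Users\\\\analyst\\\\readme.txt"}',
    'this line is not JSON and must be skipped',
]

if __name__ == "__main__":
    for pid, labels in scan_log(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(labels))
```

Each of the three behaviours is individually noisy (administrators run taskkill and shutdown too); what makes the sequence worth an alert is all three appearing on one host within a short window, so a real deployment would correlate the hits by host and time rather than page on a single match.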

