- \n
- Both implementations are largely based on the CONTI ransomware source code leaked in March 2022.<\/li>\n<\/ul>\n\n
- \n
- The functionality of Nitrogen ransomware has barely evolved, suggesting a lack of expertise in ransomware implementation.<\/li>\n<\/ul>\n\n
<\/p>\n\n
Introduction<\/h2>\n\n
This section explains some basic facts about the CONTI ransomware source code leak and the Nitrogen and LukaLocker ransomware variants.<\/p>\n\n
Background: CONTI source code leak<\/h3>\n\n
On March 20, 2022, the source code for the CONTI ransomware variant was published via Twitter by a Ukrainian developer of the group after the operators of the CONTI Ransomware-as-a-Service (RaaS) announced via their leak blog that they were supporting the Russian invasion of Ukraine (see Figure 1).<\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/nitrogen-conti.webp\")
Figure 1: CONTI announcement on the Russian invasion of Ukraine (Source: BleepingComputer<\/a>)<\/figcaption><\/figure>\n\n Following the publication of this source code, several existing and new ransomware gangs adapted the CONTI implementation for their own malware variants. Examples include LockBit Green, Monti, Royal, Akira and BlackSuit. <\/p>\n\n
Nitrogen and LukaLocker<\/h3>\n\n
Previous publications<\/h4>\n\n
The first publication on LukaLocker ransomware was published by Halcyon in July 2024<\/a>. The ransomware operator or threat actor behind LukaLocker was referenced there with the code name “Volcano Demon”. It was also reported that, in addition to leaving ransom notes on the computers of affected companies, the threat actor also makes threatening phone calls. This tactic has rarely been used by ransomware gangs in the past, as call center agents usually have to be hired for this. For example, there are recordings of calls from Suncrypt<\/a> or CONTI<\/a>. <\/p>\n\n
LukaLocker was previously examined by Jonny Johnson and Alden Schmidt (Huntress) in the presentation “Unraveling LukaLocker Ransomware”<\/a>.<\/p>\n\n
Nitrogen Ransomware should not be confused with the malware “Nitrogen Loader”. Although these malware variants have similar names, we were unable to establish any connection between them. A description of Nitrogen Loader was published by eSentire<\/a>. <\/p>\n\n
Malware samples and victimology<\/h4>\n\n
At the time of writing this article, the targets of the threat actors behind Nitrogen and LukaLocker ransomware were mainly localized in North America (USA and Canada) and primarily active in the industrial and construction sectors. Occasionally, companies from other sectors were also attacked, which suggests an opportunistic selection of potential targets. A temporal correlation between the ransomware samples found and the extortion of affected companies is only possible in isolated cases, as new data breaches are listed on the blog with a large time lag. Figure 2 shows a timeline on which both the analyzed malware samples and published blackmail targets are plotted. As the publications on the leak blog are not dated, it is sometimes not possible to determine the exact time of posting. For this purpose, the posts of the threat actor on X (formerly Twitter) under the username @nitrogenSupp<\/a> were consulted. <\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/timeline-submission-target-1600x522.png\")
Figure 2: Observed samples ordered by the date they were first submitted to VirusTotal and targeted companies announced on the TA’s X\/Twitter account<\/figcaption><\/figure>\n\n A total of five current samples of the Nitrogen ransomware variant were identified by threat hunting with YARA. Four of these samples are directly attributed to Nitrogen. Another sample is assigned to the LukaLocker ransomware variant. As shown in the second section of this article, the implementations of Nitrogen and LukaLocker ransomware are almost identical. Further correlations suggesting that the threat actor behind Nitrogen ransomware also operates under the name LukaLocker can be drawn from an examination of the published ransomware data breaches. As can be seen in Figure 3, the ransomware sample used in two instances could be linked to the affected companies. The company attacked with the LukaLocker variant was also listed on the Nitrogen Ransomware Leak Blog. Shortly afterwards, however, this post was removed from the leak page and the X (Twitter) profile. It was not possible to determine to what extent this was related to a successful\/failed extortion or whether a connection between Nitrogen and LukaLocker was subsequently concealed. <\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/target-relation.png\")
Figure 3: Victim identities that can be derived from sample information; the LukaLocker victim was listed in the Nitrogen blog<\/figcaption><\/figure>\n\n Infrastructure<\/h4>\n\n
Nitrogen operates a leak blog as a TOR hidden service, in line with common “double extortion” tactics. The site follows a static structure with few dynamic elements and therefore offers little attack surface for potential deanonymization. <\/p>\n\n
Data publications<\/h4>\n\n
Nitrogen Ransomware publishes a list of compromised companies on the leak blog described above. The data stolen by the attackers is not published in full, but only with vague evidence. The operators of Nitrogen are trying to sell the data on to other cybercriminals. <\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nitrogen-leak-blog-1600x1160.png\")
Figure 4: Screenshot of the Nitrogen ransomware leak blog “NitroBlog”<\/figcaption><\/figure>\n\n Contact us<\/h4>\n\n
As previously mentioned, Nitrogen Ransomware operates an X \/ Twitter account under the username @NitrogenSupp. In addition, the threat actor uses Tox Instant Messenger, which is generally very popular among cybercriminals. In every ransom note that Nitrogen Ransomware leaves with a compromised company, a unique Tox username is noted in order to distinguish between the victims. <\/p>\n\n
As the Nitrogen ransomware leak blog has not been updated since December 2024, we contacted the Tox ID listed on the leak blog as a test and received a reply shortly afterwards. The threat actor therefore appears to still be using the communication channel, possibly to sell the data records from the previous data breaches. <\/p>\n\n
Analysis<\/h2>\n\n
The objective of our analysis was to gain an insight into the functionalities of Nitrogen ransomware. We also wanted to confirm the extent to which there is a connection between LukaLocker and Nitrogen, which was previously presented in the threat intelligence analysis. <\/p>\n\n
Similarities with CONTI<\/h3>\n\n
Our analysis showed clear similarities between the source code of CONTI Ransomware and the decompiled Nitrogen Ransomware binaries. Some of the clearest indications are discussed in this subsection. <\/p>\n\n
Parameters<\/h4>\n\n
The malware supports the following parameters, which the user can specify on the command line:<\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nitrogen-help-1600x350.png\")
Figure 5: Optional command line parameters of Nitrogen Ransomware<\/figcaption><\/figure>\n\n -p File path to be encrypted
Mutex<\/h4>\n\n
Nitrogen uses a mutex to prevent the malware from being executed multiple times. In the analyzed sample, the malware created a mutex with the name “nvxkjcv7yxctvgsdfjhvv6esdvsx”. This logic was taken from the CONTI source code, only the mutex name was changed. <\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nitrogen-conti-mutex-1600x1000.png\")
Figure 6: Comparison of the Mutex implementation between Nitrogen and CONTI<\/figcaption><\/figure>\n\n Multithreading<\/h4>\n\n
The malware uses the same multithreading logic as CONTI. By calling the GetNativeSystemInfo<\/em> function, Nitrogen Ransomware determines the number of available CPU cores on the system. Two threads are then created for the thread pool for each logical processor in order to parallelize the encryption. <\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nitrogen-conti-threadpool-1600x759.png\")
Figure 7: Routine for creating execution threads (Nitrogen vs. CONTI)<\/figcaption><\/figure>\n\n Deviations from the CONTI implementation<\/h3>\n\n
Software development environment<\/h4>\n\n
The original CONTI source code leak used Visual Studio 2015 as the build environment. It is assumed that the investigated Nitrogen samples used MinGW GCC version 13.3.0. In addition, the malware was optimized using SIMD instructions. <\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/nitrogen-die.png\")
Figure 8: Detect it Easy – Information on the development environment of Nitrogen Ransomware<\/figcaption><\/figure>\n\n File encryption<\/h4>\n\n
Nitrogen Ransomware generates a ChaCha8 context with a random nonce and a random key for each file and protects this key with the Curve25519 ECC. The developer has replaced RSA, which is used by Conti, with ECC. ECC is being used more and more frequently in ransomware because, unlike RSA, it uses smaller key sizes and consumes less computing power than RSA. <\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nitrogen-conti-genkey-1600x749.png\")
Figure 9: Comparison of the key generation between Nitrogen and CONTI Ransomware<\/figcaption><\/figure>\n\n Partial encryption modes:<\/p>\n\n
- \n
- VM files (e.g. Vmdk, vmx, vmem) are 20% encrypted.<\/li>\n\n\n\n
- Databases are completely encrypted.<\/li>\n\n\n\n
- Files less than or equal to 1 MiB are completely encrypted.<\/li>\n\n\n\n
- Files less than or equal to 1 GiB are encrypted at 50%.<\/li>\n\n\n\n
- Larger files are only 10% encrypted.<\/li>\n<\/ul>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nitrogen-encryption-percentage-1600x1096.png\")
Figure 10: Differentiation of the partial encryption of nitrogen ransomware<\/figcaption><\/figure>\n\n Service and process scheduling<\/h4>\n\n
If the -s (or –service-stop) parameter was set when the ransomware was executed, Nitrogen terminates processes that match those from a list of 827 entries.<\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nitrogen-taskkill-list-1600x1394.png\")
Figure 11: List of processes that Nitrogen Ransomware attempts to shut down<\/figcaption><\/figure>\n\n In addition, a separate list is used to search for active services from anti-virus and endpoint detection and response solutions. If there are any hits, these are also switched off. <\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nitrogen-service-kill-1600x1475.png\")
Figure 12: Screenshot of the services that Nitrogen is trying to shut down<\/figcaption><\/figure>\n\n The implementation for terminating processes and services is shown in Figure 13. Nitrogen Ransomware runs through both lists and terminates all instances found. <\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nitrogen-cmd-prockill-1600x1373.png\")
Figure 13: Routine for scheduling processes and services<\/figcaption><\/figure>\n\n Volume shadow copies<\/h4>\n\n
The mechanism for deleting the volume shadow copies, which was implemented by CONTI, is completely omitted by the Nitrogen developers. As long as this is not done manually after the ransomware has been executed, partial data recovery may be possible. <\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/conti-vss-1600x330.png\")
Figure 14: CONTI implementation for deleting volume shadow copies<\/figcaption><\/figure>\n\n Encryption types of Nitrogen<\/h4>\n\n
Nitrogen supports three different encryption modes. The encryption modes ALL_ENCRYPT, LOCAL_ENCRYPT and PATH_ENCRYPT were copied from the Conti source and the NETWORK_ENCRYPT from Conti was omitted. <\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nitrogen-conti-encryptmode-1-1600x1358.png\")
Figure 15: Comparison of encryption modes between Nitrogen and CONTI Ransomware<\/figcaption><\/figure>\n\n Deactivation of safe mode<\/h4>\n\n
After the encryption process, Nitrogen checks whether the shutdown flag was set by the user when the ransomware was started, if so, Safeboot is shut down using the command line with the command “bcdedit \/deletevalue {default} safeboot” and the system is then shut down.<\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nitrogen-safeboot-1600x415.png\")
Figure 16: Deactivating safe mode and forcing a restart<\/figcaption><\/figure>\n\n Encryption of the blackmail letter<\/h4>\n\n
In the CONTI implementation, the blackmail letter is delivered in plain text in the executable file. LukaLocker has adopted this mechanism in this form. As can be seen in Figure 10, some of the examined Nitrogen ransomware samples use a simple byte-wise XOR with alternating keys (e.g. 0xFD or 0xFF) to make it more difficult to extract the ransom note from the malware. In more recent variants of the ransomware, a rolling XOR algorithm with similar functionality was found. <\/p>\n\n
![\"\"](\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nitrogen-ransomnote-decryption-1600x592.png\")
Figure 17: Routine for decrypting the blackmail letter after file encryption has been completed<\/figcaption><\/figure>\n\n Conclusion<\/h2>\n\n
We note that LukaLocker and Nitrogen ransomware are largely based on the CONTI source code. The changes made by the author suggest that his malware development capabilities are severely limited. <\/p>\n\n
An overlap of entries on the Nitrogen leak page suggests that both variants are used by these actors.<\/p>\n\n
Indicators of Compromise (IoC)<\/h2>\n\n
File hash sums<\/h4>\n\n
Nitrogen<\/p>\n\n
\n- \n
- c94b70dff50e69639b0ef1e828621c5fddcf144fea93e27520f48264ddd33273<\/li>\n\n\n\n
- ce8788e6ed0042010dd27a4fd79b9962d11385008b88485b8368fd666e5d38ec<\/li>\n\n\n\n
- 55f3725ebe01ea19ca14ab14d747a6975f9a6064ca71345219a14c47c18c88be<\/li>\n\n\n\n
- f30198a8a62e189653bfbeaa7a2f303549b8042ddd84c980f132a4e889f9cb60<\/li>\n<\/ul>\n<\/div>\n\n
LukaLocker<\/p>\n\n
- \n
- 4e58629158a6c46ad420f729330030f5e0b0ef374e9bb24cd203c89ec3262669<\/li>\n<\/ul>\n\n
Host-based features<\/h4>\n\n
Extortion letter: readme.txt<\/p>\n\n
Log protocol: NBA_LOG.txt<\/p>\n\n
Applicable detection rules<\/h2>\n\n
YARA<\/h3>\n\n\n\n
rule SI_MAL_RNSM_Nitrogen_Lukalocker_Feb25 {<\/code><\/p>\n\n\nmeta:<\/code><\/p>\n\n\nversion = \"1.0\"<\/code><\/p>\n\n\ndate = \"2025-02-04\"<\/code><\/p>\n\n\nmodified = \"2025-03-20\"<\/code><\/p>\n\n\nstatus = \"RELEASED\"<\/code><\/p>\n\n\nsharing = \"TLP:CLEAR\"<\/code><\/p>\n\n\nsource = \"SECUINFRA Falcon Team\"<\/code><\/p>\n\n\ndescription = \"Detects Nitrogen \/ LukaLocker Ransomware based on leaked CONTI source code.\"<\/code><\/p>\n\n\ncategory = \"malware\"<\/code><\/p>\n\n\nmitre_att = \"T1486\"<\/code><\/p>\n\n\nhash = \"8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383\"<\/code><\/p>\n\n\nminimum_yara = \"3.2.0\"<\/code><\/p>\n\n\nbest_before = \"2026-02-04\"<\/code><\/p>\n\n\nstrings:<\/code><\/p>\n\n\n$str1 = \"Directories scanned: %d\" ascii<\/code><\/p>\n\n\n$str2 = \"Files finded: %d\" ascii<\/code><\/p>\n\n\n$str3 = \"Files crypted: %d\" ascii<\/code><\/p>\n\n\n$str4 = \"File %s is already open by another program.\" wide<\/code><\/p>\n\n\n$str5 = \".kexi\" wide<\/code><\/p>\n\n\n$str6 = \"cmd \/c taskkill \/im krbcc32s.exe \/f\" ascii<\/code><\/p>\n\n\ncondition:<\/code><\/p>\n\n\nuint16(0) == 0x5A4D<\/code><\/p>\n\n\nand filesize < 3MB<\/code><\/p>\n\n\nand all of them<\/code><\/p>\n\n\n}<\/code><\/p>\n\n\n\nSIGMA<\/h3>\n\n
1. potential Conti Ransomware Activity<\/p>\n\n
https:\/\/github.com\/SigmaHQ\/sigma\/blob\/master\/rules-emerging-threats\/2021\/Malware\/Conti\/proc_creation_win_malware_conti_ransomware_commands.yml<\/a><\/p>\n\n
2. process terminated via taskkill<\/p>\n\n
https:\/\/github.com\/SigmaHQ\/sigma\/blob\/master\/rules-threat-hunting\/windows\/process_creation\/proc_creation_win_taskkill_execution.yml<\/a><\/p>\n\n
3. potential ransomware or unauthorized MBR tampering via bcdedit.exe<\/p>\n\n
- 4e58629158a6c46ad420f729330030f5e0b0ef374e9bb24cd203c89ec3262669<\/li>\n<\/ul>\n\n
- The functionality of Nitrogen ransomware has barely evolved, suggesting a lack of expertise in ransomware implementation.<\/li>\n<\/ul>\n\n