Ransomware - Nevada

Nevada
Aliases
Nokoyawa 2.1
Decryptor Available
No
Description

For more information, please see the entry on Nokoyawa and Nokoyawa 2.0.

Nevada appears to be another iteration of the Nokoyawa ransomware family and is also known as Nokoyawa 2.1. It is the second variant to use Rust and varies from the other Rust-based variant, Nokoyawa 2.0, in a few ways. For clarity, it is believed the Nokoyawa creators authored two families in parallel. One that was coded in C/C++, and the other in Rust. Nokoyawa and Nokoyawa 1.1 were written in C/C++, and Nokoyawa 2.0 and Nevada (Nokoyawa 2.1) were written in Rust. Both families share similar behaviors. One way in which they differ is that the Rust variants used Salsa20 encryption coupled with the X25519 curve of Elliptic Curve Cryptography (ECC-X25519). However, Nevada was observed operating a Ransomware-as-a-Service (RaaS) on a dark web forum named RAMP. They advertise an 85/15 model, which could move to 90/10 if the users were trustworthy. 85/15 means that the user who purchased the ransomware service would keep 85% of all of their earnings, and 15% would go to the creators - Nevada. Similarly, 90/10 would mean the users keep 90%.

When Nevada was first observed in the wild, it came at a time when ESXiArgs performed an automated ransomware attack on any organizations with public-facing ESXi servers with the CVE-2021-21974 vulnerability. This vulnerability is from VMWare ESXi's OpenSLP service. However, WatchGuard Threat Labs believe that, since Nevada ransomware also targets ESXi machines, some researchers incorrectly attributed Nevada Group to the ESXiArgs attack. ESXiArgs is a completely different ransomware than Nevada.

Ransomware Type
Crypto-Ransomware
RaaS
First Seen
Last Seen
Lineage
Threat Actors
Type
Actor
Cybergroup
Nevada Group
Extortion Types
Direct Extortion
Double Extortion
Communication
Medium
Identifier
Tox
Encryption
Type
Hybrid
Files
Salsa20
Key
ECC-X25519
File Extension
<file name>.NEVADA
Ransom Note Name
readme.txt
Ransom Note Image
Samples (SHA-256)
855f411bd0667b650c4f2fd3c9fbb4fa9209cf40b0d655fa9304dcdd956e0808
acc31048e00d1a0f4cd5569d5d4db539da8f506cc7a6a171942d015ecc817d43