Nitrogen ransomware: From staged loader to full-scale extortion
The Nitrogen group is a sophisticated and financially motivated threat group that was first observed as a malware developer and operator in 2023. Since discovery, Nitrogen has transformed itself into a full end-to-end, double extortion ransomware operation. The location of the group, the identities/lineage of its members and relationships with other threat actors are not well documented.
Before we get into the full profile, here’s a quick look at the group:
Feature | Description
--- | ---
Threat Type | Ransomware / double-extortion threat group. Researchers are divided on whether Nitrogen operates as a ransomware-as-a-service (RaaS) group.
Unique Trait | Aggressive use of malicious advertising (malvertising) and trojanized installers aimed at IT professionals and other technical users.
Targets | Companies of all sizes across finance, manufacturing, professional services, and regional businesses (US/UK/Canada and various international victims).
Initial Access | Malvertising / poisoned ads that lead victims to malicious or trojanized installers for legitimate applications like WinSCP and Advanced IP Scanner.
Extortion Method | Data exfiltration and encryption.
Leak Site | ‘NitroBlog’ – Logo with ‘contact us’ link and list of victims
Partial screenshot of NitroBlog showing logo and list of victims. Via Ransom.live
What’s in a name?
Group names and logos aren’t always significant, but sometimes the branding will offer clues to the group’s intentions, locations and member identities. Nitrogen doesn’t give us much to work with here.
It’s hard to say why the group chose the name Nitrogen. There doesn’t seem to be anything fun or interesting behind this name. It may be meant to project an image of being invisible and everywhere, or cold and methodical, or something else. Maybe it doesn’t mean anything.
The minimalist logo looks like a stock image with some design elements, and we can speculate on what this means. Other groups we’ve profiled have crazy brand designs with bugs and mythical creatures and cool retro fun. Lockbit paid people to tattoo its logo onto themselves (gross). Nitrogen doesn’t seem to care about things like that, which could mean the group doesn’t prioritize long-term brand recognition. Maybe the group has a planned exit strategy, or it recognizes that ransomware brands do not last long. Rebranding and changing domains is easier with a simple logo image because you don’t have a bunch of style elements to clean up and/or put on a new server.
A simple design could also be an intentional statement that the group isn’t into marketing. It wants to operate quietly and not be bothered with showing off its brand. If the group is operating as a RaaS, why aren’t they trying to get attention?
As a reminder, this is all speculation.
Location and identities
There’s no public, authoritative attribution of Nitrogen to a specific country or region. Open-source reporting links Nitrogen activity to the broader Eastern-European area, but researchers could not confirm a location. Most Nitrogen ransomware command-and-control servers are in Bulgaria and the Netherlands, but the group could be decentralized and attacking from different locations.
There is also no direct evidence linking Nitrogen to specific individuals, though researchers suspect the current group may include former Blackcat operators.
Origin story
Malware developer and loader operator
Nitrogen malware activity was first detected by researchers in the summer of 2023. The malware was designed to access a system and establish persistence so that a threat actor could carry out a stealthy attack. The Nitrogen group developed and sold the malware, and sometimes helped manage the malvertising campaigns for buyers.
Nitrogen loader malware is a small piece of code that was bundled with application installers for utilities like Advanced IP Scanner, Slack, WinSCP, AnyDesk, Cisco AnyConnect, PuTTY, and other applications. These applications were selected because they are more likely to be downloaded by IT teams and other technical users.
Partial screenshot of Nitrogen malvertising attack, via Bleeping Computer
Malicious ad for Advanced IP Scanner, leading to the domain www[.]advanCCed-ip-scaNer[.]com. Notice the incorrect spelling in the fake download site. The legitimate domain is www.advanced-ip-scanner.com. Via Trustwave
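One defender-side check the lure above suggests, added here as an example and not code from Barracuda or from the Nitrogen campaign: flag download domains that are near-misses of legitimate vendor domains. It assumes a small allowlist of legitimate download domains (only advanced-ip-scanner.com is taken from the page; winscp.net, filezilla-project.org and anydesk.com are assumed vendor domains added for illustration) and scores candidate names with an optimal-string-alignment edit distance, so a doubled letter (advanCCed), a dropped letter (scaNer) or two swapped letters each count as one edit. It also catches a legitimate name reused on a different TLD or embedded in a longer name.

```python
"""Lookalike download-domain check (added example; not Barracuda's or Nitrogen's code)."""
from urllib.parse import urlparse

# Allowlist of legitimate vendor download domains. Only advanced-ip-scanner.com
# comes from the page; the other entries are assumed for illustration.
LEGIT_DOWNLOAD_DOMAINS = {
    "advanced-ip-scanner.com",
    "winscp.net",
    "filezilla-project.org",
    "anydesk.com",
}
MAX_LOOKALIKE_DISTANCE = 2  # doubled, dropped or swapped letters are 1 edit each


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def extract_host(url: str) -> str:
    """Refang defanged URLs (hxxp, [.]) and return the host without a leading www."""
    url = url.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def registrable_domain(host: str) -> str:
    """Last two labels; a simplification that ignores multi-part suffixes like co.uk."""
    return ".".join(host.split(".")[-2:])


def name_part(domain: str) -> str:
    """The domain without its TLD, which is the part typosquatters vary."""
    return domain.rsplit(".", 1)[0]


def assess_download_domain(url: str, allowlist=LEGIT_DOWNLOAD_DOMAINS) -> dict:
    """Classify a download URL as allowlisted, a lookalike of an allowlisted vendor, or unknown."""
    domain = registrable_domain(extract_host(url))
    if domain in allowlist:
        return {"domain": domain, "verdict": "allowlisted", "closest": domain, "distance": 0}
    name = name_part(domain)
    # Legit name on another TLD, or embedded in a longer name (vendor-setup.net), is a lookalike.
    embedded = sorted(d for d in allowlist if name_part(d) in name)
    if embedded:
        return {"domain": domain, "verdict": "lookalike", "closest": embedded[0],
                "distance": edit_distance(name, name_part(embedded[0]))}
    closest = min(sorted(allowlist), key=lambda d: edit_distance(name, name_part(d)))
    distance = edit_distance(name, name_part(closest))
    verdict = "lookalike" if distance <= MAX_LOOKALIKE_DISTANCE else "unknown"
    return {"domain": domain, "verdict": verdict, "closest": closest, "distance": distance}


if __name__ == "__main__":
    for u in ("https://www[.]advanCCed-ip-scaNer[.]com/download",
              "https://www.advanced-ip-scanner.com/", "https://example.org/"):
        print(u, "->", assess_download_domain(u))
```

A check like this belongs in a web proxy or DNS-log review rather than on the endpoint: the verdict is only as good as the allowlist, and the two-label registrable-domain cut is a deliberate simplification that a production version would replace with a public-suffix list.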
When users run the compromised download, the Nitrogen code sideloads a malicious dynamic link library (DLL). Windows applications use DLL files to provide code and data on demand. DLL sideloading is an attack technique that abuses the way an application searches for its libraries, so that it loads a malicious DLL placed alongside it instead of the legitimate system file.
The Nitrogen malware is a ‘staged loader,’ which means it unpacks, decrypts and downloads the rest of the attack in multiple steps. Here’s how Nitrogen maps to the most common stages found in these loaders:
Stage 0: Lure / Delivery: Nitrogen delivers its malware by using malvertising to trick victims into downloading and installing a compromised/trojanized application.
Stage 1: Dropper / Installer on-disk: The victim runs the application installer, which writes the malicious DLL to disk.
Stage 2: Loader / DLL sideload: The trojanized application loads the malicious DLL as it installs. This DLL prepares the environment and unpacks or retrieves the next stage.
Stage 3: In-memory staging & beaconing: The stager unpacks or downloads the next piece of the attack, which is usually a Python script and command-and-control (C2) beacons like Cobalt Strike or Sliver. These beacons establish communications almost immediately.
Stage 4: Actions on objective: With the system compromised, operators begin the rest of the attack. This frequently led to Blackcat ransomware infections.
To be clear, Nitrogen was not an initial access broker (IAB) and was never involved in selling access. Its function was to develop malware to facilitate initial access for others.
Evolution to ransomware group
It’s not clear when Nitrogen began its extortion operations, but September 2024 is the commonly accepted date. This is when Nitrogen publicly claimed its first victims.
X post announcing the discovery of Nitrogen ransomware group, via Hackmanac
In late 2023, researchers observed Nitrogen loader campaigns leading to the deployment of Blackcat ransomware. This established Nitrogen's role as an initial-access facilitator for the Blackcat ransomware-as-a-service (RaaS) operation. What’s not clear is if or when Nitrogen became a ransomware operator as a Blackcat RaaS affiliate. However, we do know that Nitrogen was a fully independent ransomware operator with its own ransomware strain by mid-2024. At some point in this transition, Nitrogen stopped selling its popular loader malware to others.
Attack Chain
Nitrogen continues to use its own loader malware for initial access, so we can keep the first two steps short:
Initial Access: The attack begins when users click on malicious ads that redirect them to fake software download sites.
Screenshot of Filezilla lookalike page designed to trick victims, via Threatdown
Malware Delivery and Execution: The installer begins DLL sideloading and establishes a connection to the C2 server.
Persistence and Lateral Movement: The malware creates persistence mechanisms, such as registry run keys or scheduled tasks, to ensure it runs at system startup or periodically. This system is the ‘launch pad’ for the next steps.
Command and Control (C2) and Payload Delivery: The persistent component executes NitrogenStager, which communicates with the threat actor's Command and Control (C2) servers and deploys additional tools to facilitate lateral movement, data exfiltration or a ransomware attack.
Post-Exploitation and Ransomware Deployment: Before encrypting files, Nitrogen operators exfiltrate sensitive data to their own infrastructure, which is usually the group’s servers in Bulgaria. When this process is finished, the ransomware binary will execute and begin encryption. The encryption process appends the extension ‘.nba’ to the affected files. A ransom note, usually named “readme.txt” is left on the desktop and in every folder where files have been encrypted.
Evasion and Obfuscation: Nitrogen actors may clear system event logs and use other cloaking techniques to remove forensic artifacts that may help researchers and law enforcement.
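The chain above can be turned into detection logic. The following is an added example, not Barracuda's or the group's code, that runs simple rules over a constructed JSON-lines export of Sysmon and Windows Security events (the field names are a simplified assumption, not the real Sysmon schema, and the file and DLL names in the sample are invented) and correlates the stages per host: an unsigned DLL loaded from the same user-writable folder as the installer that loaded it, Run-key or scheduled-task persistence, a cleared event log, and ransom notes named readme.txt plus ‘.nba’ files appearing across folders.

```python
"""Nitrogen-style post-compromise detection over Windows event records.

Added example (not Barracuda's or Nitrogen's code). The JSON fields below are a
simplified, constructed schema, not a real Sysmon/Windows event export.
"""
import json
import ntpath
from collections import defaultdict

# Constructed sample telemetry (invented paths and names): an installer launched
# from the browser, an unsigned DLL loaded from the same Downloads folder, Run-key
# and scheduled-task persistence, the Security log cleared, then readme.txt notes
# and '.nba' files appearing in several folders. ws02 is a clean host.
SAMPLE_EVENTS = r"""
{"host": "ws01", "channel": "Sysmon", "id": 1, "image": "C:\\Users\\amy\\Downloads\\ipscan_setup.exe", "parent": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"host": "ws01", "channel": "Sysmon", "id": 7, "image": "C:\\Users\\amy\\Downloads\\ipscan_setup.exe", "loaded": "C:\\Users\\amy\\Downloads\\setup_helper.dll", "signed": "false"}
{"host": "ws01", "channel": "Sysmon", "id": 7, "image": "C:\\Users\\amy\\Downloads\\ipscan_setup.exe", "loaded": "C:\\Windows\\System32\\kernel32.dll", "signed": "true"}
{"host": "ws01", "channel": "Sysmon", "id": 13, "image": "C:\\Users\\amy\\Downloads\\ipscan_setup.exe", "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"host": "ws01", "channel": "Security", "id": 4698, "task": "\\Microsoft\\Windows\\Updater"}
{"host": "ws01", "channel": "Security", "id": 1102}
{"host": "ws01", "channel": "Sysmon", "id": 11, "image": "C:\\Users\\amy\\AppData\\Roaming\\svc.exe", "target": "C:\\Users\\amy\\Documents\\readme.txt"}
{"host": "ws01", "channel": "Sysmon", "id": 11, "image": "C:\\Users\\amy\\AppData\\Roaming\\svc.exe", "target": "C:\\Users\\amy\\Documents\\q3.xlsx.nba"}
{"host": "ws01", "channel": "Sysmon", "id": 11, "image": "C:\\Users\\amy\\AppData\\Roaming\\svc.exe", "target": "C:\\Users\\amy\\Pictures\\readme.txt"}
{"host": "ws01", "channel": "Sysmon", "id": 11, "image": "C:\\Users\\amy\\AppData\\Roaming\\svc.exe", "target": "C:\\Users\\amy\\Pictures\\team.jpg.nba"}
{"host": "ws02", "channel": "Sysmon", "id": 7, "image": "C:\\Program Files\\WinSCP\\WinSCP.exe", "loaded": "C:\\Windows\\System32\\kernel32.dll", "signed": "true"}
"""

USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
RUN_KEY_MARKER = "\\currentversion\\run\\"
RANSOM_EXT = ".nba"          # extension the page reports Nitrogen appends
RANSOM_NOTE = "readme.txt"   # note name the page reports
NOTE_DIR_THRESHOLD = 2       # ransom note dropped in this many distinct folders


def in_user_writable_dir(path: str) -> bool:
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def rule_dll_sideload(ev: dict):
    """Sysmon 7: unsigned DLL from a user-writable folder, loaded by a binary in that same folder."""
    if ev["channel"] == "Sysmon" and ev["id"] == 7 and ev.get("signed") == "false":
        same_dir = ntpath.dirname(ev["loaded"]).lower() == ntpath.dirname(ev["image"]).lower()
        if in_user_writable_dir(ev["loaded"]) and same_dir:
            return "dll_sideload_user_dir"
    return None


def rule_persistence(ev: dict):
    """Sysmon 13 write under a Run key, or Security 4698 scheduled task created."""
    if ev["channel"] == "Sysmon" and ev["id"] == 13 and RUN_KEY_MARKER in ev["target"].lower():
        return "persistence_run_key"
    if ev["channel"] == "Security" and ev["id"] == 4698:
        return "persistence_scheduled_task"
    return None


def rule_log_cleared(ev: dict):
    """Security 1102 / System 104: an event log was cleared (anti-forensics)."""
    return "event_log_cleared" if (ev["channel"], ev["id"]) in {("Security", 1102), ("System", 104)} else None


STATELESS_RULES = (rule_dll_sideload, rule_persistence, rule_log_cleared)


def analyze(jsonl: str) -> dict:
    """Run the rules, add the stateful encryption rule, and grade each host by stages seen."""
    alerts, stages = [], defaultdict(set)
    note_dirs, nba_files = defaultdict(set), defaultdict(int)
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        host = ev["host"]
        for rule in STATELESS_RULES:
            name = rule(ev)
            if name:
                alerts.append({"host": host, "rule": name, "event": ev})
                stages[host].add(name)
        if ev["channel"] == "Sysmon" and ev["id"] == 11:   # file created
            target = ev["target"].lower()
            if ntpath.basename(target) == RANSOM_NOTE:
                note_dirs[host].add(ntpath.dirname(target))
            elif target.endswith(RANSOM_EXT):
                nba_files[host] += 1
    for host in sorted(set(note_dirs) | set(nba_files)):
        if len(note_dirs[host]) >= NOTE_DIR_THRESHOLD or nba_files[host] > 0:
            alerts.append({"host": host, "rule": "ransomware_encryption",
                           "event": {"note_dirs": sorted(note_dirs[host]), "nba_files": nba_files[host]}})
            stages[host].add("ransomware_encryption")
    severity = {}
    for host, names in stages.items():
        loader = "dll_sideload_user_dir" in names
        persist = any(n.startswith("persistence_") for n in names)
        impact = bool(names & {"event_log_cleared", "ransomware_encryption"})
        severity[host] = "critical" if (loader and persist and impact) else "high" if impact else "medium"
    return {"alerts": alerts, "severity": severity}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for a in result["alerts"]:
        print(a["host"], a["rule"])
    print(result["severity"])
```

The value of correlating rather than alerting per event is in the ordering the page describes: a sideloaded DLL and a new Run key on the same host are an early, still-containable signal, while a cleared log or a spray of readme.txt files means exfiltration has most likely already happened and the response priority changes from blocking to scoping.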
Ransom and negotiations
The Nitrogen ransom note is like most others. It has an introduction that explains what happened:
Nitrogen ransom note part 1, via Ransom.Live
Nitrogen ransom note part 2, via Ransom.Live
There is much more in the ransom note, but nothing of substance. You can see the whole thing here.
Conclusion
Nitrogen attacks almost always begin with malvertising and a malicious download. The group’s mastery of malvertising, stealth techniques and comprehensive attack capabilities makes it a persistent and growing threat to companies around the world.