Emerging Threat Actor: Nitrogen Ransomware
Date: October 31, 2024
Nitrogen ransomware, which first emerged in mid-2023, was added to our database on September 30th 2024 following a series of rapid ransomware deployments. Within a week, the group had claimed responsibility for 10 attacks.
Nitrogen’s operation is distinct in its use of malvertising, leveraging pay-per-click ads on platforms like Google and Bing to direct victims to compromised websites hosting trojanized software downloads.
These websites mimic legitimate software providers, tricking victims into downloading compromised versions of tools such as AnyDesk and Cisco AnyConnect.
Once the trojanized software is executed, NitrogenStager is installed, establishing a connection to command-and-control (C2) servers, which facilitates the deployment of additional payloads, including ALPHV/BlackCat ransomware.
Nitrogen has also been observed leveraging DLL hijacking, specifically targeting IP Scanner software to load malicious DLLs and execute code, as well as deploying Sliver or Cobalt Strike backdoors to further entrench itself within the victim's network.
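The DLL hijacking stage described above leaves a recognisable trace in image-load telemetry. The following is an added detection sketch (not code from Halcyon or from this write-up) that triages Sysmon Event ID 7 style records; the DLL names, paths and process names are constructed for illustration and are not Nitrogen indicators.

```python
"""Detection sketch for the DLL hijacking / sideloading pattern above.
Input: Sysmon Event ID 7 (ImageLoad) style records, constructed here
for illustration; none of the values are real Nitrogen IoCs."""
import ntpath
from dataclasses import dataclass

# User-writable locations where a trojanized installer and its
# accompanying DLL typically land (assumed list, extend per environment).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL names that should only ever resolve to the Windows system directories
# (assumed watch-list; these are commonly abused search-order names).
SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "dbghelp.dll", "wtsapi32.dll"}


@dataclass
class ImageLoad:
    image: str    # process that performed the load (Sysmon "Image")
    loaded: str   # full path of the loaded DLL (Sysmon "ImageLoaded")
    signed: bool  # Sysmon "Signed" field


def findings(ev: ImageLoad) -> list[str]:
    """Return the reasons an ImageLoad looks like DLL hijacking/sideloading."""
    reasons = []
    dll_dir = ntpath.dirname(ev.loaded).lower() + "\\"
    dll_name = ntpath.basename(ev.loaded).lower()
    proc_dir = ntpath.dirname(ev.image).lower() + "\\"
    # (1) A well-known system DLL name resolved outside System32/SysWOW64:
    # the search-order hijack the write-up attributes to Nitrogen.
    if dll_name in SYSTEM_DLLS and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name loaded from non-system path")
    # (2) Unsigned DLL loaded from the same user-writable directory as the
    # process image (trojanized download dropped beside its payload).
    if (not ev.signed and dll_dir == proc_dir
            and any(p in dll_dir for p in USER_WRITABLE)):
        reasons.append("unsigned DLL loaded from process's own user-writable directory")
    return reasons


def triage(events: list[ImageLoad]) -> list[tuple[str, list[str]]]:
    """Keep only events with at least one finding, paired with their reasons."""
    return [(e.loaded, r) for e in events if (r := findings(e))]


# Constructed sample events (hypothetical paths, not real indicators).
SAMPLE = [
    ImageLoad(r"C:\Users\a\Downloads\ipscanner\ipscanner.exe", r"C:\Users\a\Downloads\ipscanner\version.dll", False),
    ImageLoad(r"C:\Program Files\AnyDesk\AnyDesk.exe", r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Users\a\AppData\Local\Temp\setup.exe", r"C:\Users\a\AppData\Local\Temp\helper.dll", False),
]
```

Running `triage(SAMPLE)` flags the first and third loads; the signed load from System32 produces no finding.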
Recent Attacks:
- Red Barrels, a Canadian gaming company known for its work on the video game Outlast, was breached by Nitrogen in October 2024. The group exfiltrated 1.8 terabytes of data, including game source codes, significantly disrupting Red Barrels' production timeline for its upcoming project The Outlast Trials.
- Spectrum Industries, a manufacturer of furniture solutions, was also compromised by Nitrogen, with 1.1GB of sensitive technical documentation leaked. This incident further illustrates Nitrogen’s capabilities in targeting key industries.
Halcyon.ai eliminates the business impact of ransomware, drastically reduces downtime, prevents data exfiltration, and enables organizations to quickly and easily recover from attacks without paying ransoms or relying on backups – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.