
A new ransomware variant has appeared on various underground forums. The CYFIRMA Research and Advisory team has reported on Nnice Ransomware, which employs advanced encryption techniques and sophisticated methods for evasion and persistence.
CYFIRMA warns that the new ransomware variant, first observed on January 17th, poses ‘significant risks to data security’ and highlights ‘the urgent need for proactive defenses.’
The new ransomware targets Windows systems. The report does not detail how the operators gain initial access. Once inside, however, the ransomware encrypts files, appending the “.xdddd” extension to the original filenames.
According to the report, the malware is capable of boot-level persistence through bootkit implementation alongside rootkit functionality, making it difficult to detect and remove.
The sample had comprehensive attack capabilities such as credential and web session cookie theft, email collection, and security software discovery. It’s capable of evading sandboxes, impairing defenses, elevating privileges, masquerading, injecting processes, side-loading DLLs, and much more.
Once encryption is complete, the ransomware drops a ransom note titled “Readme.txt” containing instructions for file recovery. It also replaces the desktop wallpaper with a message stating that “all your important files have been encrypted” and that a special decryptor is needed to recover them.
The threat actor behind Nnice appears to prefer communicating by email.
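The two post-encryption artifacts the article names, the “.xdddd” extension and a “Readme.txt” note carrying the “all your important files have been encrypted” phrase, are the kind of indicators a responder can sweep a file share for. The script below is an added example, not code from the article or from CYFIRMA; it assumes only those two indicators and treats a directory as suspicious when both appear together, since a stray file with an odd extension or a project README on its own proves nothing. The sample directory tree it scans is constructed inline so the example runs offline.

```python
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Indicators taken from the report summary above; everything else is constructed.
ENCRYPTED_EXT = ".xdddd"                 # extension appended to encrypted files
RANSOM_NOTE_NAME = "readme.txt"          # note filename, matched case-insensitively
NOTE_PHRASE = "all your important files have been encrypted"


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    total_files: int = 0

    @property
    def suspicious(self) -> bool:
        # Require both indicators: renamed files alone, or a README alone, is weak evidence.
        return bool(self.encrypted_files) and bool(self.ransom_notes)


def scan_tree(root: str) -> ScanResult:
    """Walk `root` and collect files matching the Nnice post-encryption indicators."""
    result = ScanResult()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            result.total_files += 1
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(str(path))
            elif lowered == RANSOM_NOTE_NAME:
                # Only a README whose body carries the ransom phrase counts as a note.
                try:
                    text = path.read_text(errors="ignore").lower()
                except OSError:
                    continue
                if NOTE_PHRASE in text:
                    result.ransom_notes.append(str(path))
    return result


def build_sample_tree(root: str) -> None:
    """Constructed sample: two 'encrypted' files, one ransom note, two benign files."""
    base = Path(root)
    (base / "report.docx" + ENCRYPTED_EXT if False else base / ("report.docx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (base / ("photo.jpg" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (base / "Readme.txt").write_text(
        "ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED.\nContact us by email to buy the decryptor.\n"
    )
    (base / "notes.txt").write_text("quarterly planning notes\n")
    project = base / "project"
    project.mkdir()
    # Benign developer README: same name, no ransom phrase, must not be flagged.
    (project / "README.txt").write_text("Build with make. See docs/ for details.\n")


def demo() -> ScanResult:
    """Build the constructed tree in a temp dir, scan it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    r = demo()
    print(f"files scanned: {r.total_files}")
    print(f"encrypted-looking files: {len(r.encrypted_files)}")
    print(f"ransom notes: {len(r.ransom_notes)}")
    print("SUSPICIOUS" if r.suspicious else "no Nnice indicators found")
```

Pointing `scan_tree` at a mounted share or a forensic image gives a quick triage count; a high ratio of `.xdddd` files to total files, together with at least one matching note, is the signal worth escalating, while a single hit of either kind merits a look but not an alert on its own.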
CYFIRMA recommends protecting cloud and local environments with sound security protocols and with properly configured encryption, authentication, and access credentials for critical systems.
“Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises,” the security firm warns.