The Problem
Nitrogen ransomware's ESXi variant has a fatal flaw: a programming error makes encrypted files unrecoverable, even for the attackers. Coveware's analysis found the malware overwrites four bytes of its own public key during encryption, corrupting the key pair. No private key exists that can decrypt files locked this way.
The technical issue: the malware loads an 8-byte QWORD at memory offset rsp+0x1c, overlapping the public key stored at rsp+0x20. Standard Curve25519 encryption requires the public key to derive from the private key. Nitrogen's code breaks this relationship. The result isn't encryption with a misplaced key - it's encryption with a key that never had a matching private key to begin with.
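To make the "key that never had a matching private key" point concrete, here is an added example (not Coveware's analysis code and not Nitrogen's code) that models the failure with a pure-Python X25519 from RFC 7748. The stack layout is a simplified assumption: a 32-byte public key at offset 0x20 and an 8-byte write at 0x1c whose last four bytes land on the first four bytes of the key. The function names, the seeds and the clobber value are constructed for the demonstration.

```python
"""Why a clobbered X25519 public key makes the ciphertext unrecoverable.

Pure-Python X25519 (RFC 7748 Montgomery ladder); no third-party packages.
The stack model (key at 0x20, 8-byte write at 0x1c) is an assumption that
mirrors the four-byte overlap described in the article, not real malware code.
"""
import hashlib

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    # RFC 7748 clamping of the private scalar.
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 0x7F  # the top bit of the u-coordinate is ignored
    return int.from_bytes(b, "little")


def _cswap(swap: int, a: int, b: int) -> tuple:
    return (b, a) if swap else (a, b)


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k*u on Curve25519 (RFC 7748 section 5)."""
    k_int = _decode_scalar(k)
    x_1 = _decode_u(u)
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = (a * a) % P
        b = (x_2 - z_2) % P
        bb = (b * b) % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = (d * a) % P
        cb = (c * b) % P
        x_3 = pow(da + cb, 2, P)
        z_3 = (x_1 * pow(da - cb, 2, P)) % P
        x_2 = (aa * bb) % P
        z_2 = (e * (aa + A24 * e)) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    return ((x_2 * pow(z_2, P - 2, P)) % P).to_bytes(32, "little")


def keypair(seed: bytes) -> tuple:
    """Deterministic key pair from a constructed seed (for reproducibility)."""
    priv = hashlib.sha256(b"priv:" + seed).digest()
    return priv, x25519(priv, BASEPOINT)


def clobber_public_key(pub: bytes, qword: bytes) -> bytes:
    """Model of the overlap: key at stack offset 0x20, 8-byte write at 0x1c.
    Bytes 0x20..0x23 of the key are overwritten by the tail of the QWORD."""
    assert len(pub) == 32 and len(qword) == 8
    stack = bytearray(0x40)
    stack[0x20:0x40] = pub
    stack[0x1C:0x24] = qword            # the buggy 8-byte write
    return bytes(stack[0x20:0x40])      # what the encryptor then treats as the key


def file_key_at_encryption(ephemeral_priv: bytes, recipient_pub: bytes) -> bytes:
    # Encryptor side: ephemeral scalar times the (possibly clobbered) public key.
    return hashlib.sha256(x25519(ephemeral_priv, recipient_pub)).digest()


def file_key_at_decryption(recipient_priv: bytes, ephemeral_pub: bytes) -> bytes:
    # Key-holder side: their private scalar times the stored ephemeral public key.
    return hashlib.sha256(x25519(recipient_priv, ephemeral_pub)).digest()


def recovery_possible(clobber: bool) -> bool:
    """True only if the key holder can rederive the per-file key."""
    holder_priv, holder_pub = keypair(b"key-holder")
    eph_priv, eph_pub = keypair(b"per-file-ephemeral")
    used_pub = clobber_public_key(holder_pub, bytes.fromhex("1122334455667788")) if clobber else holder_pub
    return file_key_at_encryption(eph_priv, used_pub) == file_key_at_decryption(holder_priv, eph_pub)


if __name__ == "__main__":
    print("intact key, recoverable:", recovery_possible(False))    # True
    print("clobbered key, recoverable:", recovery_possible(True))  # False
```

The ladder itself does not fail on the clobbered input; it happily computes a shared secret for a u-coordinate that is not the holder's public key. No scalar in the holder's possession multiplies the ephemeral public key to that same value, which is exactly why no decryptor can exist for files encrypted this way.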
What This Means
For Nitrogen's victims: paying the ransom is pointless. The gang literally cannot provide working decryption tools. For the gang: they've accidentally converted from financially-motivated criminals to destructive actors. For the industry: another example of ransomware groups using leaked code they don't fully understand.
Nitrogen started in 2023 as an initial access operation, selling compromised networks to other groups like Blackcat. By mid-2024, they'd pivoted to their own double-extortion operation using Conti 2's leaked code. The group still manages effective initial access via DLL sideloading and Cobalt Strike, but copied Conti's encryption implementation without proper testing.
Recovery Options
Victims with Volume Shadow Copies enabled have a path forward - Nitrogen's malware doesn't delete them, unlike Conti's original code. Organizations hit by the ESXi variant should focus on backups and shadow copy recovery rather than negotiation. There's no decryption key to buy because no valid decryption key exists.
Barracuda Networks noted Nitrogen's operators show sophistication in network compromise but amateur-level code quality. This latest finding confirms it. The group joins a hall of shame that includes Lorenz, which accidentally leaked its own victim database in 2023.
The coding error affects specifically the ESXi hypervisor variant. Windows versions may use different encryption implementations, though Nitrogen's general reliance on poorly-understood leaked code suggests similar risks across their toolkit.