Nitro22 Ransomware Uses Double Extortion in Ransom Note

Nitro22 is the name of a newly discovered strain of file-encrypting malware. The ransomware is named after the extension it adds to encrypted files.

The Nitro22 ransomware behaves like a typical file encryptor: it encrypts files on the system it is deployed on. The encryption process affects documents, media files, archives and databases. Once encrypted, the files become unreadable and have the ".nitro" extension appended after their original one.

For example, a file formerly called "document.txt" becomes "document.txt.nitro" once it has been encrypted.

The ransomware deposits its ransom demands inside a plain text file with the name "#Decryption#.txt". The desktop wallpaper will also be changed to an image listing the contact emails used by the malware operators.
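A triage sketch built on the two on-disk indicators described above (the appended ".nitro" extension and the "#Decryption#.txt" note), useful for scoping which directories were hit and recovering the pre-encryption file names to match against backups. It is an added example, not code from this article's source or from any vendor tool; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".nitro"      # extension reported in the article
NOTE_NAME = "#Decryption#.txt"   # ransom note file name reported in the article


def triage(root):
    """Walk root and summarise files matching the two on-disk indicators."""
    encrypted, notes, per_dir = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lowered = name.lower()
            if lowered == NOTE_NAME.lower():
                notes.append(full)
            elif lowered.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                # The suffix is appended after the old extension, so stripping
                # it gives the pre-encryption name for matching against backups.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                encrypted.append((full, original))
                per_dir[dirpath] += 1
    return {"encrypted": encrypted, "notes": notes, "per_dir": per_dir}


def build_sample_tree(root):
    """Constructed sample data: empty files that only mimic the naming pattern."""
    layout = {
        "docs": ["document.txt.nitro", "report.docx.nitro", NOTE_NAME],
        "media": ["photo.jpg.nitro", "untouched.png"],
        "tools": ["nitro.cfg", ".nitro"],  # look-alikes that must not match
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            open(os.path.join(root, sub, name), "w").close()


def demo():
    """Run the triage over the constructed tree and return a compact summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        result = triage(root)
        originals = sorted(orig for _path, orig in result["encrypted"])
        return originals, len(result["notes"]), sorted(result["per_dir"].values())


if __name__ == "__main__":
    print(demo())
```

A match on the extension alone is weak evidence, since other software may use ".nitro"; the note file appearing alongside renamed files in the same tree is the stronger signal.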

The full ransom note threatens to sell stolen sensitive information if the victim does not contact the ransomware operators within 48 hours. The ransom note in full goes as follows:

Hello!

Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted

If you want to restore them, write

SKYPE: 

Nitro22 

E-MAIL :

nitro22 at onionmail dot org 

nitro22 at msgsafe dot io

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

We are always ready to cooperate and find the best way to solve your problem.

The faster you write, the more favorable the conditions will be for you.

Our company values its reputation.  We give all guarantees of your files decryption

IF WE DONT SEE MESSAGES FROM YOU IN 48 HOURS - WE WILL SELL YOUR DATABASES AND IMPORTANT INFORMATION TO YOUR COMPETITORS,AFTER YOU WILL SEE IT AT OPEN SOURCE AND DARKNET

Start messaging with an incident ID and 2-3 test files up to 1mb 

your unique ID

[alphanumeric string]

July 28, 2022