Nominatus Ransomware

The Nominatus ransomware is a new strain of file-encrypting malware that has been spotted by security researchers. The ransomware does not belong to any specific larger ransomware family.

Nominatus also does one thing very differently from the vast majority of other ransomware strains. Once it encrypts a file, Nominatus does not change the file's name in any observable way: no new extension is added and the original extension is not changed. If a victim of Nominatus had a file called "picnic.jpg", the file will still appear as "picnic.jpg" after the ransomware encrypts it, and the victim will only realize it has been encrypted if they try to open it.

This is a strange quirk of Nominatus, as virtually all other ransomware types change or append extensions. Another thing that sets Nominatus apart from other ransomware strains is its very short ransom note. The note is dropped in a file called "NominatusRansomware2Message.txt".

The full text of the note is as follows:

Files has been encrypted with Nominatus Ransomware 2 Contact Creator of this ransomware on discord Nominatus#1297 on discord or contact his email Bkhtyaryrwzbh at gmail dot com for more Information

It is strange that the ransomware author did not set up an email account with a heavily encrypted service that would help cover his tracks better. Directly giving the handle of an active Discord account for contact is also very unusual, as Discord accounts can be tracked down by law enforcement relatively easily if criminal activity is detected.

The ransomware appears half-baked and still in development. The ransom note makes no specific ransom demands and never mentions the amount of money the hacker expects to receive from victims. Obviously, contacting the threat actor behind the ransomware or negotiating and paying the ransom is not a great idea.
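Because Nominatus leaves file names and extensions unchanged, a sweep for renamed files finds nothing, so triage has to look at file content instead. The following is an added example, not part of the original article: it looks for the note file name given above and flags files whose header no longer matches their extension and whose content is high-entropy. The signature table, the entropy threshold and the premise that encryption overwrites the file header are assumptions of this example.

```python
import math
import os
import tempfile
from collections import Counter

NOTE_NAME = "NominatusRansomware2Message.txt"  # note file name given in the article
MAGIC = {  # well-known leading bytes for a few formats; not exhaustive
    ".jpg": (b"\xff\xd8\xff",), ".png": (b"\x89PNG\r\n\x1a\n",), ".pdf": (b"%PDF-",),
    ".gif": (b"GIF87a", b"GIF89a"), ".zip": (b"PK\x03\x04",), ".docx": (b"PK\x03\x04",),
}
ENTROPY_THRESHOLD = 7.5  # assumed cut-off in bits per byte; tune per environment

def entropy(data):
    """Shannon entropy of a byte string in bits per byte (0 to 8)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan(root, sample=65536):
    """Return (ransom note paths, suspect file paths), relative to root."""
    notes, suspects = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME.lower():
                notes.append(os.path.relpath(path, root))
                continue
            sigs = MAGIC.get(os.path.splitext(name)[1].lower())
            if sigs is None:
                continue  # no signature known for this extension
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            # Right extension, wrong header, near-random content: likely encrypted.
            if not head.startswith(sigs) and entropy(head) >= ENTROPY_THRESHOLD:
                suspects.append(os.path.relpath(path, root))
    return sorted(notes), sorted(suspects)

def demo():
    """Scan a constructed sample tree (no real malware involved)."""
    samples = {"ok.jpg": b"\xff\xd8\xff\xe0" + bytes(4096),  # intact JPEG header
               "picnic.jpg": bytes(range(256)) * 32,  # high-entropy stand-in for ciphertext
               NOTE_NAME: b"constructed placeholder"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan(d)
```

Compressed or already-encrypted files that were merely given the wrong extension will also be flagged, so treat the suspect list as a starting point for review alongside the presence of the note file.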

May 13, 2022