
Nitrogen ransomware is so broken even the crooks can't unlock your files

(2026/02/04)


Cybersecurity experts usually advise victims against paying ransomware crooks, but that advice goes double for those who have been targeted by the Nitrogen group. There's no way to get your data back from them!

According to Coveware, which peered under the hood of Nitrogen's ransomware program, a programming error prevents the gang's decryptor from recovering victims' files, so paying up is futile.

The finding specifically concerns the group's malware that targets [1]VMware ESXi. Coveware said that the program encrypts files with the wrong public key, making it impossible for the criminals to decrypt them, even if the victim pays for a decryption tool.


Nitrogen's malware makes the error of loading a new variable, a QWORD, into memory so that it overlaps with the public key.


Because the malware loads the public key at offset rsp+0x20 and the 8-byte QWORD at rsp+0x1c, the QWORD write spans rsp+0x1c through rsp+0x23 and so overwrites the first four bytes of the public key (rsp+0x20 through rsp+0x23), meaning that an attacker-supplied decryptor would fail.

"Normally, when a public-private Curve25519 keypair is generated, the private key is generated first, and then the public key is derived subsequently based on the private key," Coveware [5]said.


"The resulting corrupted public key wasn't generated based on a private key, it was generated by mistakenly overwriting a few bytes of another public key. The final outcome is that no one actually knows the private key that goes with the corrupted public key."
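To make the stack-layout overlap described above concrete, here is an added model (not Coveware's analysis code or anything from the malware) of a frame with a 32-byte Curve25519 public key at rsp+0x20 and an 8-byte QWORD stored at rsp+0x1c; the key bytes and the QWORD value are constructed sample data, and the store is modelled as a little-endian x86-64 write.

```python
import struct

# Constructed model of the frame described in the article: the public key
# lives at rsp+0x20 and the 8-byte QWORD is written to rsp+0x1c.
KEY_OFF, KEY_LEN = 0x20, 32      # Curve25519 public keys are 32 bytes
QWORD_OFF, QWORD_LEN = 0x1c, 8

def overlapping_bytes(a_off, a_len, b_off, b_len):
    """Return the [start, end) frame offsets shared by two slots, or None."""
    start = max(a_off, b_off)
    end = min(a_off + a_len, b_off + b_len)
    return (start, end) if start < end else None

def simulate_clobber(pubkey, qword, frame_size=0x60):
    """Place pubkey at KEY_OFF, then store qword at QWORD_OFF the way the
    x86-64 code would (little-endian). Return the key the encryptor then
    actually reads back from KEY_OFF."""
    if len(pubkey) != KEY_LEN:
        raise ValueError("expected a 32-byte public key")
    frame = bytearray(frame_size)
    frame[KEY_OFF:KEY_OFF + KEY_LEN] = pubkey
    struct.pack_into("<Q", frame, QWORD_OFF, qword)
    return bytes(frame[KEY_OFF:KEY_OFF + KEY_LEN])

def clobbered_positions(pubkey, qword):
    """Indices of key bytes that differ from what was originally stored."""
    seen = simulate_clobber(pubkey, qword)
    return [i for i, (a, b) in enumerate(zip(pubkey, seen)) if a != b]

if __name__ == "__main__":
    key = bytes(range(0x41, 0x41 + KEY_LEN))   # constructed sample key
    val = 0x1122334455667788                   # constructed sample QWORD
    print(overlapping_bytes(QWORD_OFF, QWORD_LEN, KEY_OFF, KEY_LEN))
    print(simulate_clobber(key, val)[:8].hex())
    print(clobbered_positions(key, val))
```

The overlap is exactly the four high-order bytes of the QWORD landing on key bytes 0 through 3; the rest of the key is untouched, so the encryptor ends up with a value that was never derived from any private key.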

Nitrogen has been around since 2023. According to Coveware, it began as one of the various offshoots that borrowed code from the [10]leaked Conti 2 builder.


Barracuda Networks previously [12]reported that it evolved into a ransomware group slowly over time. It first developed malware that facilitated initial access for others, although its operators did not work as initial access brokers themselves; it began extorting organizations in its own right in or around September 2024.

While it is not one of the most prolific groups in operation, it is also not to be underestimated.

Even though this latest finding will go down alongside other epic [13]own goals by ransomware gangs, it's hard to see the funny side of this one.


The coding error takes this financially motivated ransomware gang into the realm of pure destruction, where both parties walk away losers. ®




[1] https://www.theregister.com/2025/12/09/hypervisor_ransomware_attacks_increasing/

[5] https://www.coveware.com/blog/2026/2/2/nitrogen-ransomware-esxi-malware-has-a-bug

[6] https://www.theregister.com/2026/02/03/greynoise_cisa_ransomware_gripe/

[7] https://www.theregister.com/2026/01/28/fbi_seizes_ramp_forum/

[8] https://www.theregister.com/2026/01/21/under_armour_everest/

[9] https://www.theregister.com/2026/01/19/iab_sentencing/

[10] https://www.theregister.com/2022/03/11/conti_leaks_code/

[12] https://blog.barracuda.com/2025/11/07/nitrogen-ransomware--from-staged-loader-to-full-scale-extortion

[13] https://www.theregister.com/2023/10/05/lorenz_ransomware_group_leaks_details/



Criminalize paying ransom

VicMortimer

It should be a crime to pay ransom anyway.

The ONLY way ransomware is going to stop is if a few CEOs go to jail for paying.

Re: Criminalize paying ransom

elsergiovolador

Reminds me of one outfit where security would do things like drop a thumb drive in the office that would lock an employee's device if plugged in, with a notice that they had been fired.

Seems like nobody is doing these things any more.

I doubt that will worry them.

BartyFartsLast

All they care about is getting the ransom; why would they give a toss if you get your data back or not?

Re: I doubt that will worry them.

Chloe Cresswell

Because if you know, say, due to this article, that you still won't get your files, why pay?

Quality control?

Eclectic Man

According to a retired bomb disposal officer, the IRA had a pretty good build standard for their 'official' explosive devices. Now admittedly the IRA bombing campaign on the UK mainland was mostly to scare rather than kill people, so they wanted the UK authorities to know that their bombs would cause damage if they were not defused in time, but also that they could be defused in time if their warnings were heeded. They also did not want to blow up their own people.

Criminals using ransomware to obtain funds really do need to check the quality of their code and to test it properly first. I'm not expecting ISO certified quality here, just common sense*.

*If you are expecting any from this poster, you are going to be seriously disappointed.

Regulation

zuul

It's clearly high time this industry was properly regulated. It's like the wild west out there!

I am NOT a nut....