[ Nitro ransomware ]
[Virus/Malware Activity Report: Nitro Ransomware]
Following a breach believed to involve Nitro ransomware,
we are confirming the situation and issuing the following warning.
Nitro ransomware
The ransomware in question is called Nitro and appears to rename all affected files to the form filename.extension.givemenitro.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in window properties]
Ransomware operation characteristics
It is a C# .NET-based ransomware that prevents duplicate execution by checking process names. Before proceeding with encryption, it copies its executable file to the Temp location and registers the copy as a startup program, so that it runs again when Windows starts if encryption has not been completed. User information is sent to the server through a webhook; it combines the UserName, ComputerName, and IP of the Windows PC with a UUID obtained using wmic. Attack targets are limited to the Desktop, My Documents, and My Photos folders.
[Figure 3 Register the copied ransomware executable file in the startup program before encryption]
[Figure 4 Multiple commands through cmd]
Infection results
The information file is automatically output after encryption is completed, and each encrypted file is renamed to <file name.extension.givemenitro>.
[Figure 5 Infection results]
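The behaviors described under "Ransomware operation characteristics" and "Infection results" can be turned into a per-host triage check. The following is an added example, not code from the original report or from White Defender: the event schema, host names, paths, folder names, and the exact wmic command line are assumptions constructed for illustration; only the .givemenitro suffix, the Temp-based startup registration, and the use of wmic for a UUID come from the report.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

EXT = ".givemenitro"                              # suffix named in the report
USER_DIRS = ("desktop", "documents", "pictures")  # assumed on-disk names of the targeted folders

# Constructed sample telemetry (hypothetical schema: host, kind, kind-specific fields).
EVENTS = [
    {"host": "PC-01", "kind": "autorun_set", "target": r"C:\Users\kim\AppData\Local\Temp\updater.exe"},
    {"host": "PC-01", "kind": "process", "cmdline": "cmd.exe /c wmic csproduct get uuid"},
    {"host": "PC-01", "kind": "rename", "old": r"C:\Users\kim\Desktop\plan.docx",
     "new": r"C:\Users\kim\Desktop\plan.docx.givemenitro"},
    {"host": "PC-02", "kind": "process", "cmdline": "wmic csproduct get uuid"},  # benign on its own
    {"host": "PC-02", "kind": "autorun_set", "target": r"C:\Program Files\Vendor\agent.exe"},
]

def indicators(ev):
    """Return the set of report-derived indicators matched by one event."""
    hits = set()
    if ev["kind"] == "rename":
        old, new = PureWindowsPath(ev["old"]), PureWindowsPath(ev["new"])
        # Original name and extension are kept; the suffix is appended.
        appended = new.name.lower() == old.name.lower() + EXT
        in_scope = any(p.lower() in USER_DIRS for p in new.parts)
        if appended and in_scope:
            hits.add("rename_givemenitro")
    elif ev["kind"] == "autorun_set":
        # Startup entry pointing at an executable under a Temp directory.
        if "temp" in (p.lower() for p in PureWindowsPath(ev["target"]).parts):
            hits.add("autorun_from_temp")
    elif ev["kind"] == "process":
        # Assumed command form; the report only says a UUID is read via wmic.
        if re.search(r"\bwmic(\.exe)?\b.*\buuid\b", ev["cmdline"], re.I):
            hits.add("wmic_uuid_query")
    return hits

def triage(events):
    """Flag hosts showing the rename, or at least two weaker indicators together."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= indicators(ev)
    return {h: sorted(i) for h, i in per_host.items()
            if "rename_givemenitro" in i or len(i) >= 2}

if __name__ == "__main__":
    print(triage(EVENTS))
```

A lone wmic UUID query is common in inventory scripts, which is why the check only flags it when it coincides with a Temp-based startup entry or the rename pattern.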
White Defender compatible
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the block takes effect.
[Figure 6 Block message]