Nitrogen
Nitrogen is a ransomware group active since 2023. It began as a malware loader used to deliver BlackCat/ALPHV ransomware and, by mid-2024, had evolved into an independent ransomware operator running double-extortion attacks. Its ransomware is described as derived from leaked Conti 2 builder code, with suspected links to the ALPHV/BlackCat ecosystem. Reporting ties Nitrogen primarily to Eastern European infrastructure and separately links it to Russian nationals, including a claim that the operation is run by a Russian national.
The group has targeted manufacturing, construction, and technology organizations; victim-sector data also lists business services, consumer services, and hospitality/tourism. Victims are concentrated in the United States, followed by Canada, with additional victims in Portugal, Taiwan, and France. Named victims include Foxconn, ENENSYS Technologies, PCCA, Coweta County School System, SRP Federal Credit Union, and Red Barrels.
Nitrogen prioritizes data theft and extortion pressure: most reporting describes double extortion, and some describes extortion-focused intrusions in which encryption is absent or secondary. Reported initial-access vectors are compromised VPNs, remote desktop access, and phishing aimed at IT administrators. Post-compromise tradecraft includes PowerShell, scheduled tasks, LSASS memory credential dumping, lateral movement over RDP and SMB/Windows admin shares, automated collection, automated exfiltration, and exfiltration over C2 channels. The group has also impersonated real companies to buy legitimate licenses for EDR and other security products through resellers that perform little vetting of the buyer, so reseller vetting is part of a vendor's control surface, not just its sales process.
Nitrogen is most frequently associated with attacks on Foxconn's North American operations. The group claimed to have stolen about 8 TB of data and more than 11 million files and posted the company on its leak site. The allegedly stolen material was described as including confidential instructions, project documentation, drawings, schematics, and related files tied to major technology companies including Apple, Intel, Google, Nvidia, Dell, and AMD.
A notable characteristic is that Nitrogen's VMware ESXi ransomware contains a coding flaw that corrupts the encryption public key, so encrypted data cannot be decrypted even by the attackers. Multiple reports state that victims may be unable to recover encrypted data even after paying. For incident responders this matters: on affected ESXi hosts a payment cannot be expected to restore the virtual machines, so recovery has to come from offline or immutable backups, and any negotiation decision should weigh the data-leak threat rather than the prospect of a decryptor. Reported ransom note filenames are READ_ME_.TXT and readme.txt. No additional aliases or sub-groups are supported by current reporting.
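The tradecraft above (LSASS credential dumping, scheduled tasks launching PowerShell, RDP and admin-share lateral movement, and the READ_ME_.TXT / readme.txt note drop) maps directly onto Windows Security and Sysmon telemetry. The following Python is an added example, not code from Mallory or from any cited report: it tags constructed event lines with the corresponding ATT&CK technique IDs and reports only hosts where at least two distinct techniques co-occur. The event field names, the LSASS allow-list, the access-mask set, and the two-technique threshold are assumptions to adjust to your own telemetry.

```python
"""Toy correlation of Windows Security and Sysmon events against the Nitrogen
tradecraft described above. Field names follow the usual Security/Sysmon
XML-to-JSON conventions; the sample lines are constructed for this example and
every threshold below is an assumption to tune per estate."""
import json
import re
from collections import defaultdict

# Processes that legitimately open LSASS; extend for your EDR/AV (assumption).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
# Access masks commonly requested by credential dumpers (assumption; community
# Sigma rules use a similar set).
DUMP_MASKS = {"0x1010", "0x1410", "0x1438", "0x1fffff"}
# Note names reported for Nitrogen. readme.txt is also a common benign file,
# which is why a single hit is not reported on its own (see correlate()).
RANSOM_NOTES = {"read_me_.txt", "readme.txt"}
# ADMIN$ or a single-letter drive share such as C$, but not IPC$.
ADMIN_SHARE_RE = re.compile(r"\\(ADMIN|[A-Z])\$$", re.IGNORECASE)

# Constructed sample events (one JSON object per line), not real telemetry.
SAMPLE_EVENTS = r"""
{"host": "WS01", "source": "Sysmon", "EventID": 10, "SourceImage": "C:\\Windows\\Temp\\svc.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"host": "WS01", "source": "Security", "EventID": 4698, "TaskName": "\\Updater", "Command": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"host": "FS01", "source": "Security", "EventID": 5140, "ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.0.0.5"}
{"host": "FS01", "source": "Security", "EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.5"}
{"host": "FS01", "source": "Sysmon", "EventID": 11, "TargetFilename": "D:\\Shares\\Finance\\READ_ME_.TXT"}
{"host": "DC01", "source": "Sysmon", "EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"}
{"host": "WS02", "source": "Sysmon", "EventID": 11, "TargetFilename": "C:\\Users\\bob\\project\\readme.txt"}
"""


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def tag_event(ev):
    """Return the set of ATT&CK technique IDs a single event evidences."""
    tags = set()
    src, eid = ev.get("source"), ev.get("EventID")
    if src == "Sysmon" and eid == 10:  # ProcessAccess
        target = ev.get("TargetImage", "").lower()
        opener = basename(ev.get("SourceImage", "")).lower()
        mask = ev.get("GrantedAccess", "").lower()
        if target.endswith("\\lsass.exe") and opener not in LSASS_ALLOWLIST and mask in DUMP_MASKS:
            tags.add("T1003.001")  # OS Credential Dumping: LSASS Memory
    elif src == "Security" and eid == 4698:  # scheduled task created
        tags.add("T1053.005")  # Scheduled Task
        if "powershell" in ev.get("Command", "").lower():
            tags.add("T1059.001")  # PowerShell
    elif src == "Security" and eid == 5140:  # network share accessed
        if ADMIN_SHARE_RE.search(ev.get("ShareName", "")):
            tags.add("T1021.002")  # SMB/Windows Admin Shares
    elif src == "Security" and eid == 4624 and ev.get("LogonType") == 10:
        tags.add("T1021.001")  # Remote Desktop Protocol
    elif src == "Sysmon" and eid == 11:  # file created
        if basename(ev.get("TargetFilename", "")).lower() in RANSOM_NOTES:
            tags.add("T1486")  # Data Encrypted for Impact (note drop)
    return tags


def correlate(lines, min_techniques=2):
    """Group technique hits by host and return hosts with at least
    min_techniques distinct techniques, each as a sorted list of IDs."""
    per_host = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        per_host[ev["host"]] |= tag_event(ev)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    for host, techniques in correlate(SAMPLE_EVENTS.splitlines()).items():
        print(f"{host}: {', '.join(techniques)}")
```

Running it reports WS01 (LSASS access plus a PowerShell scheduled task) and FS01 (admin-share access, an RDP logon, and a READ_ME_.TXT drop), while DC01 (an allow-listed csrss.exe touching LSASS) and WS02 (a lone readme.txt in a project folder) stay quiet. In production, bound the correlation with a time window and pivot on the source address (the FS01 events share 10.0.0.5) instead of collapsing over an unbounded set.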
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Capital Goods
- Commercial & Professional Services
- Software & Services
- Consumer Services
- Health Care Equipment & Services
- Materials
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇨🇦 Canada
- 🇵🇹 Portugal
- 🇹🇼 Taiwan
- 🇫🇷 France
Tradecraft
29 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Observables
6 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
- Conducting ransomware intrusions and data theft against manufacturing targets, including Foxconn, and publicly claiming large-scale exfiltration of sensitive technical records.
- Conducting extortion-focused intrusions involving large-scale theft of internal files, technical drawings, project documentation, and confidential manufacturing information, with encryption absent or secondary.
- Conducting a ransomware and data exfiltration attack against Foxconn's North American facilities, claiming theft of large volumes of sensitive corporate and client data.
- Ransomware operations targeting manufacturing, construction, and technology organizations; in this case, claiming responsibility for the Foxconn attack and using data theft plus encryption for extortion.