Incident responders at Coveware reported a critical implementation flaw in the Nitrogen ransomware variant targeting VMware ESXi: the malware encrypts victim files using a corrupted Curve25519 public key, meaning the corresponding private key does not exist and even the threat actor cannot decrypt affected data. As a result, victims without viable backups are unlikely to recover encrypted ESXi systems, and paying a ransom will not yield a working decryptor.
Technical analysis attributes the failure to a stack-variable overlap in the ESXi encryptor: the public key is placed at rsp+0x20, but a subsequent QWORD write at rsp+0x1c overwrites the first four bytes of that key, breaking the public/private key relationship required to derive the shared secret used for file encryption (Curve25519 key exchange feeding a ChaCha8 key). Reporting also notes Nitrogen has operated since 2023 and is assessed to be derived from the leaked Conti 2 builder code, consistent with multiple Conti-based ransomware offshoots.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Veeam published a technical analysis of the Nitrogen ESXi ransomware flaw, describing it as consistent with a common off-by-one programming error. The write-up reinforced that the key corruption makes practical decryption infeasible and leaves backup restoration as the main recovery option.
Coveware published analysis showing Nitrogen's ESXi encryptor contains a critical implementation flaw that corrupts the Curve25519 public key during encryption. The bug means affected ESXi files cannot be decrypted even by the attackers, making ransom payment ineffective for those victims.
Coveware assessed that Nitrogen transitioned into active ransomware extortion around September 2024. This marked its evolution from earlier malware and access-related activity into a full extortion operation.
Nitrogen began operating in 2023 as a ransomware threat actor. Reporting describes it as an offshoot with code lineage tied to the leaked Conti 2 builder.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
tomshardware.com
Open sourcedatabreaches.net
Open sourcescworld.com
Open sourcego.theregister.com
Open sourcecoveware.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.