SRP Federal Credit Union, a financial institution based in South Carolina, fell victim to a Nitrogen ransomware attack on December 5, 2024, impacting over 195,000 customers. The attack involved file encryption (encrypted files are given a `.NBA` extension) and data exfiltration, with the threat actors demanding a ransom under the threat of publishing the stolen data. The ransomware employed anti-analysis techniques (debugger and virtual-machine detection, code obfuscation) and loaded the legitimate but vulnerable RogueKiller AntiRootkit driver *truesight.sys* (a Bring Your Own Vulnerable Driver, or BYOVD, attack) to gain kernel-level access, evade EDR systems and terminate security processes. System recovery was sabotaged by running bcdedit.exe to disable Windows Safe Boot. The operation relied on double extortion, combining encryption with data theft, and used malicious advertisements and fake software downloads as its initial infection vectors. The incident disrupted financial operations, exposed sensitive customer data, and posed severe reputational and operational risks to the credit union.
Source: https://cybersecuritynews.com/nitrogen-ransomware-disable-av-edr-tools/
TPRM report: https://www.rankiteo.com/company/srp-federal-credit-union
"id": "srp4975749120125",
"linkid": "srp-federal-credit-union",
"type": "Ransomware",
"date": "12/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '195,000',
'industry': 'financial services',
'location': 'South Carolina, United States',
'name': 'SRP Federal Credit Union',
'type': 'credit union'}],
'attack_vector': ['malicious advertisements (malvertising)',
'fake software downloads',
'BYOVD (Bring Your Own Vulnerable Driver)',
"exploitation of 'truesight.sys' driver"],
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': True},
'date_detected': '2023-07-01',
'date_publicly_disclosed': '2024-09-01',
'description': 'A financially motivated ransomware campaign, Nitrogen '
'Ransomware, targeted SRP Federal Credit Union in South '
'Carolina on December 5, 2024, affecting over 195,000 '
'customers. The attack involved file encryption, data '
'exfiltration, and the use of a Bring Your Own Vulnerable '
'Driver (BYOVD) technique to bypass security defenses. The '
'ransomware employed anti-analysis methods, including debugger '
'and VM detection, and leveraged the legitimate but vulnerable '
"driver 'truesight.sys' from RogueKiller AntiRootkit to "
'terminate security processes. A ransom note named '
"'readme.txt' was dropped, demanding payment via qTox "
'messaging service and threatening data publication if unmet. '
'The attack vector included malicious advertisements '
'redirecting victims to fraudulent websites offering fake '
'software downloads.',
'impact': {'brand_reputation_impact': True,
'data_compromised': True,
'downtime': True,
'identity_theft_risk': True,
'operational_impact': True,
'payment_information_risk': True,
'systems_affected': True},
'initial_access_broker': {'entry_point': ['malicious advertisements '
'(malvertising)',
'fake software downloads'],
'high_value_targets': ['financial sector',
'construction',
'manufacturing',
'technology']},
'investigation_status': 'ongoing (as of latest report)',
'lessons_learned': 'Emerging ransomware strains like Nitrogen leverage '
'sophisticated techniques such as BYOVD attacks, '
'anti-analysis evasion, and double extortion tactics. '
'Proactive threat intelligence, robust endpoint '
'protection, and employee training are critical to '
'mitigating such threats. Monitoring for abuse of '
'legitimate tools (e.g., PowerShell, WMI, vulnerable '
'drivers) is essential for early detection.',
'motivation': 'financial gain',
'post_incident_analysis': {'corrective_actions': ['Patch or block vulnerable '
'drivers listed in '
'LOLDrivers',
'Enhance web filtering to '
'block malicious '
'advertisements',
'Implement stricter '
'controls on software '
'downloads',
'Deploy behavioral-based '
'detection for ransomware '
'activities',
'Improve logging and '
'monitoring for '
'kernel-level exploits'],
'root_causes': ['Exploitation of vulnerable driver '
"('truesight.sys') via BYOVD "
'technique',
'Lack of detection for malicious '
'advertisements and fake software '
'downloads',
'Insufficient monitoring of '
'PowerShell/WMI abuse',
'Potential gaps in endpoint '
'detection and response (EDR) '
'systems']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': 'Nitrogen Ransomware'},
'recommendations': ['Implement comprehensive endpoint protection solutions',
'Maintain offline backups to ensure data recovery',
'Keep systems and software updated with the latest '
'patches',
'Deploy multi-factor authentication (MFA) across all '
'critical systems',
'Provide regular security awareness training to employees',
'Monitor for suspicious use of PowerShell, WMI, and '
'legitimate drivers',
'Segment networks to limit lateral movement',
'Use adaptive behavioral WAFs and on-demand scrubbing '
'services where applicable',
'Conduct regular threat intelligence gathering to stay '
'ahead of emerging threats'],
'references': [{'source': 'ANY.RUN Malware Analysis Report'},
{'source': 'SonicWall Capture Labs Threat Research'},
{'source': 'LOLDrivers Collection (Vulnerable Driver '
'Documentation)'}],
'response': {'enhanced_monitoring': ['suspicious use of PowerShell',
'WMI',
'attempts to exploit legitimate drivers'],
'remediation_measures': ['comprehensive endpoint protection '
'solutions',
'offline backups',
'system updates',
'multi-factor authentication (MFA)',
'security awareness training']},
'threat_actor': ['Nitrogen Ransomware operators',
'potential links to Volcano Demon group (associated with '
'LukaLocker)'],
'title': 'Nitrogen Ransomware Attack on SRP Federal Credit Union',
'type': ['ransomware', 'data breach', 'double extortion'],
'vulnerability_exploited': ['LOLDrivers (Living Off The Land Drivers) - '
"'truesight.sys' from RogueKiller AntiRootkit",
'kernel-level access via vulnerable driver']}
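As an added example (not code from the original page, from the cited reports, or from Rankiteo), the Python script below shows the kind of behavioral detection that the summary above and the record's corrective actions and enhanced-monitoring entries call for. It runs over constructed Sysmon-style events (JSON lines, not a real capture) and flags three of the behaviors described: a driver load matching a LOLDrivers-style blocklist by name or by hash (so that renaming *truesight.sys* does not evade the check), bcdedit.exe invocations that tamper with Safe Boot or Windows recovery, and one process creating many files with the `.NBA` extension. The blocklist SHA-256 value, the sample paths and the process IDs are placeholders; in production the hashes would come from the LOLDrivers feed and the events from your SIEM.

```python
import json
import re
from collections import defaultdict

# Hypothetical blocklist. In practice populate it from the LOLDrivers feed
# (https://www.loldrivers.io) or your EDR's vulnerable-driver list. The SHA-256
# below is a PLACEHOLDER, not the real hash of truesight.sys.
BLOCKED_DRIVER_NAMES = {"truesight.sys"}
BLOCKED_DRIVER_HASHES = {"0" * 64}  # placeholder; hash matching survives a renamed driver

# bcdedit.exe arguments that tamper with Safe Boot or automatic recovery.
BCDEDIT_SABOTAGE = re.compile(
    r"(safeboot|recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    re.IGNORECASE,
)

RANSOM_EXTENSION = ".nba"   # extension Nitrogen appends to encrypted files
RENAME_THRESHOLD = 5        # ransom-extension files per process before alerting

# Constructed Sysmon-style events, not a real capture. Event 6 = driver load,
# event 1 = process create, event 11 = file create. Paths and PIDs are made up.
SAMPLE_LOG = r"""
{"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\truesight.sys", "Hashes": "SHA256=ab12"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\renamed.sys", "Hashes": "MD5=11,SHA256=0000000000000000000000000000000000000000000000000000000000000000"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /deletevalue {default} safeboot", "ProcessId": 4120}
{"EventID": 1, "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no", "ProcessId": 4120}
{"EventID": 1, "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /enum", "ProcessId": 5001}
{"EventID": 11, "TargetFilename": "C:\\Users\\jdoe\\Documents\\q3-report.xlsx.NBA", "ProcessId": 4120}
{"EventID": 11, "TargetFilename": "C:\\Users\\jdoe\\Documents\\loans.csv.NBA", "ProcessId": 4120}
{"EventID": 11, "TargetFilename": "C:\\Users\\jdoe\\Documents\\members.db.NBA", "ProcessId": 4120}
{"EventID": 11, "TargetFilename": "C:\\Users\\jdoe\\Pictures\\scan.png.NBA", "ProcessId": 4120}
{"EventID": 11, "TargetFilename": "C:\\Users\\jdoe\\Desktop\\readme.txt", "ProcessId": 4120}
{"EventID": 11, "TargetFilename": "C:\\Users\\jdoe\\Desktop\\notes.docx.NBA", "ProcessId": 4120}
{"EventID": 11, "TargetFilename": "C:\\Temp\\one-off.NBA", "ProcessId": 999}
this line is malformed and must be skipped rather than crash the detector
"""


def parse_events(lines):
    """Parse newline-delimited JSON events; skip blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def sha256_from_hashes(field):
    """Extract the SHA-256 from a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    for part in field.split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].strip().lower()
    return ""


def detect(events):
    """Return a list of (rule_name, detail) findings for the given events."""
    findings = []
    ransom_files_per_pid = defaultdict(int)
    for ev in events:
        eid = ev.get("EventID")
        if eid == 6:  # driver loaded: check name and hash against the blocklist
            name = ev.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
            digest = sha256_from_hashes(ev.get("Hashes", ""))
            if name in BLOCKED_DRIVER_NAMES or digest in BLOCKED_DRIVER_HASHES:
                findings.append(("byovd_driver_load", ev.get("ImageLoaded")))
        elif eid == 1:  # process created: look for recovery sabotage via bcdedit
            image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
            cmd = ev.get("CommandLine", "")
            if image == "bcdedit.exe" and BCDEDIT_SABOTAGE.search(cmd):
                findings.append(("recovery_sabotage", cmd))
        elif eid == 11:  # file created: count ransom-extension files per process
            if ev.get("TargetFilename", "").lower().endswith(RANSOM_EXTENSION):
                ransom_files_per_pid[ev.get("ProcessId")] += 1
    for pid, count in ransom_files_per_pid.items():
        if count >= RENAME_THRESHOLD:
            findings.append(("mass_rename_ransom_ext", f"pid={pid} count={count}"))
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"[{rule}] {detail}")
```

The benign `bcdedit /enum` and the single `.NBA` file from another process produce no finding, which is the point of anchoring the rules to specific arguments and to a per-process threshold rather than to the mere presence of bcdedit.exe or of one odd file name. Hash matching is what makes the driver rule useful: a Sysmon event 6 (or the equivalent EDR telemetry) carries the hash even when the attacker drops the driver under a different name.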