Insights, news, education and announcements from PolySwarm

Nitrogen Ransomware Targets Financial Vertical

Written by The Hivemind | May 27, 2025 4:16:27 PM

Verticals Targeted: Finance, Construction, Manufacturing, Technology
Regions Targeted: US, UK, Canada
Related Families: Cobalt Strike, Meterpreter

Executive Summary

Nitrogen ransomware, first identified in September 2024, poses a significant threat to organizations, particularly in the financial sector, across the United States, United Kingdom, and Canada. Its sophisticated attack chain, leveraging malvertising and advanced persistence mechanisms, underscores the need for robust threat intelligence and proactive defenses. 

Key Takeaways

  • Nitrogen ransomware targets finance, construction, manufacturing, and technology sectors in the US, UK, and Canada, with notable attacks on SRP Federal Credit Union and Red Barrels.
  • The ransomware employs malvertising campaigns on search engines like Google and Bing to initiate infections, followed by Cobalt Strike and Meterpreter for network persistence.
  • Nitrogen modifies registry keys in the Windows Registry and schedules tasks to maintain system access, even after reboots, enhancing its destructive potential.
  • PolySwarm analysts consider Nitrogen to be an emerging threat. 

What is Nitrogen?

Nitrogen ransomware, first observed in September 2024, has emerged as a formidable threat, particularly targeting the financial sector, with additional focus on construction, manufacturing, and technology industries across the United States, United Kingdom, and Canada. Its rapid rise in prominence stems from a sophisticated attack chain that begins with malvertising campaigns on popular search engines such as Google and Bing. These campaigns deliver initial payloads, enabling attackers to deploy tools like Cobalt Strike and Meterpreter shells, which facilitate persistence and lateral movement within compromised networks. Broadcom reported on Nitrogen ransomware in January, and HackRead featured Nitrogen in a recent post due to an increase in activity.

The ransomware’s operational tactics are notably advanced. Once deployed, Nitrogen conducts thorough system reconnaissance to identify high-value assets, ensuring maximum disruption. It modifies registry keys within the Windows Registry and schedules tasks to maintain persistence, allowing the malware to remain active even after system reboots. To evade detection, Nitrogen leverages a legitimate but exploitable driver, truesight.sys, to disable antivirus and endpoint detection tools, further complicating mitigation efforts.

Notable incidents highlight Nitrogen’s impact. In December 2024, SRP Federal Credit Union in the United States suffered a breach, exposing vulnerabilities in the financial sector. Similarly, Red Barrels, a Canadian video game developer, had 1.8 terabytes of sensitive data, including game source code, exfiltrated. Control Panels USA, a manufacturing firm, was listed on Nitrogen’s dark web leak site in September 2024, indicating successful data exfiltration. These attacks underscore the ransomware’s ability to target diverse verticals with precision.

Nitrogen’s reliance on Cobalt Strike and Meterpreter aligns it with other sophisticated ransomware campaigns, emphasizing the importance of monitoring for these tools in enterprise environments. As Nitrogen continues to evolve, its focus on high-value sectors like finance demands proactive defenses to mitigate its devastating potential. PolySwarm analysts consider Nitrogen to be an emerging threat. 

IOCs

PolySwarm has a sample of Nitrogen.

 

55f3725ebe01ea19ca14ab14d747a6975f9a6064ca71345219a14c47c18c88be

 

You can use the following CLI command to search for all Nitrogen samples in our portal:

$ polyswarm link list -f Nitrogen

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

 
View full post