Ransomware is a nasty bit of malware. It encrypts the files on your device, and the only way of potentially getting them back is paying the attackers for the decryption key. At least, that's how ransomware is supposed to work. Recently, a new strain has been spotted whose victims couldn't get their files back even if the attackers wanted to hand them over.
Nitrogen's ESXi ransomware, as spotted by Coveware (via The Register), has a "coding mistake in the ESXi malware [that] causes it to encrypt all the files with the wrong public key, irrevocably corrupting them."
This ransomware is reportedly an offshoot of the Conti 2 builder code. Conti is a ransomware family from the hacking group 'Wizard Spider' that was created in 2019. In 2022 the group splintered over political differences about the Russian invasion of Ukraine, and the builder code was leaked as a result.
There's no word yet on how widespread this specific offshoot is, but its target is VMware ESXi hypervisors. Since a single ESXi host runs and manages many virtual machines, encrypting it means the malware hits not just one device but every VM stored on that host at once. That said, it's a lot more niche than malware aimed at ordinary desktops.
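To see why encrypting with the wrong public key leaves files unrecoverable even for the operator, here is an added example. It is not code from the original article, from Coveware, or from the malware (the page says nothing about how Nitrogen is actually implemented); it shows the textbook hybrid scheme that ransomware families in general use: each file gets a fresh symmetric key, and that key is wrapped with an RSA public key whose private half only the operator holds. Assumed for illustration: RSA-OAEP and AES-256-GCM as the primitives, and a constructed sample string standing in for a file.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what a hybrid-encryption scheme leaves beside each encrypted
// file: the AES-GCM ciphertext plus the per-file key wrapped with RSA-OAEP.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a fresh AES-256 key and wraps that key with
// wrapPub. Only the holder of the matching private key can unwrap it later.
func Encrypt(plaintext []byte, wrapPub *rsa.PublicKey) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, wrapPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt unwraps the file key with priv and opens the ciphertext. If priv does
// not correspond to the public key used by Encrypt, OAEP unwrapping fails, and
// the ciphertext itself offers no way around that.
func Decrypt(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RunScenario plays out both cases on constructed sample data: a file wrapped
// with the operator's public key is recoverable with the operator's private
// key; a file wrapped with an unrelated public key is not.
func RunScenario() (matchedRecovers, mismatchedRecovers bool, err error) {
	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048) // pair the operator actually holds
	if err != nil {
		return false, false, err
	}
	strayKey, err := rsa.GenerateKey(rand.Reader, 2048) // the "wrong" key; nobody keeps its private half
	if err != nil {
		return false, false, err
	}
	sample := []byte("constructed sample standing in for a VM disk image") // constructed, not real data

	good, err := Encrypt(sample, &operatorKey.PublicKey)
	if err != nil {
		return false, false, err
	}
	pt, err := Decrypt(good, operatorKey)
	matchedRecovers = err == nil && string(pt) == string(sample)

	bad, err := Encrypt(sample, &strayKey.PublicKey)
	if err != nil {
		return false, false, err
	}
	_, err = Decrypt(bad, operatorKey)
	mismatchedRecovers = err == nil
	return matchedRecovers, mismatchedRecovers, nil
}

func main() {
	ok, bad, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("matching key recovers data: %v\n", ok)    // true
	fmt.Printf("mismatched key recovers data: %v\n", bad) // false
}
```

The point of the second half of RunScenario is that the private key the operator holds is simply the wrong one for the wrapped file key, so no amount of good faith on their side helps; the only way to recover the data is to have a copy of it somewhere the malware never touched.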
Naturally, there's no way of guaranteeing an attacker will honour the deal you've made with them, even when they are actually able to decrypt your files, and this case shows they may not be able to at all. As a result, the best way to keep ransomware from destroying your files is not to download any weird gunk from the internet to begin with, and to keep offline backups that a compromised machine can't reach, because a backup is the only recovery route that doesn't depend on the attacker's key working.