29 April 2025
Nitrogen: same players play again!
Code reuse across different versions and families of malware is nothing new, and the relationship shows up in technical elements. Whether source code was bought, resold or leaked, or changed hands after a falling-out between members of a group, the technical similarities remain visible and identifiable.
A few weeks ago we were contacted by Valery Rieß-Marchive, editor-in-chief of LeMagIT, to ask whether we had seen any technical similarities between different ransomware families, notably between Nitrogen (a recent strain from late March 2025), LukaLocker and Cactus.
Reconciling ransomware families
Intrigued by this question, we collected samples of the LukaLocker and Cactus families to build reference datasets, then compared the Nitrogen samples against them with our Deep Engine. It immediately surfaced functions shared between Nitrogen and both LukaLocker and Cactus.
First of all, with LukaLocker …
… but also with Cactus.
We then set about analyzing them to identify similar elements.
To begin with, we used our GLIMPS Audit tool, which highlights the similarities between the functions of the various binaries. The redder a cell of the heatmap, the closer the two functions, here between Nitrogen, LukaLocker and Cactus. The matching functions are also spread through the address space of the binaries in the same way, which points to shared code rather than a few isolated matches.
Checking correlations
Using a disassembler, we can then check which function types match. The manual comparison is based on the following representative files:
SHA256 | Family | Compilation date
--- | --- | ---
0a8088e2ba539541f476836c6f4e5812c4ae5c52133801faa1bc3806a4ade683 | Cactus | November 2023
30390db8ef77afdb6add86f7f2990a142823401078ab237020933d0423374b27 | LukaLocker1 | May 2024
4e58629158a6c46ad420f729330030f5e0b0ef374e9bb24cd203c89ec3262669 | LukaLocker2 | June 2024
e6a498b89aa04d7c25cbfa96599a4cd9bdcc79e73bf7b09906e5ca85bda2bff6 | Nitrogen | March 2025
Each artefact can be placed on a timeline of compilation timestamps running from November 2023 to March 2025. (PE compilation timestamps are written by the builder and can be forged, so we treat them as consistent with this ordering rather than as proof of it.)
Given the large number of correlated functions, we set out to find the most representative ones.
Main loops
The illustrations below show how close the main functions of the samples are. What's more, they share exactly the same hard-coded mutex name, fjhv6esdvsx, which also makes a convenient hunting artefact.
Main loop, LukaLocker 4e5862
Main ransomware loop, Nitrogen c94b70
Main ransomware loop, Nitrogen e6a498
Obfuscation of import calls
In the example below, the files implement the same mechanism for calling imported functions.
In particular, the imports the file-iteration loop relies on (the kernel32 library name and the FindFirstFile/FindNextFile calls) are hidden behind several obfuscation mechanisms, including base64 encoding and strings assembled from integer immediates, so that neither the library nor the function names show up in a plain strings dump.
Illustration of the correlation between import obfuscation methods and function names for LukaLocker and Nitrogen:
In this case, the immediates 0x6C6C642Eu and 0x32336C656E72656Bi64 read, byte by byte in the order the disassembler prints them, as lld. and 23lenrek. Because x86 stores integers little-endian, the bytes land in memory in the opposite order and spell kernel32.dll: the library name is assembled from integer constants (a stacked string) rather than stored as a literal.
Many other functions flagged by our correlation engine are also extremely similar, from the encryption loop to the folder and file iteration routine.
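To make the decoding described above reproducible, here is an added Python example; it is our own illustration, not code from the samples, from the screenshots or from the GLIMPS tooling. It assumes the immediates are shown in Hex-Rays pseudocode with its literal suffixes (u for 32-bit, i64/ui64 for 64-bit) and stored through typed pointer casts; the pseudocode fragment it scans is constructed for the example, and the FindFirstFileW name it yields is chosen to match the FindFirstFile mention above, not taken from the samples.

```python
import re

# Added example (not GLIMPS code): rebuild "stacked strings" from the integer
# immediates a decompiler prints for them. Assumes Hex-Rays style pseudocode
# and literal suffixes ("u" = 32-bit unsigned, "i64"/"ui64" = 64-bit).

CAST_WIDTH = {"BYTE": 1, "WORD": 2, "DWORD": 4, "QWORD": 8}

# Matches stores of an integer literal through a typed pointer cast, in the
# three spellings Hex-Rays commonly emits for a local buffer:
#   *(_QWORD *)buf = ...;   *(_DWORD *)&buf[8] = ...;   *(_QWORD *)(v5 + 8) = ...;
STORE_RE = re.compile(
    r"\*\(_(?P<w>BYTE|WORD|DWORD|QWORD) \*\)"
    r"(?:\((?P<b1>\w+) \+ (?P<o1>\d+)\)|&(?P<b2>\w+)\[(?P<o2>\d+)\]|(?P<b3>\w+))"
    r"\s*=\s*(?P<lit>(?:0x[0-9A-Fa-f]+|\d+)(?:ui64|i64|u)?);"
)


def parse_literal(tok):
    """Return (value, width_in_bytes) for a Hex-Rays integer literal such as
    '0x6C6C642Eu' or '0x32336C656E72656Bi64'."""
    m = re.fullmatch(r"(0x[0-9A-Fa-f]+|\d+)(ui64|i64|u)?", tok)
    if not m:
        raise ValueError(f"not a Hex-Rays integer literal: {tok!r}")
    width = 8 if m.group(2) in ("i64", "ui64") else 4
    return int(m.group(1), 0), width


def printed_order(tok):
    """The bytes as they read in the listing (most significant byte first):
    this is the reversed 'lld.' / '23lenrek' the article describes."""
    value, width = parse_literal(tok)
    return value.to_bytes(width, "big").lstrip(b"\0").decode("latin-1")


def stacked_string(literals):
    """Decode consecutive immediates given in memory order: each one is
    written little-endian (x86), so its least significant byte comes first."""
    raw = b"".join(v.to_bytes(w, "little") for v, w in map(parse_literal, literals))
    return raw.split(b"\0", 1)[0].decode("latin-1")


def recover_strings(pseudocode):
    """Scan decompiler output for typed stores into the same buffer, place each
    immediate at its byte offset and return {buffer_name: decoded_string}."""
    buffers = {}
    for m in STORE_RE.finditer(pseudocode):
        width = CAST_WIDTH[m.group("w")]
        base = m.group("b1") or m.group("b2") or m.group("b3")
        offset = int(m.group("o1") or m.group("o2") or 0)
        value, _ = parse_literal(m.group("lit"))  # the cast, not the suffix, fixes the width
        buf = buffers.setdefault(base, bytearray())
        if len(buf) < offset + width:
            buf.extend(b"\0" * (offset + width - len(buf)))
        buf[offset:offset + width] = value.to_bytes(width, "little")
    return {name: bytes(buf).split(b"\0", 1)[0].decode("latin-1")
            for name, buf in buffers.items()}


# Constructed pseudocode fragment in the Hex-Rays style (not a screenshot from
# the article): a DLL name and an API name built from immediates.
SAMPLE = """
  *(_QWORD *)name = 0x32336C656E72656Bi64;
  *(_DWORD *)&name[8] = 0x6C6C642Eu;
  name[12] = 0;
  *(_QWORD *)v5 = 0x73726946646E6946i64;
  *(_QWORD *)(v5 + 8) = 0x57656C694674i64;
"""

if __name__ == "__main__":
    print(printed_order("0x6C6C642Eu"), printed_order("0x32336C656E72656Bi64"))
    print(stacked_string(["0x32336C656E72656Bi64", "0x6C6C642Eu"]))
    print(recover_strings(SAMPLE))
```

The width comes from the pointer cast rather than from the literal suffix because Hex-Rays drops the suffix when a 64-bit value happens to fit in 32 bits; a buffer that receives a 4-byte store after an 8-byte one is simply extended, and the result is cut at the first NUL as a C string would be.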
Conclusion
Analysis of the files reveals strong correlations between the Nitrogen, LukaLocker and Cactus families.
These similarities lead us to believe either that the same people run these ransomware families or that the files were built from a common framework.
The modus operandi of these operations, in particular calling victims directly, makes the first hypothesis the more likely one: the same people are operating all three ransomware.