Saved February 14, 2026
Do you care about this?
Nitrogen ransomware has a major flaw that prevents victims' files from being decrypted, even if they pay the ransom. A programming error causes the gang's decryptor to overwrite the necessary public key, leaving both victims and criminals without access to the data. This coding mistake highlights the destructive potential of ransomware.
If you do, here's more
Nitrogen ransomware has a major flaw that prevents even the criminals from decrypting victim files. According to cybersecurity firm Coveware, the group's malware, which primarily targets VMware ESXi systems, contains a programming error. This error causes the program to encrypt files using the wrong public key, rendering any attempts to recover data through payment completely useless.
The issue arises from the way the malware handles keys in memory. It mistakenly loads a new variable that overlaps with the public key, corrupting it. Specifically, the malware loads a 64-bit QWORD into memory in such a way that it overwrites part of the public key. As a result, the private key corresponding to the corrupted public key cannot be determined, leaving victims without any means to recover their data.
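The overlap described above, as a constructed C illustration added here (not Nitrogen's code, and the struct layout, field names and fingerprint function are assumptions): a 64-bit store lands on the tail of the public key buffer, and a simple fingerprint check of the kind the malware lacked would have caught the corruption before the key was used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32  /* constructed: a 32-byte public key */

/* Hypothetical layout: the key is followed by a scratch field. */
struct key_ctx {
    uint8_t  pubkey[KEY_LEN];
    uint64_t scratch;
};

/* FNV-1a over the key bytes; stands in for a real key fingerprint. */
static uint64_t fingerprint(const uint8_t *buf, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 1099511628211ULL; }
    return h;
}

/* The bug: the QWORD is stored eight bytes too early, so it overwrites
 * pubkey[24..31] instead of the scratch field. Returns 1 if the key
 * bytes changed as a result. */
int overlapping_store_corrupts_key(struct key_ctx *ctx, uint64_t value) {
    uint64_t before = fingerprint(ctx->pubkey, KEY_LEN);
    memcpy((uint8_t *)ctx + KEY_LEN - sizeof value, &value, sizeof value);
    return fingerprint(ctx->pubkey, KEY_LEN) != before;
}

/* The check that was missing: refuse to use a key whose fingerprint no
 * longer matches the one recorded when it was loaded. */
int key_still_valid(const struct key_ctx *ctx, uint64_t expected_fp) {
    return fingerprint(ctx->pubkey, KEY_LEN) == expected_fp;
}

int main(void) {
    struct key_ctx ctx;
    memset(&ctx, 0x11, sizeof ctx);                 /* constructed key bytes */
    uint64_t fp = fingerprint(ctx.pubkey, KEY_LEN); /* recorded at load time */
    printf("valid before store: %d\n", key_still_valid(&ctx, fp));
    printf("key corrupted:      %d\n", overlapping_store_corrupts_key(&ctx, 0xdeadbeefULL));
    printf("valid after store:  %d\n", key_still_valid(&ctx, fp));
    return 0;
}
```

Files encrypted to the altered key bytes belong to a public key nobody holds the private half of, which is why payment cannot recover them.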
Nitrogen has been active since 2023 and is linked to the Conti ransomware codebase. Initially, the group focused on developing malware for initial access, but by around September 2024, it shifted to extorting organizations directly. While Nitrogen is not among the most notorious ransomware groups, this latest error highlights the risks of relying on such criminals for data recovery, as both parties end up with nothing.