New ransomware spotted with a 'coding mistake' that means even the hackers can't decrypt the files

• Copy link
• Facebook
• X
• Whatsapp
• Reddit
• Pinterest
• Flipboard
• Email

Share this article

0

Join the conversation

Follow us

Add us as a preferred source on Google

Newsletter

Get the PC Gamer Newsletter

Keep up to date with the most important stories and the best deals, as picked by the PC Gamer team.

Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors

---

By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

You are now subscribed

Your newsletter sign-up was successful

---

Want to add more newsletters?

Every Friday

GamesRadar+

Your weekly update on everything you could ever want to know about the games you already love, games we know you're going to love in the near future, and tales from the communities that surround them.

Signup +

Every Thursday

GTA 6 O'clock

Our special GTA 6 newsletter, with breaking news, insider info, and rumor analysis from the award-winning GTA 6 O'clock experts.

Signup +

Every Friday

Knowledge

From the creators of Edge: A weekly videogame industry newsletter with analysis from expert writers, guidance from professionals, and insight into what's on the horizon.

Signup +

Every Thursday

The Setup

Hardware nerds unite, sign up to our free tech newsletter for a weekly digest of the hottest new tech, the latest gadgets on the test bench, and much more.

Signup +

Every Wednesday

Switch 2 Spotlight

Sign up to our new Switch 2 newsletter, where we bring you the latest talking points on Nintendo's new console each week, bring you up to date on the news, and recommend what games to play.

Signup +

Every Saturday

The Watchlist

Subscribe for a weekly digest of the movie and TV news that matters, direct to your inbox. From first-look trailers, interviews, reviews and explainers, we've got you covered.

Signup +

Once a month

SFX

Get sneak previews, exclusive competitions and details of special events each month!

Signup +

---

An account already exists for this email address, please log in.

Subscribe to our newsletter

Ransomware is a nasty bit of malware. Effectively, it locks down your device, and the only way of potentially getting access back is by paying hackers to get it removed. At least, that's what ransomware is supposed to be. Recently, a new one has been spotted that couldn't be removed even if the hackers wanted to.

Nitrogen's ESXi ransomware, as spotted by Coveware (via The Register), has a "coding mistake in the ESXi malware [that] causes it to encrypt all the files with the wrong public key, irrevocably corrupting them."

Effectively, once ransomware gets into your device (often via suspicious links or PC vulnerabilities), it then encrypts your valuable files and stores a randomly generated key that only it knows. That key can then be used to decrypt files. It's like someone who spots you removing your lock from a locker and putting theirs on instead. Thus, affected users are forced to fork out cash to bad actors on the chance they can actually get the files back.

Coveware points out that when the public key is accessed, the ransomware mistakenly overwrites the first four bytes of the key, which means "no one actually knows the private key that goes with the corrupted public key." Modern-day encryption relies on having a public key and secret private key, both required to unlock a device. Without both parts, the data cannot be accessed. There's no point guessing, either, as the whole point is it would take a computer an impossible amount of time to brute force unlock the data.

Essentially, even if you pay the ransom, the hackers are incapable of getting back into your files. Though even if Nitrogen can't get your files back, that likely won't stop them from asking for payment if they get into your device.

This ransomware is reportedly a coding offshoot of the Conti 2 builder code. Conti is a type of Malware from the hacking group 'Wizard Spider' that was created in 2019. In 2022, a splintering of the group formed due to political differences over the Russian invasion of Ukraine and a leak of the builder code happened as a result.

There's no word yet on how widespread this specific offshoot of the builder code is, but its target is VMware ESXi hypervisors. Being software that runs and manages virtual machines, it could mean a virus gains access to not just a device but a mass of devices. That being said, it's a lot more niche than a more traditional virus.

Naturally, there's no way of guaranteeing a hacker will obey the contract you've made with them, even if they're capable of getting into files. And, as a result, the best way to prevent ransomware from destroying your files is to try not download any weird gunk on the internet to begin with.

Best gaming rigs 2026

1. Best gaming laptop: Razer Blade 16

2. Best gaming PC: HP Omen 35L

3. Best handheld gaming PC: Lenovo Legion Go S SteamOS ed.

4. Best mini PC: Minisforum AtomMan G7 PT

5. Best VR headset: Meta Quest 3

👉Check out our list of guides👈