Ransomware - Nevada

Nevada
Aliases
Nokoyawa 2.1
Decryptor Available
No
Description

For more information, please see the entries on Nokoyawa and Nokoyawa 2.0.

Nevada appears to be another iteration of the Nokoyawa ransomware family and is also tracked as Nokoyawa 2.1. It is the second variant written in Rust and differs from the other Rust-based variant, Nokoyawa 2.0, in a few ways. For clarity, the Nokoyawa authors are believed to have developed two code bases in parallel: one in C/C++ and one in Rust. Nokoyawa and Nokoyawa 1.1 were written in C/C++; Nokoyawa 2.0 and Nevada (Nokoyawa 2.1) were written in Rust. The two code bases share similar behaviour. One difference is that the Rust variants encrypt file contents with Salsa20 and protect the file keys with an X25519 (Curve25519 elliptic-curve) key exchange, the standard hybrid construction that makes file recovery depend on a private key held only by the operators. Nevada is also distinguished by being run as Ransomware-as-a-Service (RaaS), advertised on the dark web forum RAMP. The advertisement offered an 85/15 revenue split, rising to 90/10 for affiliates deemed trustworthy: the affiliate who deploys the ransomware keeps 85% (or 90%) of the ransom payments, and the remaining 15% (or 10%) goes to the Nevada operators.
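The hybrid scheme attributed to the Rust variants, shown as an added illustration (this is not Nevada's or Nokoyawa's code, and the precise key derivation, nonce handling and file layout of the real samples are not documented on this page): the operator's long-term X25519 public key is embedded in the encryptor; for every file a fresh ephemeral X25519 key pair is generated, the shared secret with the operator key is hashed into a Salsa20 file key, the file is encrypted, and only the ephemeral public key and nonce are stored beside the ciphertext. The ephemeral private key and the file key are discarded, so a defender holding the sample, the encrypted file and the footer still cannot recover the file key without the operator's private key, which is why no decryptor exists. X25519 and Salsa20 are implemented in plain Python from their public specifications (RFC 7748 and Bernstein's Salsa20) so the example runs offline; the SHA-256 key derivation, the 40-byte footer and the names used here are assumptions of this example, and the sample file content is constructed.

```python
"""Hybrid X25519 + Salsa20 per-file key scheme (constructed illustration).
Assumptions of this example, not facts about Nevada: SHA-256 of the X25519
shared secret as the Salsa20 key, an 8-byte random nonce, and a footer of
ephemeral_pub(32) || nonce(8) appended to the ciphertext."""
import hashlib
import os
import struct

P = 2**255 - 19
MASK32 = 0xFFFFFFFF
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519 via the Montgomery ladder. Not constant-time: for
    illustration only, never for production use."""
    k = (int.from_bytes(scalar, "little") & ~7 & ((1 << 255) - 1)) | (1 << 254)
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), u * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _qr(x, a, b, c, d):  # Salsa20 quarter-round on state words a, b, c, d
    x[b] ^= _rotl((x[a] + x[d]) & MASK32, 7)
    x[c] ^= _rotl((x[b] + x[a]) & MASK32, 9)
    x[d] ^= _rotl((x[c] + x[b]) & MASK32, 13)
    x[a] ^= _rotl((x[d] + x[c]) & MASK32, 18)


def _salsa20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte Salsa20/20 keystream block ("expand 32-byte k" layout)."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    s = [0x61707865, k[0], k[1], k[2],
         k[3], 0x3320646E, n[0], n[1],
         counter & MASK32, counter >> 32, 0x79622D32, k[4],
         k[5], k[6], k[7], 0x6B206574]
    x = list(s)
    for _ in range(10):  # 10 double rounds = 20 rounds
        _qr(x, 0, 4, 8, 12); _qr(x, 5, 9, 13, 1); _qr(x, 10, 14, 2, 6); _qr(x, 15, 3, 7, 11)
        _qr(x, 0, 1, 2, 3); _qr(x, 5, 6, 7, 4); _qr(x, 10, 11, 8, 9); _qr(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(a + b) & MASK32 for a, b in zip(x, s)])


def salsa20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream XOR: the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = _salsa20_block(key, nonce, i // 64)
        out += bytes(p ^ q for p, q in zip(data[i:i + 64], block))
    return bytes(out)


def encrypt_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    """Encryptor side: only operator_pub is available in the binary."""
    eph_priv, eph_pub = generate_keypair()
    file_key = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()
    nonce = os.urandom(8)
    body = salsa20_xor(file_key, nonce, plaintext)
    # eph_priv and file_key go out of scope here; only eph_pub and nonce persist.
    return body + eph_pub + nonce


def decrypt_file(blob: bytes, operator_priv: bytes) -> bytes:
    """Operator side: the footer plus the operator's private key rebuild file_key."""
    body, eph_pub, nonce = blob[:-40], blob[-40:-8], blob[-8:]
    file_key = hashlib.sha256(x25519(operator_priv, eph_pub)).digest()
    return salsa20_xor(file_key, nonce, body)


def demo():
    """Returns (recovered with operator key, recovered with an unrelated key)."""
    op_priv, op_pub = generate_keypair()      # op_pub is what a sample would embed
    sample = b"constructed sample file contents\n" * 5
    blob = encrypt_file(sample, op_pub)
    wrong_priv, _ = generate_keypair()
    return decrypt_file(blob, op_priv) == sample, decrypt_file(blob, wrong_priv) == sample


if __name__ == "__main__":
    print("operator key recovers file: %s, unrelated key recovers file: %s" % demo())
```

The practical consequence for incident response: carving the ephemeral public key and nonce from an encrypted file gives nothing without the operator's private key, so recovery efforts should focus on backups, on catching the process before it finishes (the per-file key is only briefly in memory), or on implementation mistakes in a specific sample, not on the footer data itself.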

Nevada was first observed in the wild around the time of the ESXiArgs campaign, an automated ransomware attack against organizations with public-facing VMware ESXi servers that were still vulnerable to CVE-2021-21974, a heap-overflow vulnerability in ESXi's OpenSLP service. Because Nevada also targets ESXi hosts, some researchers attributed the ESXiArgs attack to the Nevada Group; WatchGuard Threat Labs consider that attribution incorrect. ESXiArgs is a separate ransomware, unrelated to Nevada.

Ransomware Type
Crypto-Ransomware
RaaS
First Seen
Last Seen
Lineage
Threat Actors
Type
Actor
Cybergroup
Nevada Group
Extortion Types
Direct Extortion
Double Extortion
Communication
Channel
Identifier
Tox
Encryption
Type
Hybrid
Files
Salsa20
Key
ECC-X25519
File Extension
<file name>.NEVADA
Ransom Note Name
readme.txt
Ransom Note Image
Samples (SHA-256)
855f411bd0667b650c4f2fd3c9fbb4fa9209cf40b0d655fa9304dcdd956e0808
acc31048e00d1a0f4cd5569d5d4db539da8f506cc7a6a171942d015ecc817d43