Nefilim ransomware, first discovered in March 2020, shares much of its code with NEMTY 2.5 REVENGE ransomware. Earlier this month, the Nefilim ransomware group claimed to have infiltrated the networks of the SPIE group, a European multi-technical service provider, and to have released around 11.5 GB of company data.
Since April 2020, the group has been targeting organizations across various regions, including South Asia, North America, South America, Western Europe, and Oceania.
- The most targeted sectors, by count of publicly disclosed attacks, are manufacturing (Mas Holdings, Fisher & Paykel, Stadler Rail, Aban Offshore Limited, etc.) and IT (SPIE Group, Citrix).
- Other sectors targeted by Nefilim include communication (Orange S.A.) and transportation (Toll Group, Arteris SA).
- So far, no Nefilim attack on a healthcare or education organization has been publicly disclosed.
The ransomware is specifically developed to target Windows systems.
- The group's primary initial access vector is exposed Remote Desktop Protocol (RDP) services or unpatched Citrix vulnerabilities.
- Once inside, the operators use Mimikatz to harvest credentials, PsExec to move laterally across the network, and Cobalt Strike for command and control.
- Nefilim encrypts each victim file with AES-128 and protects the AES key with the attackers' RSA-2048 public key, the usual hybrid scheme, so files cannot be recovered without the corresponding private key.
- Like other prominent groups, Nefilim operators threaten to publish stolen data on their leak site if the ransom is not paid or the victim refuses to enter negotiations.
- Sample data is leaked on the group's site, called Corporate Leaks.
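The tool chain above (RDP password guessing, then PsExec for lateral movement) leaves standard Windows event traces. The following is an added example, not code from the article or from the threat actors, that runs two simple hunts over constructed sample events: bursts of failed RDP logons (Security event 4625, logon type 10) from one source, and PsExec-style service installs (System event 7045, default service name PSEXESVC). The host names, user names and IP addresses are made up.

```powershell
# Added example, not from the article or from Nefilim. Hunts for the
# RDP-then-PsExec pattern in Windows event data. All events below are
# constructed samples; in production they come from Get-WinEvent.
#
# Security 4625 = failed logon, LogonType 10 = RemoteInteractive (RDP)
# System   7045 = new service installed; PsExec installs PSEXESVC by default

$SampleEvents = @(
    [pscustomobject]@{ Log='Security'; Id=4625; Time=[datetime]'2020-07-01T02:14:03'; Computer='FS01'; TargetUser='administrator'; LogonType=10; IpAddress='203.0.113.7' }
    [pscustomobject]@{ Log='Security'; Id=4625; Time=[datetime]'2020-07-01T02:14:09'; Computer='FS01'; TargetUser='admin';         LogonType=10; IpAddress='203.0.113.7' }
    [pscustomobject]@{ Log='Security'; Id=4625; Time=[datetime]'2020-07-01T02:14:15'; Computer='FS01'; TargetUser='backup';        LogonType=10; IpAddress='203.0.113.7' }
    [pscustomobject]@{ Log='Security'; Id=4625; Time=[datetime]'2020-07-01T02:14:22'; Computer='FS01'; TargetUser='svc_sql';       LogonType=10; IpAddress='203.0.113.7' }
    [pscustomobject]@{ Log='Security'; Id=4625; Time=[datetime]'2020-07-01T02:14:30'; Computer='FS01'; TargetUser='administrator'; LogonType=10; IpAddress='203.0.113.7' }
    [pscustomobject]@{ Log='Security'; Id=4625; Time=[datetime]'2020-07-01T09:00:00'; Computer='WS22'; TargetUser='jsmith';        LogonType=2;  IpAddress='-' }   # console typo, not RDP
    [pscustomobject]@{ Log='System';   Id=7045; Time=[datetime]'2020-07-01T02:31:44'; Computer='FS01'; ServiceName='PSEXESVC';     ImagePath='%SystemRoot%\PSEXESVC.exe';          Account='LocalSystem' }
    [pscustomobject]@{ Log='System';   Id=7045; Time=[datetime]'2020-07-01T08:10:00'; Computer='WS22'; ServiceName='ContosoAgent'; ImagePath='"C:\Program Files\Contoso\agent.exe"'; Account='LocalSystem' }   # benign install
)

# Flag a source address that fails RDP logons on one host at least $Threshold
# times inside any $WindowMinutes-long window (a sliding window over sorted times).
function Find-RdpPasswordGuessing {
    param([object[]]$Events, [int]$Threshold = 5, [int]$WindowMinutes = 5)
    $rdpFailures = $Events | Where-Object { $_.Log -eq 'Security' -and $_.Id -eq 4625 -and $_.LogonType -eq 10 }
    foreach ($group in ($rdpFailures | Group-Object Computer, IpAddress)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        for ($i = 0; $i -le $times.Count - $Threshold; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Computer  = $group.Group[0].Computer
                    Source    = $group.Group[0].IpAddress
                    Failures  = $group.Count
                    Users     = ($group.Group.TargetUser | Sort-Object -Unique) -join ','
                    FirstSeen = $times[0]
                }
                break   # one finding per host/source pair is enough
            }
        }
    }
}

# Flag PsExec-style service installs. The default name is PSEXESVC; a renamed
# copy (psexec -r <name>) changes it, so as a heuristic also flag services whose
# binary was dropped under %SystemRoot%, which is where PsExec copies its stub.
function Find-PsExecService {
    param([object[]]$Events)
    $Events | Where-Object {
        $_.Log -eq 'System' -and $_.Id -eq 7045 -and
        ($_.ServiceName -like 'PSEXESVC*' -or $_.ImagePath -like '%SystemRoot%\*.exe')
    }
}

# Expected on the sample set: one guessing burst (FS01 from 203.0.113.7, five
# failures against four user names) and one PsExec service install on FS01.
Find-RdpPasswordGuessing -Events $SampleEvents | Format-Table -AutoSize
Find-PsExecService -Events $SampleEvents | Format-Table Time, Computer, ServiceName, ImagePath -AutoSize
```

To run this against live hosts, replace `$SampleEvents` with the output of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` and `@{LogName='System'; Id=7045}`, mapping the fields from each record's `ToXml()` output into the same property names; the sample objects stand in for that mapping. The `%SystemRoot%` heuristic will also match legitimate installers, so treat it as a lead to review rather than an alert on its own.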
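The AES-128 plus RSA-2048 combination described above is what makes recovery without the attackers' private key infeasible. The block below is an added illustrative reimplementation of that hybrid scheme, not Nefilim's code, written against .NET's `System.Security.Cryptography`; it assumes PowerShell 7 (.NET 5 or later), where `RSA.Create(2048)` and OAEP with SHA-256 are available, and uses a constructed string as the "file".

```powershell
# Added example, not Nefilim's code: the hybrid AES-128 / RSA-2048 scheme and
# why it is one-way for the victim. Assumes PowerShell 7 (.NET 5+).
using namespace System.Security.Cryptography

# Attacker side, before deployment: generate the campaign key pair.
# Only the public half is embedded in the ransomware binary.
$attackerKeyPair = [RSA]::Create(2048)
$embeddedPublic  = [RSA]::Create()
$embeddedPublic.ImportParameters($attackerKeyPair.ExportParameters($false))   # $false = public parameters only

# Victim side (what the binary does per file): fresh AES-128 key, encrypt the
# file with it, wrap the AES key with the embedded public key, forget the AES key.
function Invoke-HybridEncrypt {
    param([byte[]]$FileBytes, [RSA]$PublicKey)
    $aes = [Aes]::Create()            # CBC with PKCS7 padding by default
    $aes.KeySize = 128
    $aes.GenerateKey(); $aes.GenerateIV()
    $cipher     = $aes.CreateEncryptor().TransformFinalBlock($FileBytes, 0, $FileBytes.Length)
    $wrappedKey = $PublicKey.Encrypt($aes.Key, [RSAEncryptionPadding]::OaepSHA256)
    $iv = $aes.IV
    $aes.Dispose()                    # the plaintext AES key does not survive on the victim host
    [pscustomobject]@{ Cipher = $cipher; IV = $iv; WrappedKey = $wrappedKey }
}

# Attacker side, after payment: unwrap the AES key with the private key, then decrypt.
function Invoke-HybridDecrypt {
    param($Blob, [RSA]$PrivateKey)
    $key = $PrivateKey.Decrypt($Blob.WrappedKey, [RSAEncryptionPadding]::OaepSHA256)
    $aes = [Aes]::Create()
    $aes.Key = $key; $aes.IV = $Blob.IV
    $aes.CreateDecryptor().TransformFinalBlock($Blob.Cipher, 0, $Blob.Cipher.Length)
}

$plain = [Text.Encoding]::UTF8.GetBytes('Q3-invoices.xlsx: constructed sample content')
$blob  = Invoke-HybridEncrypt -FileBytes $plain -PublicKey $embeddedPublic

# Everything left on disk (ciphertext, IV, wrapped key) plus the embedded public
# key is not enough: unwrapping needs the private half the victim never had.
try {
    $null = $embeddedPublic.Decrypt($blob.WrappedKey, [RSAEncryptionPadding]::OaepSHA256)
    'unexpected: recovered the AES key without the private key'
} catch {
    'victim-side recovery fails: ' + $_.Exception.GetType().Name
}

# With the private key the round trip succeeds.
[Text.Encoding]::UTF8.GetString((Invoke-HybridDecrypt -Blob $blob -PrivateKey $attackerKeyPair))
```

The practical consequence for responders is that a memory dump or disk image of the victim yields ciphertext, IVs and RSA-wrapped keys, none of which help without the campaign private key; recovery planning has to rest on offline backups rather than on cryptanalysis.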
Although relatively new, Nefilim is maturing fast, probably with active development support. Since the ransomware mostly abuses unsecured RDP ports, researchers advise security teams to inventory exposed ports and close any that are unused. Experts further recommend configuring account lockout to limit failed login attempts for RDP and administrative network access.
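The recommendations above translate into a handful of Windows settings. The following is an added example, not from the article, showing the weak default beside the corrected setting for each: it assumes an elevated PowerShell session on the host, and `10.0.0.0/24` is a placeholder for your management subnet. Steps 2 to 4 harden RDP where it is needed; step 5 is the alternative for hosts that should not expose it at all.

```powershell
# Added example, not from the article. Run elevated on the Windows host.
# 10.0.0.0/24 is a placeholder management subnet; adjust before use.

# 1. Audit first: is anything listening on the RDP port, and what else is exposed?
Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetTCPConnection -State Listen |
    Group-Object LocalPort | Sort-Object Name | Select-Object Name, Count   # review and close what is unused

# 2. Weak: the built-in "Remote Desktop" rule group admits any remote address.
#    Corrected: scope the rules to the management subnet only.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress '10.0.0.0/24'

# 3. Weak: UserAuthentication=0 builds a full session before credentials are checked.
#    Corrected: require Network Level Authentication.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1

# 4. Weak: no lockout threshold, so password guessing over RDP is unlimited.
#    Corrected: lock the account for 30 minutes after 5 failures in a 30-minute window
#    (local policy shown; in a domain set the same values through Group Policy).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 5. If this host does not need RDP at all, disable the service and its firewall rules
#    instead of steps 2-4.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Verify the end state.
Get-ItemProperty -Path $rdpTcp -Name 'UserAuthentication'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
net accounts
```

The firewall scoping in step 2 only helps against direct exposure; RDP that must be reachable from outside the network belongs behind a VPN or gateway with multi-factor authentication, and the lockout values in step 4 should be tuned so a deliberate flood of failures cannot lock out service accounts.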