Newly Found Nefilim Ransomware Borrows Code From Nemty 2.5 Ransomware

  • The ransomware has started to become active in the wild and threatens to release stolen data.
  • Nefilim encrypts victims’ files using a combination of AES-128 and RSA-2048 algorithms.

A new ransomware strain called Nefilim that shares code with Nemty 2.5 ransomware has been uncovered by researchers. The ransomware has started to become active in the wild and threatens to release stolen data.

About the ransomware
As reported by BleepingComputer, the ransomware most likely spreads through exposed Remote Desktop Services. The other important difference from Nemty is that Nefilim has removed the Ransomware-as-a-Service (RaaS) component and now relies on email addresses for payment negotiation rather than a Tor payment site.

How does it operate?
Once launched, Nefilim encrypts victims’ files using a combination of AES-128 and RSA-2048: file contents are encrypted with AES-128 and the AES key is in turn encrypted with an RSA-2048 public key, the usual hybrid scheme, so files cannot be recovered without the operators’ private key. For each encrypted file, the ransomware appends the .NEFILIM extension to the file name.

Once encryption finishes, the ransomware drops a ransom note named ‘NEFILIM-DECRYPT.txt’ that tells the victim how to contact the operators to recover their files.

The ransom note lists several email addresses for contacting the developers. It also warns that the victim’s stolen data will be leaked if the ransom is not paid within seven days.
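The two file-level artifacts described above, the .NEFILIM extension and the NEFILIM-DECRYPT.txt note, are what an incident responder would sweep a host or file share for after the fact. The script below is an added example written for this article, not code from the original report or from the malware; it uses only those two indicators, and the directory it scans is constructed inside the script so it runs offline.

```python
"""Sweep a directory tree for Nefilim file-level indicators.

Added example, not code from the original article. It relies only on the
two artifacts the article reports: the ".NEFILIM" extension appended to
encrypted files and the "NEFILIM-DECRYPT.txt" ransom note. The sample
directory built by build_sample_tree() is constructed for this demo.
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".NEFILIM"            # extension appended to each encrypted file
RANSOM_NOTE = "NEFILIM-DECRYPT.txt"   # ransom note dropped once encryption finishes


@dataclass
class SweepResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    @property
    def hit(self) -> bool:
        # Either indicator alone is worth an alert: a note without encrypted
        # files can mean the payload ran from another host against a share.
        return bool(self.encrypted_files or self.ransom_notes)


def sweep(root: str) -> SweepResult:
    """Walk `root` and collect every path matching either indicator."""
    result = SweepResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Compare case-insensitively: NTFS is case-insensitive and the
            # exact casing of the note name may vary between samples.
            if name.lower() == RANSOM_NOTE.lower():
                result.ransom_notes.append(path)
            elif name.upper().endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
    result.encrypted_files.sort()
    result.ransom_notes.sort()
    return result


def build_sample_tree() -> str:
    """Create a constructed tree with one hit folder and one clean folder."""
    root = tempfile.mkdtemp(prefix="nefilim-demo-")
    hit = os.path.join(root, "finance")
    clean = os.path.join(root, "public")
    os.makedirs(hit)
    os.makedirs(clean)
    # Constructed placeholders standing in for encrypted files and the note.
    for name in ("budget.xlsx.NEFILIM", "contracts.docx.NEFILIM", RANSOM_NOTE):
        with open(os.path.join(hit, name), "wb") as fh:
            fh.write(b"constructed placeholder content\n")
    with open(os.path.join(clean, "readme.txt"), "w") as fh:
        fh.write("untouched file\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    res = sweep(sample_root)
    print(f"{len(res.encrypted_files)} encrypted file(s), "
          f"{len(res.ransom_notes)} ransom note(s), alert={res.hit}")
    for p in res.encrypted_files + res.ransom_notes:
        print("  ", os.path.relpath(p, sample_root))
```

Run it against a real share by calling sweep() on the mount point instead of the constructed tree. A match on the extension confirms encryption already happened, so the sweep is for scoping and containment, not prevention; the article’s note about exposed Remote Desktop Services is the control to fix before that point.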

Bottom Line
Lately, prominent ransomware operations such as Maze, Nemty, and DoppelPaymer have adopted a ‘name and shame’ tactic, publishing data stolen from organizations that refuse to pay in order to damage their reputation. With the tactic spreading among ransomware operators, and with Nefilim’s ransom note already threatening a leak, Nefilim is likely to join the list of families that shame their victims.