Operators behind Nefilim Ransomware threaten to release stolen data

Operators behind a new piece of ransomware dubbed Nefilim have started threatening victims to release stolen data like other cybercrime gangs.

A new ransomware dubbed Nefilim appeared in the threat landscape at the end of February, it borrows its code from other malware, the Nemty ransomware.

The main difference between the two threats is that Nefilim doesn’t include the Ransomware-as-a-Service (RaaS) component and doesn’t use Tor for the payment process.

The operators behind the Nefilim following a scaring trend have started threatening their victims to release stolen data.

At the time of writing it is still unclear which is the attack vector exploited by Nefilim operators, experts believe the malware was mainly deployed via RDP.

“Head of SentinelLabs Vitali Krimez and ID Ransomware’s Michael Gillespie both told BleepingComputer that Nefilim and Nemty 2.5 share much of the same code.” reported BleepingComputer.

Experts speculate the malware could be a fork of the ransomware from the original operators or another cybercrime gang had access to the source code of the Nemty ransomware and has developed its own version.

Nefilim operators threaten victims to release stolen data if they don’t pay the ransom in seven days. This tactic was already adopted by other ransomware gangs, including the Maze Group, Nemty gang, DoppelPaymer, and Sodinokibi crews.

Nefilim will encrypt a file using AES-128 encryption, then the AES encryption key is encrypted using an RSA-2048 public key that is embedded in the ransomware executable.

The encrypted AES key will be included in the contents of each encrypted file. Nefilim appends the .NEFILIM extension to the file name, it also adds the “NEFILIM” string as a file marker to all encrypted files.

Once the encryption process is completed, the malware drops a ransom note named NEFILIM-DECRYPT.txt on the infected system.

The ransom note contains emails to contacts for the payment, it also includes the threat of leaking files if the ransom is not paid within seven days.

Additional technical details are included in the report published by BleepingComputer.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – NEFILIM ransomware, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.