Discovered in March this year, a ransomware family called Nefilim shares much of its code with NEMTY 2.5 REVENGE. Last month, its operators claimed to have infiltrated the networks of the SPIE group, a European multi-technical service provider, and released around 11.5GB of company data.
Since April this year, the group has been targeting organizations across various regions, including South Asia, North America, South America, Western Europe, and Oceania.
Top Targets
Based on the count of publicly disclosed attacks, the most targeted sectors are manufacturing (Mas Holdings, Fisher & Paykel, Stadler Rail, Aban Offshore Limited, etc.) and IT (SPIE Group, Citrix). Communications and transportation companies have also been hit. No attacks on the healthcare or education sectors have been disclosed so far.
The Ransomware MO
The ransomware is designed specifically to target Windows-based systems.
- Exposed Remote Desktop Protocol (RDP) services and a Citrix vulnerability are actively exploited by the group; these are its primary initial-access vectors against organizations.
- Once inside, the operators use Cobalt Strike to control the compromised environment, PsExec to move laterally across the network, and Mimikatz to harvest credentials.
- Victims' files are encrypted with a combination of AES-128 and RSA-2048: file contents are encrypted with AES-128, and the AES key is in turn encrypted with the operators' RSA-2048 public key, so recovery depends on a private key the victim never holds.
- Like other prominent threat groups, Nefilim's operators also threaten to publish stolen data on their leak site if the ransom is not paid or the victim refuses to enter negotiations.
- Sample data has already been published by the operators on their leak site, called Corporate Leaks.
Nefilim is maturing quickly despite being a relatively new family on the threat landscape, which suggests active development support behind it. Because the operators mostly abuse exposed, poorly secured RDP services, researchers advise security teams to audit Internet-exposed ports and close any that are not needed. Our experts also recommend configuring account lockout settings to limit failed login attempts for RDP and other remote administrative access.
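One way to turn that advice into a concrete check and hardening pass on a single Windows host, as an added example that is not part of the eScan post: it confirms whether RDP is listening, enforces Network Level Authentication, restricts the built-in Remote Desktop firewall rules to a management subnet, sets a local account lockout policy, and summarises recent failed logons by source address. The management subnet, the lockout thresholds and the 24-hour lookback window are placeholder assumptions; adjust them to your environment and run the script from an elevated session.

```powershell
# Added example, not from the eScan article: RDP exposure audit and hardening for one host.
# ASSUMPTIONS (placeholders, not from the article):
#   $MgmtSubnet         - the only network that should reach RDP on this host
#   lockout values, the 24-hour window and the top-10 cut-off are illustrative

$MgmtSubnet = '10.0.0.0/24'   # assumed management subnet

# 1. Is RDP listening at all? If the host does not need it, disable the service instead of hardening it.
$rdpListener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if ($rdpListener) {
    Write-Host "RDP is listening on TCP 3389 (owning PID $($rdpListener[0].OwningProcess))"
} else {
    Write-Host "RDP is not listening on TCP 3389"
}

# 2. Require Network Level Authentication so unauthenticated clients never reach the logon screen.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. Scope the built-in "Remote Desktop" firewall rules to the management subnet.
#    An "exposed RDP port" usually means these rules allow RemoteAddress = Any.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $MgmtSubnet

# 4. Limit login attempts: lock a local account for 30 minutes after 5 bad passwords within 30 minutes.
#    Domain accounts take these values from the domain account lockout policy, not from here.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 5. Detection: failed logons (Event ID 4625) in the last 24 hours, grouped by source IP.
#    With NLA enabled, failed RDP attempts are commonly logged with LogonType 3 rather than 10,
#    so group on the source address and do not filter on logon type alone.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$failed |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            SourceIp  = ($data | Where-Object Name -eq 'IpAddress').'#text'
            User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    } |
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    Select-Object -First 10 -Property Count, Name
```

A single source address with many failures against several usernames in the output of step 5 is the brute-forcing pattern that precedes this kind of intrusion. Note that account lockout cuts both ways: an attacker who can reach the logon service can lock out legitimate administrators, which is one more reason to combine the lockout policy with the network restriction in step 3 rather than rely on it alone.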
To read more, please check eScan Blog