Nefilim Ransomware Group's New Tactic: Exfiltrate, Leak, and Shame
The Nefilim ransomware group (the name is also written "Nephilim") has drawn attention for a two-stage extortion tactic: exfiltrating sensitive data before encrypting it, then leaking that data on a dark-web site if the ransom is not paid. The tactic has proven effective, and the past year has seen a rise in ransomware operations built around it.
Nefilim emerged in March 2020 and has become one of the better-known ransomware families to adopt this extortion model. Its operators have been reported to gain initial access through vulnerabilities in Citrix gateway devices, such as CVE-2019-11634 and CVE-2019-19781 (the latter an unauthenticated directory traversal in Citrix ADC and Gateway that was being mass-exploited from January 2020, and for which Citrix shipped fixes before Nefilim appeared). To reduce exposure, organizations are advised to enforce strong passwords, disable RDP where it is not needed and never expose it directly to the internet, patch internet-facing gateways promptly, and keep offline, tested backups. One caveat a practitioner should keep in mind: backups address the encryption, not the leak. Once data has been exfiltrated, restoring from backup does nothing about the extortion, which is why preventing the initial access and detecting exfiltration matter more against this class of attacker than recovery alone.
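As an added example (not from the original article, from Citrix, or from the Nefilim operators), the Python below scans access-log lines for the CVE-2019-19781 path-traversal pattern, a request that climbs from the authenticated /vpn/ path into /vpns/ via a dot-dot segment, including URL-encoded and double-encoded forms. The Apache-style log layout, the IP addresses and the timestamps are constructed assumptions; adjust the regex to the appliance's actual httpaccess.log format. The traversal signature itself is the one given in widely published detection guidance for the bug.

```python
"""Flag CVE-2019-19781-style traversal attempts in Citrix ADC/Gateway access logs.

Added example, not code from the article or from Citrix. The sample log lines
and their format are constructed for illustration.
"""
import re
from typing import NamedTuple
from urllib.parse import unquote

# Constructed sample lines (not real traffic): two hosts probing, one normal user.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 1843
203.0.113.7 - - [12/Jan/2020:03:14:09 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1048
203.0.113.7 - - [12/Jan/2020:03:14:12 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.23 - - [12/Jan/2020:03:15:01 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0
192.0.2.44 - - [12/Jan/2020:03:16:30 +0000] "GET /logon/LogonPoint/tmindex.html HTTP/1.1" 200 4109
192.0.2.44 - - [12/Jan/2020:03:16:31 +0000] "GET /vpn/images/logo.png HTTP/1.1" 200 3301
"""

# Assumed Apache-style combined format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Dot-dot segment that lands in /vpns/, checked after decoding so %2e%2e is caught.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\./vpns/", re.IGNORECASE)


class Hit(NamedTuple):
    ip: str
    ts: str
    method: str
    path: str
    status: int


def normalize_path(raw: str) -> str:
    """Drop the query string and URL-decode twice to defeat double encoding."""
    path = raw.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def is_traversal_to_vpns(path: str) -> bool:
    """True if the request reaches /vpns/ through a dot-dot segment."""
    return bool(TRAVERSAL_RE.search(normalize_path(path)))


def find_traversal_attempts(log_text: str) -> list:
    """Return every parsed line whose path matches the traversal signature.

    Status is kept but not filtered on: a 403 still means someone is scanning
    for the bug, which is worth knowing even on a mitigated appliance.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format; skip rather than guess
        if is_traversal_to_vpns(m["path"]):
            hits.append(Hit(m["ip"], m["ts"], m["method"], m["path"], int(m["status"])))
    return hits


def group_by_source(hits: list) -> dict:
    """Group hits per source IP so a successful POST can be escalated per host."""
    by_ip: dict = {}
    for h in hits:
        by_ip.setdefault(h.ip, []).append(h)
    return by_ip


if __name__ == "__main__":
    for ip, hs in group_by_source(find_traversal_attempts(SAMPLE_LOG)).items():
        print(ip)
        for h in hs:
            print(f"  {h.ts} {h.method} {h.path} -> {h.status}")
```

A GET for the configuration file followed by a POST to a script under /vpns/ from the same source, both answered with 200, is the pattern to escalate: the read confirms the traversal works and the write is how attackers planted their payload. A 403 on the same path indicates scanning against a mitigated host and is worth recording but not an incident on its own.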
One of Nefilim's highest-profile victims was the Australian logistics company Toll Group, attacked in May 2020. Toll Group refused to pay, and Nefilim followed through on its threat, leaking sensitive data and publicly deriding the company's security practices. Nefilim encrypts files with AES-128 and handles ransom negotiations over email rather than through a Tor payment portal. According to researchers Vitali Kremez and Michael Gillespie (the latter of ID Ransomware), Nefilim appears to be based on the Nemty code base.
Nefilim's combination of exfiltration and public shaming is part of a wider trend: once attackers hold a copy of the data, restoring from backup no longer settles the matter, and the decision about the ransom becomes a decision about disclosure. Organizations should treat any ransomware intrusion as a probable data breach and plan prevention, detection and response on that basis.