Nefilim Ransomware: New Threat Exfiltrates Data Before Encryption

Nefilim ransomware is on the rise and is targeting high-profile organizations. Its tactic of exfiltrating data before encrypting it makes it a serious threat to businesses: a restored backup no longer ends the extortion.

Cybersecurity researchers have warned about the increasing threat of Nefilim ransomware. The malware, which emerged in March 2020, is known for its double-extortion tactics and has targeted high-profile organizations such as the Australian logistics giant Toll Group.

Nefilim's operators gain initial access through exposed Remote Desktop Protocol (RDP) services and through known vulnerabilities in Citrix gateway devices, such as CVE-2019-11634 and CVE-2019-19781. Once inside, they harvest credentials with Mimikatz, LaZagne and NetPass, and use PsExec to move laterally and push the ransomware to other hosts on the network.
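As an added example (not code from the article, nor from any vendor or researcher it cites), the following Python script shows how a defender could hunt for the two access patterns just described in exported logs: CVE-2019-19781 path-traversal requests against a Citrix gateway, and PsExec service installations (Windows System event 7045, service name PSEXESVC) on internal hosts. The log formats, sample lines, host names and IP addresses are constructed for the example; the traversal regex is an illustrative pattern, not a vendor signature.

```python
"""Hunt for two Nefilim-style intrusion indicators in exported logs.

Added example; the log formats, sample lines, hosts and addresses below
are constructed for illustration.
"""
import re
from urllib.parse import unquote

# CVE-2019-19781 exploitation reaches the /vpns/ directory by traversing
# out of /vpn/. Illustrative pattern (an assumption for this example, not a
# vendor signature); the path is URL-decoded first so %2e%2e is caught too.
CITRIX_TRAVERSAL = re.compile(r"/vpn/(?:\.\./)+vpns/", re.IGNORECASE)

# Combined-format web access log line (format assumed for the example).
ACCESS_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Windows System log exported as CSV: timestamp,host,event_id,service,image
# (format assumed for the example). Event 7045 = "a service was installed".
SERVICE_LINE = re.compile(
    r"^(?P<ts>\S+),(?P<host>[^,]+),7045,(?P<svc>[^,]+),(?P<image>.*)$"
)

# Constructed sample data (documentation address ranges, fictional hosts).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1172',
    '203.0.113.7 - - [10/Jan/2020:03:14:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 84',
    '198.51.100.23 - - [10/Jan/2020:03:15:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 4501',
    '203.0.113.9 - - [10/Jan/2020:03:16:10 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 1172',
]
SAMPLE_SYSTEM_LOG = [
    "2020-05-01T02:10:11,FS01,7045,PSEXESVC,%SystemRoot%\\PSEXESVC.exe",
    "2020-05-01T02:10:40,FS01,7045,Sense,C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
    "2020-05-01T02:10:50,FS01,7036,PSEXESVC,The PSEXESVC service entered the running state.",
    "2020-05-01T02:11:02,DC01,7045,PSEXESVC,%SystemRoot%\\PSEXESVC.exe",
]


def find_citrix_traversal(lines):
    """Return (source_ip, decoded_path) for each request that traverses
    from /vpn/ into /vpns/ on a Citrix gateway."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than crash
        path = unquote(m.group("path"))
        if CITRIX_TRAVERSAL.search(path):
            hits.append((m.group("src"), path))
    return hits


def find_psexec_services(lines):
    """Return (host, service_name) for each 7045 event that installs the
    PsExec service. PsExec's default remote service is PSEXESVC; an operator
    can rename it with -r, so a miss here is only absence of evidence."""
    hits = []
    for line in lines:
        m = SERVICE_LINE.match(line)
        if not m:
            continue  # other event IDs (e.g. 7036 state changes) are ignored
        svc, image = m.group("svc"), m.group("image")
        if svc.upper() == "PSEXESVC" or "psexesvc" in image.lower():
            hits.append((m.group("host"), svc))
    return hits


def triage(access_lines, system_lines):
    """Combine both hunts into one summary a responder can act on."""
    citrix = find_citrix_traversal(access_lines)
    psexec = find_psexec_services(system_lines)
    return {
        "citrix_requests": citrix,
        "citrix_sources": {src for src, _ in citrix},
        "psexec_hosts": {host for host, _ in psexec},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ACCESS_LOG, SAMPLE_SYSTEM_LOG).items():
        print(f"{key}: {value}")
```

Run it against real exports by replacing the two sample lists with lines read from the gateway's access log and a CSV export of the System event log. A Citrix hit on an unpatched appliance is a strong signal on its own; a PSEXESVC installation is common in legitimate administration, so correlate the host list with the time window of the gateway hits before escalating.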

The ransomware is believed to be based on Nemty's code, according to researchers Vitali Kremez and ID Ransomware's Michael Gillespie. It encrypts files with AES-128 and, unlike Nemty's Tor payment portal, handles ransom negotiation over email. What sets Nefilim apart, however, is that it exfiltrates sensitive data before encrypting it. If the ransom is not paid, the stolen data is published on the group's dark-web leak site, adding a second layer of extortion to the attack.

The rise of Nefilim and similar ransomware families reflects a broader shift in the threat landscape. By threatening to publish stolen data, these groups undermine the traditional recovery strategy of restoring from backups: a backup restores availability, but it cannot undo the disclosure. Organizations are therefore urged to harden or remove internet-exposed RDP services and to patch the Citrix gateway vulnerabilities noted above, since those are the entry points this group has relied on.
