
Nefilim Ransomware Warned: Menacing Extortion Tactics Target High-Profile Organizations

Nefilim's unique extortion tactics make it a formidable threat. Organizations urged to bolster cybersecurity measures.


Cybersecurity experts have warned about the rising threat of Nefilim ransomware, which has gained notoriety for its extortion tactics. The malware, first detected in March 2020, has targeted high-profile organisations and employs a particularly menacing strategy.

Nefilim's modus operandi involves exfiltrating sensitive data from infected systems before encryption. This data is then posted on the dark web if ransoms are not paid, adding a layer of extortion to the typical ransomware attack. This technique bypasses some mitigations like backups, which would otherwise allow recovery without paying the ransom.

One of the most prominent victims of Nefilim was the New York Metropolitan Transportation Authority (MTA) in May 2020. Around the same time, the Australian shipping giant Toll Group also fell prey to this malicious software. Nefilim's codebase is based on Nemty, according to experts Vitali Kremez and Michael Gillespie of ID Ransomware.

The malware gains initial access through vulnerabilities in Citrix gateway devices, such as CVE-2019-11634 and CVE-2019-19781, and through exposed Remote Desktop Protocol (RDP) setups and other known vulnerabilities. Once inside, it relies on tools like PsExec for lateral movement within the targeted network. Nefilim uses AES-128 encryption to lock files, appends the '.NEFILIM' extension to encrypted files, and demands payment via email.

To mitigate Nefilim attacks, organisations are advised to maintain strong passwords, disable RDP if not used, and regularly update software and back up important files. The rise of extortion malware like Nefilim underscores the importance of robust malware protection and incident response planning.
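As an added illustration of the incident response side (not code from the article), the following checks a normalised event feed for two indicators the article describes: a burst of files carrying the '.NEFILIM' extension on one host, and a PsExec service install (PSEXESVC) on the same host. The event format and sample events are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample events (not from the article), shaped like a SIEM's
# normalised file-create and Windows service-install records.
SAMPLE_EVENTS = [
    {"host": "fs01", "type": "file_create", "path": r"C:\Shares\Finance\Q1.xlsx.NEFILIM"},
    {"host": "fs01", "type": "file_create", "path": r"C:\Shares\Finance\Q2.xlsx.NEFILIM"},
    {"host": "fs01", "type": "file_create", "path": r"C:\Shares\HR\payroll.docx.NEFILIM"},
    {"host": "ws07", "type": "file_create", "path": r"C:\Users\alice\notes.txt"},
    {"host": "fs01", "type": "service_install", "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ws07", "type": "service_install", "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
]

# Extension Nefilim appends to encrypted files (from the article).
ENCRYPTED_EXT = re.compile(r"\.NEFILIM$", re.IGNORECASE)
# Service name PsExec registers on the remote host when it runs.
PSEXEC_SERVICE = re.compile(r"^PSEXESVC$", re.IGNORECASE)


def find_indicators(events, threshold=3):
    """Summarise Nefilim-style indicators per host.

    A host is flagged when it shows at least `threshold` newly written
    '.NEFILIM' files, or any such file together with a PsExec service
    install, which matches the lateral-movement-then-encrypt sequence
    described in the article.
    """
    encrypted = Counter()
    psexec_hosts = set()
    for ev in events:
        if ev["type"] == "file_create" and ENCRYPTED_EXT.search(ev["path"]):
            encrypted[ev["host"]] += 1
        elif ev["type"] == "service_install" and PSEXEC_SERVICE.match(ev.get("service", "")):
            psexec_hosts.add(ev["host"])

    findings = {}
    for host in set(encrypted) | psexec_hosts:
        count = encrypted[host]
        findings[host] = {
            "encrypted_files": count,
            "psexec_service": host in psexec_hosts,
            "alert": count >= threshold or (count > 0 and host in psexec_hosts),
        }
    return findings


if __name__ == "__main__":
    for host, info in sorted(find_indicators(SAMPLE_EVENTS).items()):
        print(host, info)
```

Hosts that only see benign service installs and ordinary file writes, like `ws07` above, produce no finding.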
