Nefilm Ransomware Group Eyes for $1bn+ Revenue Companies

On Tuesday, Trend Micro released a case study analyzing Nefilim, a ransomware gang that the researchers believe is or was once linked with Nemty as a ransomware-as-a-service (RaaS) outfit. 

Nemty first surfaced in 2019 together with Sentinel Labs, Trend Micro claims that Nefilim first surfaced in March 2020. Both actors, named “Water Roc” by the firm, offered RaaS subscription services with a 70/30 split, with margins dropping to 90/10 when high-profile victims were snatched by affiliates. 

According to Trend Micro, Nefilim looks for vulnerabilities in exposed Remote Desktop Services (RDP) services and public proof-of-concept (PoC) exploit code. The two known vulnerabilities, CVE-2019-19781 and CVE-2019-11634 in Citrix gateway devices were patched in 2020. When unpatched services are discovered, however, exploit code is run and first access is gained. Nefilim starts by downloading a Cobalt Strike beacon, Process Hacker (for terminating endpoint security agents), Mimikatz credentials dumper, and other tools. 

Nefilim was also able to exploit CVE-2017-0213, an outdated weakness in Windows Component Object Model (COM) software, in one case reported by the researchers. Even though a patch was released in 2017, the problem remained, allowing the group to raise their powers to administrator levels. 

For lateral movement and access to corporate networks, ransomware operators may use stolen or easily forced credentials and MEGAsync could be used to steal data during an assault. The ransomware Nefilim will then be installed and begin encrypting data. Although the extensions differ, the group has been related to the extensions .Nephilim, Merin, and .Off-White. 

For each file queued for encryption, a random AES key is produced. The malware will then use a fixed RC4 key to decrypt a ransom note, which provides email addresses for victims to reach them regarding payment. 

The researchers stated, “To enable file decryption in case the victim pays the ransom amount, the malware encrypts the generated AES key with a fixed RSA public key and appends it to the encrypted file. To date, only the attackers can decrypt this scheme as they alone own the paired private RSA key.” 

When it comes to victims, Nefilim has been linked to assaults against companies with yearly revenues of $1 billion or more; nevertheless, the malware’s operators have also affected small companies. The majority of victims are in the US, followed by Europe, Asia, and Oceania. 

Trend Micro reported, “Modern attackers have moved on from widespread mass-mailed indiscriminate ransomware to a new model that is much more dangerous.” 

“Today, corporations are subject to these new APT-level ransomware attacks. In fact, they can be worse than APTs because ransomware often ends up destroying data, whereas information-stealing APTs are almost never destructive. There is a more pressing need to defend organizations against ransomware attacks, and now, the stakes are much higher.”