win.nefilim (Back to overview)

Nefilim Ransomware

aka: Nephilim Ransomware

According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. One difference is the removal of the RaaS component, which was replaced by email communication for payments. It uses AES-128, with the AES key in turn protected by RSA-2048.

References
2020-12-28Bleeping ComputerLawrence Abrams
@online{abrams:20201228:home:5e0aaf7, author = {Lawrence Abrams}, title = {{Home appliance giant Whirlpool hit in Nefilim ransomware attack}}, date = {2020-12-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/}, language = {English}, urldate = {2021-01-01} } Home appliance giant Whirlpool hit in Nefilim ransomware attack
Nefilim Ransomware
2020-12-16AccenturePaul Mansfield
@online{mansfield:20201216:tracking:25540bd, author = {Paul Mansfield}, title = {{Tracking and combatting an evolving danger: Ransomware extortion}}, date = {2020-12-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion}, language = {English}, urldate = {2020-12-17} } Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim Ransomware RagnarLocker REvil Ryuk SunCrypt
2020-12-10US-CERTUS-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim Ransomware REvil Ryuk Zeus
2020-12-03PICUS SecuritySüleyman Özarslan
@online{zarslan:20201203:how:9bb7c27, author = {Süleyman Özarslan}, title = {{How to Beat Nefilim Ransomware Attacks}}, date = {2020-12-03}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks}, language = {English}, urldate = {2020-12-08} } How to Beat Nefilim Ransomware Attacks
Nefilim Ransomware
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {{Hornetsecurity Security Lab}}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Ransomware Clop Conti Ransomware DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim Ransomware RagnarLocker REvil Sekhmet Ransomware SunCrypt
2020-07-15FireEyeNathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
DoppelPaymer LockerGoga Maze MegaCortex Nefilim Ransomware Snake Ransomware
2020-06-16New Zealand CERTNew Zealand CERT
@online{cert:20200616:active:1c01229, author = {{New Zealand CERT}}, title = {{Active ransomware campaign leveraging remote access technologies}}, date = {2020-06-16}, organization = {New Zealand CERT}, url = {https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/}, language = {English}, urldate = {2020-06-21} } Active ransomware campaign leveraging remote access technologies
Nefilim Ransomware
2020-05-04SentinelOneJim Walter
@online{walter:20200504:meet:7943fa2, author = {Jim Walter}, title = {{Meet NEMTY Successor, Nefilim/Nephilim Ransomware}}, date = {2020-05-04}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/}, language = {English}, urldate = {2020-06-22} } Meet NEMTY Successor, Nefilim/Nephilim Ransomware
Nefilim Ransomware Nemty
2020-03-24Bleeping ComputerLawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Ransomware Nemty REvil
2020-03-23Trend MicroTrend Micro
@online{micro:20200323:nefilim:aaca451, author = {{Trend Micro}}, title = {{Nefilim Ransomware Threatens to Expose Stolen Data}}, date = {2020-03-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data}, language = {English}, urldate = {2020-06-22} } Nefilim Ransomware Threatens to Expose Stolen Data
Nefilim Ransomware
2020-03-17Bleeping ComputerLawrence Abrams
@online{abrams:20200317:new:d6fa158, author = {Lawrence Abrams}, title = {{New Nefilim Ransomware Threatens to Release Victims' Data}}, date = {2020-03-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/}, language = {English}, urldate = {2020-03-19} } New Nefilim Ransomware Threatens to Release Victims' Data
Nefilim Ransomware
2020-03-14ID RansomwareAndrew Ivanov
@online{ivanov:20200314:nefilim:329ccf1, author = {Andrew Ivanov}, title = {{Nefilim Ransomware}}, date = {2020-03-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html}, language = {English}, urldate = {2020-03-22} } Nefilim Ransomware
Nefilim Ransomware
2020BlackberryBlackberry Research
@techreport{research:2020:state:e5941af, author = {{Blackberry Research}}, title = {{State of Ransomware}}, date = {2020}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf}, language = {English}, urldate = {2021-01-01} } State of Ransomware
Maze MedusaLocker Nefilim Ransomware Phobos Ransomware REvil Ryuk STOP Ransomware Zeppelin Ransomware
Yara Rules
[TLP:WHITE] win_nefilim_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_nefilim_auto {

    // Autogenerated code-based detection rule for the win.nefilim family
    // (see malpedia_reference). The strings are raw x86 opcode byte sequences
    // selected by yara-signator from disassembly; nothing here is hand-curated.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of consecutive instructions encoded as hex
    // bytes. The "??" wildcards mask operand bytes that change between builds
    // or relocations (call/jmp displacements, absolute addresses pushed or
    // referenced), so only the opcode skeleton is matched there. In the
    // annotations, "n" is the number of instructions in the sequence; "score"
    // is yara-signator's internal ranking for the sequence (semantics are
    // defined by the tool, not by YARA).
    strings:
        $sequence_0 = { 66890c58 8bde 8b7508 e8???????? 8bc6 5e 5b }
            // n = 7, score = 200
            //   66890c58             | mov                 word ptr [eax + ebx*2], cx
            //   8bde                 | mov                 ebx, esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_1 = { 53 8db42488000000 e8???????? 53 8d742450 e8???????? 53 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   8db42488000000       | lea                 esi, [esp + 0x88]
            //   e8????????           |                     
            //   53                   | push                ebx
            //   8d742450             | lea                 esi, [esp + 0x50]
            //   e8????????           |                     
            //   53                   | push                ebx

        $sequence_2 = { 4a 741d 4a 7409 4a 752e 080c30 }
            // n = 7, score = 200
            //   4a                   | dec                 edx
            //   741d                 | je                  0x1f
            //   4a                   | dec                 edx
            //   7409                 | je                  0xb
            //   4a                   | dec                 edx
            //   752e                 | jne                 0x30
            //   080c30               | or                  byte ptr [eax + esi], cl

        $sequence_3 = { c1e606 033485a0f94000 8b45f8 8b00 8906 }
            // n = 5, score = 200
            //   c1e606               | shl                 esi, 6
            //   033485a0f94000       | add                 esi, dword ptr [eax*4 + 0x40f9a0]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8906                 | mov                 dword ptr [esi], eax

        $sequence_4 = { 8bc6 e8???????? 8b75c0 8bd8 e8???????? e8???????? 83c41c }
            // n = 7, score = 200
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     
            //   8b75c0               | mov                 esi, dword ptr [ebp - 0x40]
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c

        $sequence_5 = { 7304 8d442414 68???????? 50 ffd6 85c0 0f8482000000 }
            // n = 7, score = 200
            //   7304                 | jae                 6
            //   8d442414             | lea                 eax, [esp + 0x14]
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f8482000000         | je                  0x88

        $sequence_6 = { 0f84b2040000 68???????? 8d8424d0000000 50 }
            // n = 4, score = 200
            //   0f84b2040000         | je                  0x4b8
            //   68????????           |                     
            //   8d8424d0000000       | lea                 eax, [esp + 0xd0]
            //   50                   | push                eax

        $sequence_7 = { 8d8424d0000000 50 ffd6 85c0 7421 8b4c2430 397c2444 }
            // n = 7, score = 200
            //   8d8424d0000000       | lea                 eax, [esp + 0xd0]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   7421                 | je                  0x23
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   397c2444             | cmp                 dword ptr [esp + 0x44], edi

        $sequence_8 = { 66890c453cf94000 40 ebe8 33c0 8945e4 }
            // n = 5, score = 200
            //   66890c453cf94000     | mov                 word ptr [eax*2 + 0x40f93c], cx
            //   40                   | inc                 eax
            //   ebe8                 | jmp                 0xffffffea
            //   33c0                 | xor                 eax, eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_9 = { 59 e9???????? 51 53 ff15???????? 50 }
            // n = 6, score = 200
            //   59                   | pop                 ecx
            //   e9????????           |                     
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   50                   | push                eax

    // Match requires 7 of the 10 sequences AND a scanned object smaller than
    // 142336 bytes (139 KiB). Deployment notes: YARA's `filesize` is undefined
    // when scanning process memory, which makes the whole condition evaluate
    // false there; and because the sequences were taken from unpacked code and
    // memory dumps (see DISCLAIMER), packed on-disk samples are unlikely to
    // match, so run this against unpacked files or dumped images.
    condition:
        7 of them and filesize < 142336
}