win.nefilim

Nefilim

aka: Nephilim

According to Vitali Kremez and Michael Gillespie, this ransomware shares much of its code with Nemty 2.5. One difference is the removal of the RaaS component, which was replaced by email communications for payments. It uses AES-128, which is then protected by RSA-2048.

References
2022-03-17 | Sophos | Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-10-05 | Trend Micro | Byron Gelera, Fyodor Yarochkin, Janus Agcaoili, Nikko Tamana
Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk
2021-07-14 | Intel 471 | Intel 471
How cybercriminals create turbulence for the transportation industry
Mount Locker Nefilim
2021-06-28 | Trend Micro | Trend Micro
Nefilim Ransomware Attack Through a MITRE Att&ck Lens
Nefilim
2021-06-08 | Trend Micro | David Sancho, Feike Hacquebord, Fernando Mercês, Ian Kenefick, Mayra Fuentes, Robert McArdle, Stephen Hilt, Vladimir Kropotov
Modern Ransomware’s Double Extortion Tactics and How to Protect Enterprises Against Them
Nefilim
2021-05-25 | Kaspersky | Fedor Sinitsyn, Yanis Zinchenko
Evolution of JSWorm ransomware
Nefilim Nemty
2021-05-12 | Qualys | Bajrang Mane
Nefilim Ransomware
Nefilim
2021-05-10 | DarkTracer | DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-04-25 | Vulnerability.ch Blog | Corsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-02-28 | PWC UK | PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-25 | Intezer | Intezer
Year of the Gopher: A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy
2021-02-23 | Trend Micro | Byron Gelera, Janus Agcaoili
An Analysis of the Nefilim Ransomware
Nefilim
2021-01-26 | SophosLabs Uncut | Bill Kearney, David Anderson, Michael Heller, Peter Mackenzie, Sergio Bestulic
Nefilim Ransomware Attack Uses “Ghost” Credentials
Nefilim
2021-01-01 | Secureworks | SecureWorks
Threat Profile: GOLD MANSARD
Nefilim Nemty GOLD MANSARD
2020-12-28 | Bleeping Computer | Lawrence Abrams
Home appliance giant Whirlpool hit in Nefilim ransomware attack
Nefilim
2020-12-16 | Accenture | Paul Mansfield
Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-12-10 | US-CERT | FBI, MS-ISAC, US-CERT
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-03 | PICUS Security | Süleyman Özarslan
How to Beat Nefilim Ransomware Attacks
Nefilim
2020-10-23 | Hornetsecurity | Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-08-25 | KELA | Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-07-15 | Mandiant | Corey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake
2020-06-16 | New Zealand CERT | New Zealand CERT
Active ransomware campaign leveraging remote access technologies
Nefilim
2020-05-04 | SentinelOne | Jim Walter
Meet NEMTY Successor, Nefilim/Nephilim Ransomware
Nefilim Nemty
2020-03-24 | Bleeping Computer | Lawrence Abrams
Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil
2020-03-23 | Trend Micro | Trend Micro
Nefilim Ransomware Threatens to Expose Stolen Data
Nefilim
2020-03-17 | Bleeping Computer | Lawrence Abrams
New Nefilim Ransomware Threatens to Release Victims' Data
Nefilim
2020-03-14 | ID Ransomware | Andrew Ivanov
Nefilim Ransomware
Nefilim
2020-01-01 | Blackberry | Blackberry Research
State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
Yara Rules
[TLP:WHITE] win_nefilim_auto (20260504 | Detects win.nefilim.)
rule win_nefilim_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.nefilim."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8810 40 49 75f7 8b4dfc 5f 33cd }
            // n = 7, score = 200
            //   8810                 | mov                 byte ptr [eax], dl
            //   40                   | inc                 eax
            //   49                   | dec                 ecx
            //   75f7                 | jne                 0xfffffff9
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   33cd                 | xor                 ecx, ebp

        $sequence_1 = { 7d0d 8a4c181c 8888b8e54000 40 ebe9 }
            // n = 5, score = 200
            //   7d0d                 | jge                 0xf
            //   8a4c181c             | mov                 cl, byte ptr [eax + ebx + 0x1c]
            //   8888b8e54000         | mov                 byte ptr [eax + 0x40e5b8], cl
            //   40                   | inc                 eax
            //   ebe9                 | jmp                 0xffffffeb

        $sequence_2 = { be???????? 56 bb???????? 53 ffd7 85c0 }
            // n = 6, score = 200
            //   be????????           |                     
            //   56                   | push                esi
            //   bb????????           |                     
            //   53                   | push                ebx
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax

        $sequence_3 = { ffd6 85c0 0f8436010000 8b442414 }
            // n = 4, score = 200
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f8436010000         | je                  0x13c
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]

        $sequence_4 = { 50 ffd7 8d4df4 83ec1c }
            // n = 4, score = 200
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   83ec1c               | sub                 esp, 0x1c

        $sequence_5 = { f7db 1adb 6a01 33ff 8d75c4 e8???????? }
            // n = 6, score = 200
            //   f7db                 | neg                 ebx
            //   1adb                 | sbb                 bl, bl
            //   6a01                 | push                1
            //   33ff                 | xor                 edi, edi
            //   8d75c4               | lea                 esi, [ebp - 0x3c]
            //   e8????????           |                     

        $sequence_6 = { 75f7 8b4dfc 5f 33cd }
            // n = 4, score = 200
            //   75f7                 | jne                 0xfffffff9
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   33cd                 | xor                 ecx, ebp

        $sequence_7 = { 0f862d020000 be48e80100 eb04 8b4c2418 2b4c2428 }
            // n = 5, score = 200
            //   0f862d020000         | jbe                 0x233
            //   be48e80100           | mov                 esi, 0x1e848
            //   eb04                 | jmp                 6
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   2b4c2428             | sub                 ecx, dword ptr [esp + 0x28]

        $sequence_8 = { f3a5 ff2495d0324000 8bc7 ba03000000 83e904 720c }
            // n = 6, score = 200
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff2495d0324000       | jmp                 dword ptr [edx*4 + 0x4032d0]
            //   8bc7                 | mov                 eax, edi
            //   ba03000000           | mov                 edx, 3
            //   83e904               | sub                 ecx, 4
            //   720c                 | jb                  0xe

        $sequence_9 = { ff74242c 8944242c e8???????? ff74242c e8???????? be00010000 56 }
            // n = 7, score = 200
            //   ff74242c             | push                dword ptr [esp + 0x2c]
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   e8????????           |                     
            //   ff74242c             | push                dword ptr [esp + 0x2c]
            //   e8????????           |                     
            //   be00010000           | mov                 esi, 0x100
            //   56                   | push                esi

    condition:
        7 of them and filesize < 142336
}