win.nefilim

Nefilim Ransomware

aka: Nephilim Ransomware

According to Vitali Kremez and Michael Gillespie, this ransomware shares much of its code with Nemty 2.5. One difference is the removal of the RaaS component: payment handling was switched to email communication with the victim. Files are encrypted with AES-128, and the AES key material is in turn protected with RSA-2048.

References
2020-07-15, FireEye: Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} }
Families: DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim Ransomware, Snake Ransomware

2020-06-16, New Zealand CERT: New Zealand CERT
@online{cert:20200616:active:1c01229, author = {New Zealand CERT}, title = {{Active ransomware campaign leveraging remote access technologies}}, date = {2020-06-16}, organization = {New Zealand CERT}, url = {https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/}, language = {English}, urldate = {2020-06-21} }
Families: Nefilim Ransomware

2020-05-04, SentinelOne: Jim Walter
@online{walter:20200504:meet:7943fa2, author = {Jim Walter}, title = {{Meet NEMTY Successor, Nefilim/Nephilim Ransomware}}, date = {2020-05-04}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/}, language = {English}, urldate = {2020-06-22} }
Families: Nefilim Ransomware, Nemty

2020-03-24, Bleeping Computer: Lawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} }
Families: Clop, DoppelPaymer, Maze, Nefilim Ransomware, Nemty, REvil

2020-03-23, Trend Micro: Trend Micro
@online{micro:20200323:nefilim:aaca451, author = {Trend Micro}, title = {{Nefilim Ransomware Threatens to Expose Stolen Data}}, date = {2020-03-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data}, language = {English}, urldate = {2020-06-22} }
Families: Nefilim Ransomware

2020-03-17, Bleeping Computer: Lawrence Abrams
@online{abrams:20200317:new:d6fa158, author = {Lawrence Abrams}, title = {{New Nefilim Ransomware Threatens to Release Victims' Data}}, date = {2020-03-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/}, language = {English}, urldate = {2020-03-19} }
Families: Nefilim Ransomware

2020-03-14, ID Ransomware: Andrew Ivanov
@online{ivanov:20200314:nefilim:329ccf1, author = {Andrew Ivanov}, title = {{Nefilim Ransomware}}, date = {2020-03-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html}, language = {English}, urldate = {2020-03-22} }
Families: Nefilim Ransomware
Yara Rules
[TLP:WHITE] win_nefilim_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_nefilim_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 764f 56 83f810 7534 50 8d45ec 57 }
            // n = 7, score = 200
            //   764f                 | jbe                 0x51
            //   56                   | push                esi
            //   83f810               | cmp                 eax, 0x10
            //   7534                 | jne                 0x36
            //   50                   | push                eax
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   57                   | push                edi

        $sequence_1 = { ff742424 ff74241c ffd7 53 ff15???????? 53 }
            // n = 6, score = 200
            //   ff742424             | push                dword ptr [esp + 0x24]
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   ffd7                 | call                edi
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   53                   | push                ebx

        $sequence_2 = { 8b4c241c 53 03c6 53 13cb }
            // n = 5, score = 200
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   53                   | push                ebx
            //   03c6                 | add                 eax, esi
            //   53                   | push                ebx
            //   13cb                 | adc                 ecx, ebx

        $sequence_3 = { ffd7 8d4df4 83ec1c 8945ec }
            // n = 4, score = 200
            //   ffd7                 | call                edi
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   83ec1c               | sub                 esp, 0x1c
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax

        $sequence_4 = { 50 ffd6 85c0 0f8470030000 68???????? 8d8424d0000000 50 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f8470030000         | je                  0x376
            //   68????????           |                     
            //   8d8424d0000000       | lea                 eax, [esp + 0xd0]
            //   50                   | push                eax

        $sequence_5 = { 68???????? 8d742444 e8???????? 6a01 33ff e8???????? }
            // n = 6, score = 200
            //   68????????           |                     
            //   8d742444             | lea                 esi, [esp + 0x44]
            //   e8????????           |                     
            //   6a01                 | push                1
            //   33ff                 | xor                 edi, edi
            //   e8????????           |                     

        $sequence_6 = { 8b4c2430 397c2444 7304 8d4c2430 }
            // n = 4, score = 200
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   397c2444             | cmp                 dword ptr [esp + 0x44], edi
            //   7304                 | jae                 6
            //   8d4c2430             | lea                 ecx, [esp + 0x30]

        $sequence_7 = { 8bf0 a1???????? 59 8975fc 7305 b8???????? ff35???????? }
            // n = 7, score = 200
            //   8bf0                 | mov                 esi, eax
            //   a1????????           |                     
            //   59                   | pop                 ecx
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   7305                 | jae                 7
            //   b8????????           |                     
            //   ff35????????         |                     

        $sequence_8 = { 46 3b75f0 7ceb 8b4dfc 5f 5e }
            // n = 6, score = 200
            //   46                   | inc                 esi
            //   3b75f0               | cmp                 esi, dword ptr [ebp - 0x10]
            //   7ceb                 | jl                  0xffffffed
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_9 = { 6689442450 57 8d4508 8d4c2454 89742468 897c2464 }
            // n = 6, score = 200
            //   6689442450           | mov                 word ptr [esp + 0x50], ax
            //   57                   | push                edi
            //   8d4508               | lea                 eax, [ebp + 8]
            //   8d4c2454             | lea                 ecx, [esp + 0x54]
            //   89742468             | mov                 dword ptr [esp + 0x68], esi
            //   897c2464             | mov                 dword ptr [esp + 0x64], edi

    condition:
        7 of them and filesize < 142336
}
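The rule above is meant to be loaded into yara or yara-python. To make its condition concrete, here is an added example, not part of the Malpedia page and not yara-signator's code, that implements a minimal matcher for the rule's hex strings in Python: it takes the ten $sequence_N hex strings copied from the rule, treats each "??" as a one-byte wildcard, records where every sequence occurs in a buffer, and then applies the "7 of them and filesize < 142336" condition. The input buffers are constructed from the patterns themselves with NOP padding and are not bytes from a real Nefilim sample.

```python
import re

# Hex sequences copied from the win_nefilim_auto rule above. yara-signator writes
# "??" for bytes it does not want to pin down: relative call targets (e8 ????????),
# absolute addresses (ff15 ????????, a1 ????????) and pushed pointers (68 ????????)
# change between builds, so only the opcode byte is matched.
RULE_SEQUENCES = {
    "sequence_0": "764f 56 83f810 7534 50 8d45ec 57",
    "sequence_1": "ff742424 ff74241c ffd7 53 ff15???????? 53",
    "sequence_2": "8b4c241c 53 03c6 53 13cb",
    "sequence_3": "ffd7 8d4df4 83ec1c 8945ec",
    "sequence_4": "50 ffd6 85c0 0f8470030000 68???????? 8d8424d0000000 50",
    "sequence_5": "68???????? 8d742444 e8???????? 6a01 33ff e8????????",
    "sequence_6": "8b4c2430 397c2444 7304 8d4c2430",
    "sequence_7": "8bf0 a1???????? 59 8975fc 7305 b8???????? ff35????????",
    "sequence_8": "46 3b75f0 7ceb 8b4dfc 5f 5e",
    "sequence_9": "6689442450 57 8d4508 8d4c2454 89742468 897c2464",
}
MIN_MATCHES = 7        # condition: "7 of them"
MAX_FILESIZE = 142336  # condition: "filesize < 142336"


def hex_pattern_to_regex(pattern: str):
    """Compile a YARA-style hex string (whole-byte '??' wildcards only) to a bytes regex."""
    hexstr = pattern.replace(" ", "")
    if len(hexstr) % 2:
        raise ValueError("odd-length hex pattern: %r" % pattern)
    parts = []
    for i in range(0, len(hexstr), 2):
        byte = hexstr[i:i + 2]
        if byte == "??":
            parts.append(b".")  # any single byte
        elif "?" in byte:
            raise ValueError("nibble wildcards not supported: %r" % byte)
        else:
            parts.append(re.escape(bytes([int(byte, 16)])))
    # DOTALL so that '.' also matches 0x0a, which is a perfectly valid opcode byte.
    return re.compile(b"".join(parts), re.DOTALL)


def match_sequences(data: bytes) -> dict:
    """Map each sequence name to the list of offsets at which it occurs in data."""
    hits = {}
    for name, pattern in RULE_SEQUENCES.items():
        offsets = [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition: at least 7 distinct sequences present and filesize < 142336."""
    if len(data) >= MAX_FILESIZE:
        return False
    return len(match_sequences(data)) >= MIN_MATCHES


def instantiate(pattern: str, filler: int = 0x41) -> bytes:
    """Turn a pattern into concrete bytes by filling wildcards (used only to build sample input)."""
    hexstr = pattern.replace(" ", "")
    return bytes(filler if hexstr[i:i + 2] == "??" else int(hexstr[i:i + 2], 16)
                 for i in range(0, len(hexstr), 2))


# Constructed sample buffers (not real Nefilim bytes): sequences glued together with NOP padding.
NOPS = b"\x90" * 8
SAMPLE_HIT = NOPS + NOPS.join(instantiate(RULE_SEQUENCES["sequence_%d" % i]) for i in range(7)) + NOPS
SAMPLE_MISS = NOPS + NOPS.join(instantiate(RULE_SEQUENCES["sequence_%d" % i]) for i in range(3)) + NOPS


if __name__ == "__main__":
    for label, buf in (("seven sequences", SAMPLE_HIT), ("three sequences", SAMPLE_MISS)):
        print(label, sorted(match_sequences(buf)), rule_matches(buf))
    # The same bytes padded past the filesize bound no longer satisfy the condition.
    print("oversized", rule_matches(SAMPLE_HIT + b"\x00" * MAX_FILESIZE))
```

Two things the condition makes visible when written out this way. The filesize bound means the rule targets the unpacked executable and memory dumps of roughly 139 KiB or less, consistent with the rule's own disclaimer that the strings were taken from unpacked files and memory dumps; a packed dropper or a full process dump will not match regardless of content, so unpack or carve first. The "??" wildcards are what let the rule survive recompilation, since relative call offsets and absolute addresses are the bytes most likely to shift. For production scanning, feed the rule to the real engine, e.g. `yara -r win_nefilim_auto.yar <directory>`, rather than this matcher, which supports neither nibble wildcards nor jumps nor the rest of the YARA hex-string grammar.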