SYMBOLCOMMON_NAMEaka. SYNONYMS
win.nefilim (Back to overview)

Nefilim Ransomware

aka: Nephilim Ransomware

According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is removal of the RaaS component, which was switched to email communications for payments. Uses AES-128, which is then protected RSA2048.

References
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-25IntezerIntezer
@techreport{intezer:20210225:year:eb47cd1, author = {Intezer}, title = {{Year of the Gopher A 2020 Go Malware Round-Up}}, date = {2021-02-25}, institution = {Intezer}, url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf}, language = {English}, urldate = {2021-02-25} } Year of the Gopher A 2020 Go Malware Round-Up
WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim Ransomware NjRAT Quasar RAT WellMess Zebrocy
2021-02-23Trend MicroByron Gelera, Janus Agcaoili
@online{gelera:20210223:analysis:a4c0c51, author = {Byron Gelera and Janus Agcaoili}, title = {{An Analysis of the Nefilim Ransomware}}, date = {2021-02-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html}, language = {English}, urldate = {2021-02-25} } An Analysis of the Nefilim Ransomware
Nefilim Ransomware
2021-01-26SophosLabs UncutMichael Heller, David Anderson, Peter Mackenzie, Sergio Bestulic, Bill Kearney
@online{heller:20210126:nefilim:6b20ee0, author = {Michael Heller and David Anderson and Peter Mackenzie and Sergio Bestulic and Bill Kearney}, title = {{Nefilim Ransomware Attack Uses “Ghost” Credentials}}, date = {2021-01-26}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/}, language = {English}, urldate = {2021-02-18} } Nefilim Ransomware Attack Uses “Ghost” Credentials
Nefilim Ransomware
2020-12-28Bleeping ComputerLawrence Abrams
@online{abrams:20201228:home:5e0aaf7, author = {Lawrence Abrams}, title = {{Home appliance giant Whirlpool hit in Nefilim ransomware attack}}, date = {2020-12-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/}, language = {English}, urldate = {2021-01-01} } Home appliance giant Whirlpool hit in Nefilim ransomware attack
Nefilim Ransomware
2020-12-16AccenturePaul Mansfield
@online{mansfield:20201216:tracking:25540bd, author = {Paul Mansfield}, title = {{Tracking and combatting an evolving danger: Ransomware extortion}}, date = {2020-12-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion}, language = {English}, urldate = {2020-12-17} } Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim Ransomware RagnarLocker REvil Ryuk SunCrypt
2020-12-10US-CERTUS-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim Ransomware REvil Ryuk Zeus
2020-12-03PICUS SecuritySüleyman Özarslan
@online{zarslan:20201203:how:9bb7c27, author = {Süleyman Özarslan}, title = {{How to Beat Nefilim Ransomware Attacks}}, date = {2020-12-03}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks}, language = {English}, urldate = {2020-12-08} } How to Beat Nefilim Ransomware Attacks
Nefilim Ransomware
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Ransomware Clop Conti Ransomware DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim Ransomware RagnarLocker REvil Sekhmet Ransomware SunCrypt
2020-07-15FireEyeNathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
@online{brubaker:20200715:financially:f217555, author = {Nathan Brubaker and Daniel Kapellmann Zafra and Keith Lunden and Ken Proska and Corey Hildebrandt}, title = {{Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families}}, date = {2020-07-15}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html}, language = {English}, urldate = {2020-07-16} } Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
DoppelPaymer LockerGoga Maze MegaCortex Nefilim Ransomware Snake Ransomware
2020-06-16New Zealand CERTNew Zealand CERT
@online{cert:20200616:active:1c01229, author = {New Zealand CERT}, title = {{Active ransomware campaign leveraging remote access technologies}}, date = {2020-06-16}, organization = {New Zealand CERT}, url = {https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/}, language = {English}, urldate = {2020-06-21} } Active ransomware campaign leveraging remote access technologies
Nefilim Ransomware
2020-05-04SentinelOneJim Walter
@online{walter:20200504:meet:7943fa2, author = {Jim Walter}, title = {{Meet NEMTY Successor, Nefilim/Nephilim Ransomware}}, date = {2020-05-04}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/}, language = {English}, urldate = {2020-06-22} } Meet NEMTY Successor, Nefilim/Nephilim Ransomware
Nefilim Ransomware Nemty
2020-03-24Bleeping ComputerLawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Ransomware Nemty REvil
2020-03-23Trend MicroTrend Micro
@online{micro:20200323:nefilim:aaca451, author = {Trend Micro}, title = {{Nefilim Ransomware Threatens to Expose Stolen Data}}, date = {2020-03-23}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data}, language = {English}, urldate = {2020-06-22} } Nefilim Ransomware Threatens to Expose Stolen Data
Nefilim Ransomware
2020-03-17Bleeping ComputerLawrence Abrams
@online{abrams:20200317:new:d6fa158, author = {Lawrence Abrams}, title = {{New Nefilim Ransomware Threatens to Release Victims' Data}}, date = {2020-03-17}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/}, language = {English}, urldate = {2020-03-19} } New Nefilim Ransomware Threatens to Release Victims' Data
Nefilim Ransomware
2020-03-14ID RansomwareAndrew Ivanov
@online{ivanov:20200314:nefilim:329ccf1, author = {Andrew Ivanov}, title = {{Nefilim Ransomware}}, date = {2020-03-14}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html}, language = {English}, urldate = {2020-03-22} } Nefilim Ransomware
Nefilim Ransomware
2020BlackberryBlackberry Research
@techreport{research:2020:state:e5941af, author = {Blackberry Research}, title = {{State of Ransomware}}, date = {2020}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf}, language = {English}, urldate = {2021-01-01} } State of Ransomware
Maze MedusaLocker Nefilim Ransomware Phobos Ransomware REvil Ryuk STOP Ransomware Zeppelin Ransomware
Yara Rules
[TLP:WHITE] win_nefilim_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_nefilim_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 66890c58 8bde 8b7508 e8???????? 8bc6 5e 5b }
            // n = 7, score = 200
            //   66890c58             | mov                 word ptr [eax + ebx*2], cx
            //   8bde                 | mov                 ebx, esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_1 = { 53 8db42488000000 e8???????? 53 8d742450 e8???????? 53 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   8db42488000000       | lea                 esi, [esp + 0x88]
            //   e8????????           |                     
            //   53                   | push                ebx
            //   8d742450             | lea                 esi, [esp + 0x50]
            //   e8????????           |                     
            //   53                   | push                ebx

        $sequence_2 = { 4a 741d 4a 7409 4a 752e 080c30 }
            // n = 7, score = 200
            //   4a                   | dec                 edx
            //   741d                 | je                  0x1f
            //   4a                   | dec                 edx
            //   7409                 | je                  0xb
            //   4a                   | dec                 edx
            //   752e                 | jne                 0x30
            //   080c30               | or                  byte ptr [eax + esi], cl

        $sequence_3 = { c1e606 033485a0f94000 8b45f8 8b00 8906 }
            // n = 5, score = 200
            //   c1e606               | shl                 esi, 6
            //   033485a0f94000       | add                 esi, dword ptr [eax*4 + 0x40f9a0]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8906                 | mov                 dword ptr [esi], eax

        $sequence_4 = { 8bc6 e8???????? 8b75c0 8bd8 e8???????? e8???????? 83c41c }
            // n = 7, score = 200
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     
            //   8b75c0               | mov                 esi, dword ptr [ebp - 0x40]
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c

        $sequence_5 = { 7304 8d442414 68???????? 50 ffd6 85c0 0f8482000000 }
            // n = 7, score = 200
            //   7304                 | jae                 6
            //   8d442414             | lea                 eax, [esp + 0x14]
            //   68????????           |                     
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f8482000000         | je                  0x88

        $sequence_6 = { 0f84b2040000 68???????? 8d8424d0000000 50 }
            // n = 4, score = 200
            //   0f84b2040000         | je                  0x4b8
            //   68????????           |                     
            //   8d8424d0000000       | lea                 eax, [esp + 0xd0]
            //   50                   | push                eax

        $sequence_7 = { 8d8424d0000000 50 ffd6 85c0 7421 8b4c2430 397c2444 }
            // n = 7, score = 200
            //   8d8424d0000000       | lea                 eax, [esp + 0xd0]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   7421                 | je                  0x23
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   397c2444             | cmp                 dword ptr [esp + 0x44], edi

        $sequence_8 = { 66890c453cf94000 40 ebe8 33c0 8945e4 }
            // n = 5, score = 200
            //   66890c453cf94000     | mov                 word ptr [eax*2 + 0x40f93c], cx
            //   40                   | inc                 eax
            //   ebe8                 | jmp                 0xffffffea
            //   33c0                 | xor                 eax, eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        $sequence_9 = { 59 e9???????? 51 53 ff15???????? 50 }
            // n = 6, score = 200
            //   59                   | pop                 ecx
            //   e9????????           |                     
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   50                   | push                eax

    condition:
        7 of them and filesize < 142336
}
Download all Yara Rules