win.nefilim

Nefilim

aka: Nephilim

According to Vitali Kremez and Michael Gillespie, this ransomware shares much of its code with Nemty 2.5. One difference is the removal of the RaaS component: payment negotiation was switched to email communication instead. Files are encrypted with AES-128, and the AES key is then protected with RSA-2048.

References

2022-03-17, Sophos, Tilly Travers: The Ransomware Threat Intelligence Center. https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
Families: ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker

2021-10-05, Trend Micro, Fyodor Yarochkin, Janus Agcaoili, Byron Gelera, Nikko Tamana: Ransomware as a Service: Enabler of Widespread Attacks. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks
Families: Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk

2021-07-14, Intel 471: How cybercriminals create turbulence for the transportation industry. https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry
Families: Mount Locker Nefilim

2021-06-28, Trend Micro: Nefilim Ransomware Attack Through a MITRE Att&ck Lens. https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html
Families: Nefilim

2021-06-08, Trend Micro (white paper), Mayra Fuentes, Feike Hacquebord, Stephen Hilt, Ian Kenefick, Vladimir Kropotov, Robert McArdle, Fernando Mercês, David Sancho: Modern Ransomware’s Double Extortion Tactics and How to Protect Enterprises Against Them. https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf
Families: Nefilim

2021-05-25, Kaspersky, Fedor Sinitsyn, Yanis Zinchenko: Evolution of JSWorm ransomware. https://securelist.com/evolution-of-jsworm-ransomware/102428/
Families: Nefilim Nemty

2021-05-12, Qualys, Bajrang Mane: Nefilim Ransomware. https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware
Families: Nefilim

2021-05-10, DarkTracer: Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb. https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
Families: RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-04-25, Vulnerability.ch Blog, Corsin Camichel: Ransomware and Data Leak Site Publication Time Analysis. https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
Families: Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil

2021-02-28, PWC UK (report): Cyber Threats 2020: A Year in Retrospect. https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
Families: elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare

2021-02-25, Intezer (report): Year of the Gopher: A 2020 Go Malware Round-Up. https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
Families: NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy

2021-02-23, Trend Micro, Byron Gelera, Janus Agcaoili: An Analysis of the Nefilim Ransomware. https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html
Families: Nefilim

2021-01-26, SophosLabs Uncut, Michael Heller, David Anderson, Peter Mackenzie, Sergio Bestulic, Bill Kearney: Nefilim Ransomware Attack Uses “Ghost” Credentials. https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
Families: Nefilim

2021, Secureworks: Threat Profile: GOLD MANSARD. http://www.secureworks.com/research/threat-profiles/gold-mansard
Families: Nefilim Nemty GOLD MANSARD

2020-12-28, Bleeping Computer, Lawrence Abrams: Home appliance giant Whirlpool hit in Nefilim ransomware attack. https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/
Families: Nefilim

2020-12-16, Accenture, Paul Mansfield: Tracking and combatting an evolving danger: Ransomware extortion. https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
Families: DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt

2020-12-10, US-CERT, FBI, MS-ISAC: Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data. https://us-cert.cisa.gov/ncas/alerts/aa20-345a
Families: PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus

2020-12-03, PICUS Security, Süleyman Özarslan: How to Beat Nefilim Ransomware Attacks. https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks
Families: Nefilim

2020-10-23, Hornetsecurity Security Lab: Leakware-Ransomware-Hybrid Attacks. https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
Families: Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt

2020-08-25, KELA, Victoria Kivilevich: How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing. https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
Families: Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet

2020-07-15, FireEye, Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt: Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families. https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html
Families: DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake

2020-06-16, New Zealand CERT: Active ransomware campaign leveraging remote access technologies. https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/
Families: Nefilim

2020-05-04, SentinelOne, Jim Walter: Meet NEMTY Successor, Nefilim/Nephilim Ransomware. https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
Families: Nefilim Nemty

2020-03-24, Bleeping Computer, Lawrence Abrams: Three More Ransomware Families Create Sites to Leak Stolen Data. https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
Families: Clop DoppelPaymer Maze Nefilim Nemty REvil

2020-03-23, Trend Micro: Nefilim Ransomware Threatens to Expose Stolen Data. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data
Families: Nefilim

2020-03-17, Bleeping Computer, Lawrence Abrams: New Nefilim Ransomware Threatens to Release Victims' Data. https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/
Families: Nefilim

2020-03-14, ID Ransomware, Andrew Ivanov: Nefilim Ransomware. https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html
Families: Nefilim

2020, Blackberry Research (report): State of Ransomware. https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
Families: Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
Yara Rules
[TLP:WHITE] win_nefilim_auto (20220411 | Detects win.nefilim.)
rule win_nefilim_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.nefilim."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffd6 85c0 0f84b2040000 68???????? 8d8424d0000000 50 }
            // n = 6, score = 200
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   0f84b2040000         | je                  0x4b8
            //   68????????           |                     
            //   8d8424d0000000       | lea                 eax, dword ptr [esp + 0xd0]
            //   50                   | push                eax

        $sequence_1 = { 59 59 8b7508 8d34f548e24000 391e }
            // n = 5, score = 200
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8d34f548e24000       | lea                 esi, dword ptr [esi*8 + 0x40e248]
            //   391e                 | cmp                 dword ptr [esi], ebx

        $sequence_2 = { ff15???????? 8b4df0 68f4010000 89848d7cffffff ff15???????? ff45f0 8b4de8 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   68f4010000           | push                0x1f4
            //   89848d7cffffff       | mov                 dword ptr [ebp + ecx*4 - 0x84], eax
            //   ff15????????         |                     
            //   ff45f0               | inc                 dword ptr [ebp - 0x10]
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]

        $sequence_3 = { 0f84a4000000 8b1d???????? bf???????? 57 ffd3 99 }
            // n = 6, score = 200
            //   0f84a4000000         | je                  0xaa
            //   8b1d????????         |                     
            //   bf????????           |                     
            //   57                   | push                edi
            //   ffd3                 | call                ebx
            //   99                   | cdq                 

        $sequence_4 = { 57 ffd3 99 83e203 03c2 c1f802 }
            // n = 6, score = 200
            //   57                   | push                edi
            //   ffd3                 | call                ebx
            //   99                   | cdq                 
            //   83e203               | and                 edx, 3
            //   03c2                 | add                 eax, edx
            //   c1f802               | sar                 eax, 2

        $sequence_5 = { 33c0 50 50 ff74241c ffd7 53 8d442434 }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax
            //   50                   | push                eax
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   ffd7                 | call                edi
            //   53                   | push                ebx
            //   8d442434             | lea                 eax, dword ptr [esp + 0x34]

        $sequence_6 = { 50 ff35???????? ff35???????? ff74241c ff15???????? 8b44241c 8b4c2418 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ff35????????         |                     
            //   ff35????????         |                     
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   ff15????????         |                     
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]

        $sequence_7 = { 8d8dbcfdffff 33c0 50 50 }
            // n = 4, score = 200
            //   8d8dbcfdffff         | lea                 ecx, dword ptr [ebp - 0x244]
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax
            //   50                   | push                eax

        $sequence_8 = { 0f8421050000 8b35???????? 68???????? 8d8424d0000000 50 }
            // n = 5, score = 200
            //   0f8421050000         | je                  0x527
            //   8b35????????         |                     
            //   68????????           |                     
            //   8d8424d0000000       | lea                 eax, dword ptr [esp + 0xd0]
            //   50                   | push                eax

        $sequence_9 = { 56 56 ff75ec 68???????? 56 56 }
            // n = 6, score = 200
            //   56                   | push                esi
            //   56                   | push                esi
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   68????????           |                     
            //   56                   | push                esi
            //   56                   | push                esi

    condition:
        7 of them and filesize < 142336
}