[BreachExchange] New Nefilim Ransomware Threatens to Release Victims' Data

[Destry Winant]

https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/

A new ransomware called Nefilim that shares much of the same code as
Nemty has started to become active in the wild and threatens to
release stolen data.

Nefilim became active at the end of February 2020 and while it not
known for sure how the ransomware is being distributed, it is most
likely through exposed Remote Desktop Services.

Head of SentinelLabs Vitali Krimez and ID Ransomware's Michael
Gillespie both told BleepingComputer that Nefilim and Nemty 2.5 share
much of the same code.

The main difference is that Nefilim has removed the
Ransomware-as-a-Service (RaaS) component and now relies on email
communications for payments rather than a Tor payment site.

It is not known if this is a fork of their ransomware from the
original operators or if new threat actors obtained the source code to
release a new version.

Nefilim threatens to release data

In the Nefilim ransom note, the attackers state that if a user does
not pay the ransom in seven days they will release data that was
stolen from the network.

A large amount of your private files have been extracted and is kept
in a secure location.
If you do not contact us in seven working days of the breach we will
start leaking the data.
After you contact us we will provide you proof that your files have
been extracted.

In the past, this would have been seen as an empty threat, but with
ransomware infections such as Maze, Sodinokibi, DoppelPaymer, and
Nemty all following through with their threats, it should no longer be
ignored.

The Nefilim encryption process

When encrypting files, Nefilim will encrypt a file using AES-128
encryption. This AES encryption key will then be encrypted by an
RSA-2048 public key that is embedded in the ransomware executable.

This encrypted AES key will then be added to the contents of each
encrypted file and can only be decrypted by the RSA private key known
to the ransomware developers.

For each encrypted file, Nefilim will append the .NEFILIM extension to
the file name. For example, a file called 1.doc would be encrypted and
named 1.doc.NEFILIM.

Files encrypted by the Nefilim Ransomware

In addition to the encrypted AES key, the ransomware will also add the
"NEFILIM" string as a file marker to all encrypted files as shown
below.

NEFILIM file marker

When done, a ransom note named NEFILIM-DECRYPT.txt will be created
throughout the system that contains instructions on how to contact the
ransomware developers.

This ransom note contains different contact emails and the threat that
they will leak data if a ransom is not paid within seven days of the
"breach".

Unfortunately, a brief analysis by Gillespie indicates that this
ransomware appears to be secure, which means that there is no current
way to recover files for free.

The ransomware, though, is still being researched and if new
weaknesses we will publish updated information.