Nefilim Ransomware Uses RDP to Expose Sensitive Data

Jun 28, 2020

New Zealand. Home to fluffy sheep, geothermal pools and a new strain of Nefilim ransomware.

On June 16, CertNZ, the government body tasked with supporting Kiwi organizations affected by cyber incidents, issued an alert regarding a new variant of Nefilim ransomware targeting vulnerabilities in Remote Desktop Protocols.

NEMTY —-> Nefilim—> Nephilim—->????
Nefilim ransomware has been making rounds since March 2020. It seems to be based on an older ransomware variant, called NEMTY, which was first spotted in August 2019. It’s not known how Nefilim acquired the code from NEMTY as it doesn’t seem to be run by the same operators and it has a very different service models; Whereas NEMTY offers an affiliate ransomware-as-a-service model, in which any cybercriminal can rent all the software needed to deploy the attack, Nefilim is private, and only the criminals who created it have access to it.

Also noteworthy, Nefilim demands payment via email, as opposed to paying via a bitcoin account. It also seems that a portion of the variant has morphed into Nephilim, evidenced by the switch in some file extension names from Nefilim to Nephilim.

Whatever you want to call it, it seems the threat is using vulnerabilities in remote access tools to make its way deep inside corporate networks. Once it finds a weakness in the RDP or VPN, according to CertNZ, it uses “mimikatz, psexec, and Cobalt Strike to elevate privileges, move laterally across a network, and establish persistence on the network.”

This is especially troubling because Nefilim/Nephilim doesn’t only encrypt data—it posts the stolen data to their own and other dark web websites. Dumping/selling data is becoming an increasingly common method, also used by Sodinokibi/REvil, Maze, and some other popular variants. This is likely becoming a more popular method as companies beef up their disaster recovery and backup efforts, which has made the imperative of paying up ransom less, well, imperative. In sophisticated attacks like this, operators can get their hands on incredibly sensitive data and unless victims pay up in time, that data can easily be exposed on the internet or sold to the highest bidder.

Nefilim/Nephilim in Action
Back to our friends on the other side of the world; in May, Nefilim hit an Australian shipping company, Toll Group, who had just gotten walloped by a different strain of ransomware just one month prior. Not only did Nefilim steal their data, operators leaked highly damaging information regarding the company’s missteps in the aftermath of the first attack. They posted a portion of the data to their own website, saying, “Toll Group failed to secure their network even after the first attack. We have more than 200 GB of archives of their private data”. According to ZDnet.com, “the latest ransomware infection has resulted in a rebuild of core systems, the need to scrub infected servers clean, and the use of backups to restore files — rather than give in to demands for payment.”

In early June, appliance manufacturer Fisher & Paykel was also hit by the ransomware, forcing production to halt while it tried to recover. The stolen data, which was leaked gradually, was uploaded to the darkweb and according to Nefilim operator’s website, “The information will usually be leaked in parts, so the company has a chance to stop the leak before all the information is released.”

Ransomware + COVID-19 = Big Problems
Sounds super scary right? We’re not only talking about encryption, we’re talking exposure. And at the moment researchers have not been able to find any chinks in its armor, meaning no decryption tools, aside from the operators own private key can be applied to it once data has been locked. What’s worse is the fact that it enters via RD protocols, which are more popular than ever thanks to the shift to working from home due to COVID-19. The occurrence of exposed RDP shot up 127% over the course of the pandemic, providing attackers with an easy way to get the sensitive data they’re after. With corporations scrambling to get employees set up from home, misconfigurations occur and security measures are often bypassed, creating a perfect window of opportunity for attackers to enter via insecure RDP.

As beneficial as RDP is, it inherently opens organizations up to risk. To get all the benefits without the risks and zero trust your RDP, consider using it with a Software Defined Perimeter (SDP) solution. SDP seamlessly secures remote access so employees can work from anywhere without exposure to threats like Nefilim/Nephilim.

The occurrence of ransomware variants like Nefilim/Nephilim shine a spotlight on the need to do things right, even under pressure. When it comes to the potential exposure of highly sensitive data, it doesn’t matter why corners get cut; if there’s a way in, attackers will use it.



Dafna Lipowicz

VP of Human Resources

In her role, Dafna leads all HR activities at Safe-T, including: partnering with management team to advance and support the company vision and strategy, developing strategic HR plans and policies (training, compensation and benefits, etc.), organizational and managers development, recruitment and welfare. Dafna brings to Safe-T more than 17 years of experience in various HR managerial roles, in global and complex organizations as well as in growing start-ups (such as SanDisk, Logic Industries and Mantis Vision), specializing in establishing and leading HR departments, initiating and building organizational development, according to company strategy, management consultant, talent management and recruitment. Dafna holds both an LLB and an MA in Labor Studies from Tel Aviv University. She is also a certified mediator and group facilitator.

Request a Demo