Nefilim Ransomware Threatens to Expose Stolen Data

A new ransomware named Nefilim has been discovered, threatening to release its victims’ data to the public if they fail to pay the ransom. It is most likely distributed through exposed Remote Desktop Protocol (RDP), as shared by SentinelLabs’ Vitali Krimez and ID Ransomware's Michael Gillespie via Bleeping Computer.

Nefilim’s code shares many notable similarities with Nemty 2.5 ransomware; the main difference is the fact that Nefilim has done away with the Ransomware-as-a-Service (RaaS) component. It also manages payments via email communication rather than through a Tor payment site. There is nothing that indicates that the same threat actors are behind Nemty and Netfilim. The new ransomware is most likely spread through RDP, like other ransomware such as Nemty, Crysis, and SAMSAM.

Netfilim uses AES-128 encryption to encrypt victim’s files. An RSA-2048 embedded in the ransomware executable will then encrypt the AES encryption key. The encrypted AES key will then be added to every encrypted key. The ransomware also adds a “NEFILIM” string as a file marker to all encrypted files. The encrypted files will have .NEFILIM appended to their file names (for example, a file called 1.doc would be named 1.doc.NEFILIM).

To decrypt these files, victims need to get the RSA private key from the ransomware developers. Details of the ransom have not been released yet.

Ransomware continues to expand its reach as threat actors continue to come up with new ransomware variants and families. The healthcare, government, and education sectors were on the receiving end of many such attacks last year, as revealed in the Trend Micro 2019 Annual Security Roundup. Unfortunately, many feel pressured to pay the ransom to prevent the paralysis of operations and the loss of valuable data.

Like Nefilim, many of these ransomware attacks abuse exposed RDP ports. Enterprises can take the following steps to defend against RDP abuse:

Companies should also establish firm protocols and rules in dealing with unverified emails; employees should avoid opening these emails or attachments. To prevent data loss, employees should also regularly backup files. Finally, regularly updating software and applications can ensure that the system is protected against both old and recent vulnerabilities.

Enterprises can also further improve security against ransomware through the combination of behavioral analysis and high-fidelity machine learning across email, endpoints, servers, and networks.

Enterprises that are dealing with a ransomware attack can try the Trend Micro Ransomware File Decryptor (available in Windows and macOS) for free.