A new ransomware family named Nefilim surfaced and began spreading at the end of February 2020. According to Bleeping Computer, its code carries signatures suggesting that Nefilim is an upgraded version of the Nemty 2.5 ransomware. Although the two share code, a key component of Nemty, its Ransomware-as-a-Service model, has been dropped from Nefilim. Nefilim now relies entirely on email communication with its victims to arrange ransom payment rather than on a Tor payment site.
Nefilim Ransomware’s Modus Operandi
- Researchers are unsure how the ransomware is being distributed but consider exposed Remote Desktop Services a probable entry point.
- Once the operators launch the attack, Nefilim encrypts the victims' files with a combination of AES-128 and RSA-2048. Each file is first encrypted with AES-128; the AES key is then encrypted with the RSA-2048 public key that is embedded in the ransomware executable, so the AES key can only be recovered with the operators' private key.
- The extension .NEFILIM is appended to each encrypted file name, and a NEFILIM file marker is written to every encrypted file. This is where the ransomware gets its name.
- Once all files are encrypted, the ransomware drops a ransom note, NEFILIM-DECRYPT.txt, that instructs the victim on how to recover their files.
- The ransom note lists several contact emails for reaching the operators. It also warns that the victims' data will be leaked if the ransom is not paid within seven days.
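The hybrid scheme described in the second point is worth seeing in code, because it decides what an incident responder can and cannot do with the sample: the public key that can be carved out of the executable encrypts, it does not decrypt. The following is an added illustration in Go using only the standard library; it is not Nefilim's code and it operates on an in-memory byte string rather than on files. AES-GCM, RSA-OAEP and the `NewOperatorKey`, `HybridEncrypt` and `HybridDecrypt` names are assumptions for the illustration; the page only states AES-128 and RSA-2048.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedBlob is what a hybrid scheme leaves behind for one file: the
// content sealed under a fresh AES-128 key, and that key wrapped with the
// RSA-2048 public key. Nothing in it yields the AES key without the RSA
// private key.
type EncryptedBlob struct {
	WrappedKey []byte // AES-128 key encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce (assumption: the page does not name the AES mode)
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// NewOperatorKey generates the RSA-2048 key pair whose public half would be
// embedded in the executable and whose private half stays with the operators.
func NewOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// HybridEncrypt reproduces the key hierarchy described above: a random
// AES-128 key per file, wrapped with the public half of the RSA-2048 key pair.
// Only the public key is needed here, which is why the key shipped inside the
// executable does not help with recovery.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedBlob, error) {
	key := make([]byte, 16) // 16 bytes = AES-128
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedBlob{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// HybridDecrypt is the operator-side step: unwrap the AES key with the RSA
// private key, then open the content. With any other private key the OAEP
// unwrap fails and the content is never reached; a modified ciphertext fails
// the GCM tag check.
func HybridDecrypt(priv *rsa.PrivateKey, blob *EncryptedBlob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap AES key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob.Nonce, blob.Ciphertext, nil)
}

func main() {
	// Constructed sample: the operators' key pair and one small "file".
	operatorKey, err := NewOperatorKey()
	if err != nil {
		panic(err)
	}
	original := []byte("quarterly-report.docx contents (constructed sample)")

	blob, err := HybridEncrypt(&operatorKey.PublicKey, original)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(blob.WrappedKey), len(blob.Ciphertext))

	// The holder of the private key recovers the file.
	recovered, err := HybridDecrypt(operatorKey, blob)
	fmt.Println("operator decrypt ok:", err == nil && bytes.Equal(recovered, original))

	// A responder holding only the public key from the binary, or an
	// unrelated private key, cannot.
	otherKey, _ := NewOperatorKey()
	_, err = HybridDecrypt(otherKey, blob)
	fmt.Println("decrypt with unrelated key fails:", err != nil)
}
```

The practical consequence for response is the one the text draws: recovery depends on backups or on the private key, not on anything extractable from the sample, so analysis time is better spent on the initial access vector and on the data-exfiltration claim than on the cryptography.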
Nefilim Ransomware Note says…
All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure that you receive your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and are kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works email to us two files from random computers. You will receive further instructions after you send us the test files.
| Attribute | Details |
|---|---|
| Threat type | Ransomware, file locker |
| Encrypted files extension | .NEFILIM |
| File name of ransom note | NEFILIM-DECRYPT.txt |
| Contact details for ransomware decryption | [email protected], [email protected], and [email protected] |
| Indicators of attack | Previously accessible files stored on the computer can no longer be opened. The extension “.NEFILIM” is appended to file names (for example, xyz.doc.NEFILIM). A ransom demand message is displayed on the desktop or in the encrypted drive or directory. |
| Damages caused | All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and other malware can be installed together with the ransomware infection. |
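The three host-side indicators in this table and in the modus operandi (the .NEFILIM extension, the NEFILIM marker inside encrypted files, and the NEFILIM-DECRYPT.txt note) are enough for a first triage sweep of a file share or recovered disk image. The following Go program is an added example, not a tool from the page or from any vendor; it walks a directory, flags files carrying the extension or the note, checks flagged files for the ASCII marker, and reports Shannon entropy as corroboration that the content is encrypted rather than merely renamed. The marker's position inside the file is not stated on the page, so the example searches the whole file (an assumption), and the 7.0 bits/byte entropy threshold is an assumed value.

```go
package main

import (
	"bytes"
	"fmt"
	"io/fs"
	"math"
	"os"
	"path/filepath"
	"strings"
)

const (
	encryptedExt = ".NEFILIM"           // appended to every encrypted file name
	ransomNote   = "NEFILIM-DECRYPT.txt" // dropped once encryption completes
	fileMarker   = "NEFILIM"            // marker written into encrypted files (assumption: searched anywhere in the file)
	entropyFlag  = 7.0                  // bits/byte above which content looks encrypted (assumed threshold)
)

// Finding records one indicator hit on one path.
type Finding struct {
	Path    string
	Reason  string
	Entropy float64 // only populated for candidate encrypted files
}

// ShannonEntropy returns the byte-level entropy in bits per byte: about 8.0
// for ciphertext or compressed data, well below that for ordinary documents.
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// HasMarker reports whether the NEFILIM file marker appears in the content.
func HasMarker(data []byte) bool {
	return bytes.Contains(data, []byte(fileMarker))
}

// ScanTree walks root and returns every ransom note and every file carrying
// the encrypted-file extension, annotated with marker and entropy checks.
func ScanTree(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		name := d.Name()
		switch {
		case name == ransomNote:
			findings = append(findings, Finding{Path: path, Reason: "ransom note present"})
		case strings.HasSuffix(name, encryptedExt):
			data, rerr := os.ReadFile(path)
			if rerr != nil {
				return rerr
			}
			reason := "encrypted-file extension"
			if HasMarker(data) {
				reason += " + NEFILIM marker"
			}
			h := ShannonEntropy(data)
			if h >= entropyFlag {
				reason += " + high entropy"
			}
			findings = append(findings, Finding{Path: path, Reason: reason, Entropy: h})
		}
		return nil
	})
	return findings, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := ScanTree(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan error:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%s\t%s\tentropy=%.2f\n", f.Path, f.Reason, f.Entropy)
	}
	fmt.Printf("%d finding(s)\n", len(findings))
}
```

Run it read-only against a mounted image or share (`go run scan.go /mnt/evidence`); the extension match alone identifies scope, while the marker and entropy columns separate genuinely encrypted files from anything that was only renamed, which matters when deciding what is still recoverable from the host.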