Thursday, December 16, 2021

Nefilim Ransomware Successor to Nemty Ransomware

In 2020 many companies around the world fell victim to the “Nefilim” ransomware. One of them was Toll Group, an Australian logistics and transportation company, whose business operations were disrupted by the attack.

The company is used by e-commerce giants such as eBay to transport bulk commodities, essential parts and medical supplies.

When Toll Group refused to pay the demanded ransom, the Nefilim gang leaked 200 gigabytes (GB) of the stolen data. The leak consisted of detailed employee information, including medical examination invoices, as well as financial reports.

How does Nefilim infect victims?

According to a report by the Japanese cybersecurity company Trend Micro, accessed on Wednesday (28 April 2021), Nefilim is one of the ransomware families that use double-extortion tactics, as the Maze ransomware gang did.

Nefilim not only encrypts the data on the victim's computers and demands a ransom, it also steals the data first. If the victim refuses to pay, the operators threaten to publish the stolen company data.

The ransomware was first discovered in March 2020. Trend Micro believes it is an evolution of the “Nemty” ransomware because the two share several similarities.

The Nefilim code has many important similarities with Nemty 2.5; the main difference is that Nefilim has removed the Ransomware-as-a-Service (RaaS) component. Its operators also handle payments through email communication rather than through a Tor payment website.

For initial access, Nefilim operators rely on several ways of getting their malware in. They exploit exposed or vulnerable Remote Desktop Protocol (RDP) services or the Citrix vulnerability (CVE-2019-19781), and use brute-force attacks to break into victim systems.

“Nefilim also uses other tools to collect credentials, such as Mimikatz, LaZagne, and NirSoft's NetPass. Stolen credentials were used to reach the server,” Trend Micro wrote.

After gaining access to the victim's system, the operators run their components in stages: antivirus-killing tools first, then exfiltration tools, and finally Nefilim itself.

The attackers use several legitimate tools for lateral movement, that is, for spreading through the victim's network. For example, they use PsExec or Windows Management Instrumentation (WMI) to drop and run other components on remote machines, including the ransomware itself.

Nefilim was observed using batch files to terminate certain processes and services, and even third-party tools such as PC Hunter, Process Hacker, and Revo Uninstaller to kill or remove antivirus-related processes, services, and applications. The operators also use AdFind, BloodHound, or SMBTool to enumerate Active Directory and the machines joined to the domain.

One of the most important aspects of Nefilim is its data exfiltration capability. Researchers observed the operators copying data from servers or shared directories to local directories and archiving it with 7-Zip, then uploading the archives with the MEGAsync client to exfiltrate the victim's data.
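The intrusion chain described above (RDP brute force for initial access, the credential and enumeration tooling from the Trend Micro description, and 7-Zip staging followed by MEGAsync) can be expressed as a few stateful detection rules. The following Go program is an added example written for this page, not code from Trend Micro, BSSN or the Nefilim operators. It runs three rules over constructed Security-log/Sysmon-style JSON events; the field names, thresholds, time windows and sample lines are this example's own assumptions:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is a minimal Security/Sysmon-like record; field names are this example's own.
type Event struct {
	TS        time.Time `json:"ts"`
	ID        int       `json:"id"`                   // 4625 = failed logon, 1 = process create
	Host      string    `json:"host"`
	Src       string    `json:"src,omitempty"`        // source address of the logon attempt
	LogonType int       `json:"logon_type,omitempty"` // 10 = RemoteInteractive, i.e. RDP
	Image     string    `json:"image,omitempty"`
	CmdLine   string    `json:"cmdline,omitempty"`
}

type Alert struct{ Rule, Host, Detail string }

// Binaries the page associates with Nefilim intrusions. A file-name match is cheap
// and trivially evaded by renaming, so treat a hit as a triage cue, not proof.
var toolWatchlist = []string{"mimikatz", "lazagne", "netpass", "adfind",
	"sharphound", "bloodhound", "pchunter", "processhacker", "psexec"}

const (
	bruteThreshold = 5                // RDP failures from one source ...
	bruteWindow    = 10 * time.Minute // ... within this window
	exfilWindow    = 60 * time.Minute // MEGAsync this soon after a 7-Zip archive run
)

// Detect runs three stateful rules over time-ordered JSON event lines.
func Detect(lines []string) ([]Alert, error) {
	var alerts []Alert
	failures := map[string][]time.Time{} // host|src -> RDP failures inside bruteWindow
	staged := map[string]time.Time{}     // host -> last 7-Zip archive creation
	for _, line := range lines {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", line, err)
		}
		switch ev.ID {
		case 4625:
			if ev.LogonType != 10 {
				continue // network/SMB logon failures are noise for this rule
			}
			k := ev.Host + "|" + ev.Src
			recent := failures[k][:0] // drop failures that fell out of the window
			for _, t := range failures[k] {
				if ev.TS.Sub(t) <= bruteWindow {
					recent = append(recent, t)
				}
			}
			failures[k] = append(recent, ev.TS)
			if len(failures[k]) == bruteThreshold { // fire once per crossing
				alerts = append(alerts, Alert{"rdp_brute_force", ev.Host,
					fmt.Sprintf("%d failed RDP logons from %s within %s", bruteThreshold, ev.Src, bruteWindow)})
			}
		case 1:
			name := strings.ToLower(ev.Image[strings.LastIndexAny(ev.Image, `\/`)+1:])
			for _, tool := range toolWatchlist {
				if strings.HasPrefix(name, tool) {
					alerts = append(alerts, Alert{"known_tool", ev.Host, name})
					break
				}
			}
			switch {
			case name == "7z.exe" && strings.Contains(" "+ev.CmdLine+" ", " a "):
				staged[ev.Host] = ev.TS // "7z a ..." adds files to an archive: possible staging
			case name == "megasync.exe":
				if t, ok := staged[ev.Host]; ok && ev.TS.Sub(t) <= exfilWindow {
					alerts = append(alerts, Alert{"staging_then_megasync", ev.Host,
						"7-Zip archive created, then MEGAsync started " + ev.TS.Sub(t).String() + " later"})
				}
			}
		}
	}
	return alerts, nil
}

// SampleEvents are constructed for this example; they are not real telemetry.
var SampleEvents = []string{
	`{"ts":"2021-12-16T08:00:01Z","id":4625,"host":"FS01","src":"203.0.113.45","logon_type":10}`,
	`{"ts":"2021-12-16T08:00:03Z","id":4625,"host":"FS01","src":"203.0.113.45","logon_type":10}`,
	`{"ts":"2021-12-16T08:00:05Z","id":4625,"host":"FS01","src":"203.0.113.45","logon_type":10}`,
	`{"ts":"2021-12-16T08:00:07Z","id":4625,"host":"FS01","src":"203.0.113.45","logon_type":10}`,
	`{"ts":"2021-12-16T08:00:09Z","id":4625,"host":"FS01","src":"203.0.113.45","logon_type":10}`,
	`{"ts":"2021-12-16T08:01:00Z","id":4625,"host":"FS01","src":"198.51.100.7","logon_type":3}`,
	`{"ts":"2021-12-16T09:12:00Z","id":1,"host":"FS01","image":"C:\\Windows\\Temp\\AdFind.exe","cmdline":"AdFind.exe -f objectcategory=computer"}`,
	`{"ts":"2021-12-16T09:30:00Z","id":1,"host":"FS01","image":"C:\\Windows\\Temp\\7z.exe","cmdline":"7z.exe a -mx1 C:\\Windows\\Temp\\stage.7z \\\\FS01\\Finance"}`,
	`{"ts":"2021-12-16T09:41:00Z","id":1,"host":"FS01","image":"C:\\Users\\svc\\AppData\\Local\\MEGAsync\\MEGAsync.exe","cmdline":"MEGAsync.exe"}`,
}

func main() { fmt.Println(Detect(SampleEvents)) }
```

The field names map onto Windows Security event 4625 (LogonType 10 is RemoteInteractive, i.e. RDP) and Sysmon event 1. Of the three rules, the known-tool match is the weakest because a renamed binary evades it; the brute-force counter and the 7-Zip-then-MEGAsync sequence key on behaviour that is harder to hide, which is why the sample produces one alert from each rule rather than a flood.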

To encrypt victim data, Nefilim uses AES-128. The AES encryption key is then itself encrypted with an RSA-2048 public key.

To decrypt a locked file it is therefore necessary to obtain the attacker's RSA private key. Nefilim appends the .NEFILIM extension to the name of every encrypted file as a marker; for example, a file named 1.doc becomes 1.doc.NEFILIM.
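To make the key-handling point concrete, here is an added example in Go, written for this page rather than taken from Nefilim or from Trend Micro's analysis, that mirrors the scheme as described: each file is encrypted with AES-128 and the file key is wrapped with an RSA-2048 public key, so only the matching private key can recover the plaintext. The choice of CTR mode, OAEP padding, one fresh key per file and the blob layout are assumptions of the example, not a description of Nefilim's real file format:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Hybrid scheme as the page describes it: AES-128 for the file, the AES key
// encrypted with an RSA-2048 public key. A fresh key per file, CTR mode, OAEP
// padding and the layout  iv(16) || ciphertext || wrappedKey(256)  are this
// example's assumptions, not Nefilim's real file format.
const (
	extension = ".NEFILIM"
	aesKeyLen = 16 // AES-128
)

// LockFile encrypts plain under a fresh per-file key and returns the marker
// file name plus the blob that replaces the original contents.
func LockFile(name string, plain []byte, pub *rsa.PublicKey) (string, []byte, error) {
	seed := make([]byte, aesKeyLen+aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, seed); err != nil {
		return "", nil, err
	}
	key, iv := seed[:aesKeyLen], seed[aesKeyLen:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plain)
	// The file key is never stored in the clear: only the matching RSA private key unwraps it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return "", nil, err
	}
	blob := make([]byte, 0, len(iv)+len(ct)+len(wrapped))
	blob = append(append(append(blob, iv...), ct...), wrapped...)
	return name + extension, blob, nil
}

// UnlockFile is what a decryptor must do. It fails unless priv matches the public
// key used by LockFile, which is why the private key alone decides recoverability.
func UnlockFile(blob []byte, priv *rsa.PrivateKey) ([]byte, error) {
	wrapLen := priv.Size() // 256 bytes for RSA-2048
	if len(blob) < aes.BlockSize+wrapLen {
		return nil, errors.New("blob too short")
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:len(blob)-wrapLen]
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[len(blob)-wrapLen:], nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(plain, ct)
	return plain, nil
}

// Demo locks a constructed document, then tries to unlock it with the matching key
// and with an unrelated one; it reports the new name and the outcome of both attempts.
func Demo() (name string, rightKeyWorks, wrongKeyFails bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	plain := []byte("constructed sample: Q3 financial report")
	name, blob, err := LockFile("1.doc", plain, &operator.PublicKey)
	if err != nil {
		return "", false, false, err
	}
	got, err := UnlockFile(blob, operator)
	rightKeyWorks = err == nil && bytes.Equal(got, plain)
	_, err = UnlockFile(blob, stranger)
	wrongKeyFails = err != nil
	return name, rightKeyWorks, wrongKeyFails, nil
}

func main() { fmt.Println(Demo()) }
```

Running it prints the renamed file (1.doc.NEFILIM) and two booleans: the operator's private key recovers the plaintext, while an unrelated 2048-bit key is rejected at the unwrap step and never reaches the AES decryption. For a correctly implemented scheme of this shape, recovery without the operator's private key comes down to backups.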

According to the Indonesian National Cyber and Crypto Agency (BSSN), once encryption is complete a ransom note named NEFILIM-DECRYPT.txt is dropped in directories throughout the system. The note contains instructions on how to contact the operators, along with the threat of a data leak to pressure the victim if the ransom is not paid within seven days.

The note also includes links to the website the attackers use to leak victim data.

How to prevent Nefilim?

BSSN said that in several incidents Nefilim was executed only after the attacker had already gained access to the victim's network and could retrieve data from it.

If you become a victim of a Nefilim attack, BSSN recommends that the company does not pay the ransom, because the attacker still holds the stolen data even after the ransom is paid.

The following steps can help prevent a Nefilim ransomware infection:

  1. Close unused RDP ports. If they cannot be closed, restrict the source addresses allowed to reach them.
  2. Ensure that only authorized users can obtain RDP administrator access. For RDP administrator accounts, use strong passwords and multi-factor authentication (MFA).
  3. Monitor the network for signs of an attack.
  4. Limit the number of failed login attempts (account lockout) to block brute-force logins.
  5. Use spam filters and antivirus to detect and filter out malicious emails.
  6. Always make sure your computers receive the latest patches and updates.
  7. Scan your computers with antivirus software that has the latest updates.
  8. Always keep the firewall enabled on the computer.
  9. Back up data periodically to external storage media, and keep that media disconnected from the network so the backups cannot be encrypted along with the originals.
  10. Turn off file sharing if it is not needed. If file sharing is required, restrict access with ACLs and passwords, and disable anonymous access to shared folders.
  11. Do not open suspicious emails, and be wary of any links you receive.
  12. Do not download or use cracked or pirated software.
  13. Be careful with external devices connected to the computer and when installing free programs downloaded from the internet.