NEFILIM Ransomware

PUBLISHED:
8 April 2020

Ransomware continues to expand its reach as threat actors come up with new variants and families. NEFILIM is a newly emerged ransomware family that is most likely distributed through exposed Remote Desktop Protocol (RDP) services, as other ransomware such as Nemty, Crysis and SAMSAM have been. It also uses several other routes to get into IT systems, including:

  • Spam email
  • P2P file sharing
  • Free software downloads
  • Malicious websites
  • Torrent websites

The ransomware adds the string "NEFILIM" to every encrypted file as a file marker and appends .NEFILIM to the file name. Its operators have also launched a site called "Corporate Leaks", where they publish data stolen from victims who do not pay the ransom.
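The extension and file marker described above are the two artefacts an incident responder can use to scope an infection. The following PowerShell script is an added example (not code from the TechCERT advisory and not part of NEFILIM): it lists files carrying the .NEFILIM extension under a root path and confirms the "NEFILIM" marker in each. The advisory only says the marker is added to encrypted files; the script assumes it sits within the last 16 bytes of the file, which must be verified against your own sample. The demo files it creates in the temp directory are constructed, not real victim data.

```powershell
# Added example, not code from the TechCERT advisory and not part of NEFILIM.
# ASSUMPTION: the "NEFILIM" marker is stored within the last 16 bytes of an
# encrypted file. Verify the offset on your own sample before trusting WithMarker.

$script:Marker = [System.Text.Encoding]::ASCII.GetBytes('NEFILIM')

function Test-NefilimMarker {
    param([Parameter(Mandatory)][string]$Path, [int]$TailBytes = 16)
    # Open with shared read/write access so a still-running encryptor does not block us.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        if ($fs.Length -lt $script:Marker.Length) { return $false }
        $n = [int][Math]::Min($TailBytes, $fs.Length)
        $null = $fs.Seek(-$n, [System.IO.SeekOrigin]::End)
        $buf = New-Object byte[] $n
        $null = $fs.Read($buf, 0, $n)
        # Byte-wise search for the marker inside the tail buffer.
        for ($i = 0; $i -le $buf.Length - $script:Marker.Length; $i++) {
            $hit = $true
            for ($j = 0; $j -lt $script:Marker.Length; $j++) {
                if ($buf[$i + $j] -ne $script:Marker[$j]) { $hit = $false; break }
            }
            if ($hit) { return $true }
        }
        return $false
    } finally { $fs.Dispose() }
}

function Get-NefilimScope {
    param([Parameter(Mandatory)][string]$Root)
    $byExt     = @(Get-ChildItem -Path $Root -Recurse -File -Filter '*.NEFILIM' -ErrorAction SilentlyContinue)
    $confirmed = @($byExt | Where-Object { Test-NefilimMarker -Path $_.FullName })
    $ordered   = @($confirmed | Sort-Object LastWriteTime)
    $first = $null; $last = $null
    if ($ordered.Count -gt 0) {
        # Earliest/latest write times bound the encryption window for the timeline.
        $first = $ordered[0].LastWriteTime
        $last  = $ordered[-1].LastWriteTime
    }
    [pscustomobject]@{
        Root        = $Root
        ByExtension = $byExt.Count          # renamed files (extension only)
        WithMarker  = $confirmed.Count      # files that also carry the marker
        FirstWrite  = $first
        LastWrite   = $last
        Directories = @($confirmed.DirectoryName | Sort-Object -Unique)
    }
}

# --- Constructed demo data, not real victim files ---
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('nefilim-demo-' + [guid]::NewGuid())
$null = New-Item -ItemType Directory -Path (Join-Path $demo 'share\finance') -Force
$body = [byte[]](1..64)
# Extension plus marker: counted in both ByExtension and WithMarker.
[System.IO.File]::WriteAllBytes((Join-Path $demo 'share\finance\q1.xlsx.NEFILIM'), [byte[]]($body + $script:Marker))
# Extension only, no marker: counted in ByExtension but not WithMarker.
[System.IO.File]::WriteAllBytes((Join-Path $demo 'share\notes.txt.NEFILIM'), $body)
Set-Content -Path (Join-Path $demo 'share\readme.txt') -Value 'untouched'

Get-NefilimScope -Root $demo | Format-List
Remove-Item -Path $demo -Recurse -Force
```

Run it against a file server's share root (`Get-NefilimScope -Root 'D:\Shares'`) rather than the demo directory to get the affected directory list and the encryption time window; a gap between ByExtension and WithMarker means either the marker offset assumption is wrong for the sample in hand or some files were renamed by something else.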

As proactive measures, the following actions can be taken to minimize the risk from ransomware that targets weaknesses in RDP exposure and authentication:

  • Disable RDP on hosts that do not need it, and do not expose the RDP port (TCP 3389) directly to the internet.
  • When RDP is essential, restrict the source addresses that can reach the RDP service (for example to a VPN or jump-host range) with host and perimeter firewall rules.
  • Ensure that only authorized accounts can log on through RDP: keep the Remote Desktop Users group minimal, require Network Level Authentication, and add multi-factor authentication where possible.
  • Monitor the network and Windows security logs for signs of attack, such as repeated failed RDP logons from a single source.
  • Limit the number of failed login attempts with an account lockout policy.
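The five controls above, applied on a single Windows host, as an added PowerShell example (not code from the TechCERT advisory). It assumes the management network allowed to reach RDP is 10.10.0.0/24 (a placeholder to replace), that the host runs Windows 10 / Server 2016 or later with the NetSecurity module, that the script runs elevated, and that the lockout values are illustrative rather than policy.

```powershell
# Added example, not from the TechCERT advisory. Run as Administrator.
# ASSUMPTIONS: 10.10.0.0/24 is the only range that should reach RDP (placeholder);
# lockout numbers are illustrative. Adjust both to local policy.

$AllowedRdpSources = @('10.10.0.0/24')   # assumption: VPN / jump-host range only
$RdpNeeded = $true                        # set $false on hosts that never need RDP

function Set-RdpHardening {
    if (-not $RdpNeeded) {
        # 1. Close RDP where unused: disable the listener and the inbound rule group.
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
            -Name fDenyTSConnections -Value 1
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        return
    }
    # 2. Limit source addresses: scope the built-in Remote Desktop rules to the management range.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Profile Any `
        -RemoteAddress $AllowedRdpSources
    # 3. Authorized users only: require Network Level Authentication (credentials are
    #    checked before a session is built) and review who may log on via RDP.
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name UserAuthentication -Value 1
    Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, PrincipalSource
    # 5. Limit failed logins: lock out after 5 bad attempts within 15 minutes, for 15 minutes.
    net accounts /lockoutthreshold:5 /lockoutwindow:15 /lockoutduration:15 | Out-Null
}

# 4. Monitor: summarise failed logons (Event 4625) by source address over the last
#    $Hours hours, keeping only sources above $Threshold attempts. Logon type 10 is
#    RemoteInteractive (classic RDP); see the note below about NLA and type 3.
function Get-FailedRdpLogons {
    param([int]$Hours = 24, [int]$Threshold = 20, [string[]]$LogonTypes = @('10'))
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($LogonTypes -contains $d.LogonType) {
            [pscustomobject]@{ Source = $d.IpAddress; User = $d.TargetUserName; Time = $_.TimeCreated }
        }
    } | Group-Object Source | Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        Select-Object @{n = 'Source'; e = { $_.Name }}, Count,
                      @{n = 'Users';  e = { ($_.Group.User | Sort-Object -Unique) -join ',' }}
}

Set-RdpHardening
Get-FailedRdpLogons -Hours 24 -Threshold 20
```

One caveat when reading the monitoring output: once Network Level Authentication is enforced, a failed RDP logon is recorded by the NLA pre-authentication as a 4625 with logon type 3 (network) and often a blank IpAddress rather than type 10, so on NLA-enabled hosts call `Get-FailedRdpLogons -LogonTypes @('10','3')` and expect to correlate with perimeter or VPN logs for the source address.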

In addition to the above recommendations, the proactive measures suggested in the related articles published on the TechCERT official website can also be applied to counter or minimize the risk of ransomware attacks.

Due to the COVID-19 outbreak, ransomware and other cyber attacks are more likely to go unnoticed, since organizations are operating with limited resources and staff are working from home. The TechCERT secure working-from-home guide can be obtained from the following link.

More Information

  1. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data
  2. https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data