Nefilim

Description

According to Vitali Kremez and Michael Gillespie, this ransomware shares much of its code with Nemty 2.5. One difference is the removal of the RaaS component: payment communication was switched to email instead. Files are encrypted with AES-128, and the AES key is then protected with RSA-2048.

External Analysis
https://www.zdnet.com/article/a-deep-dive-into-nefilim-a-double-extortion-ransomware-group
https://www.trendmicro.com/en_nz/research/21/f/nefilim-modern-ransomware-attack-story.html
http://www.secureworks.com/research/threat-profiles/gold-mansard
https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf
https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html
https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
https://securelist.com/evolution-of-jsworm-ransomware/102428/
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/
https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/
https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/
https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot
https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html
https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks
Urls
http://hxt254aygrsziejn.onion

Posts

Date        Title
2021-09-09  Atlanta Allergy & Asthma. Part 1.
2021-09-09  Grimmway Farms. Part 1.
2021-09-09  Elliott Group / Cascade Engineering / Unitex Textile Rental Services. Teaser.
2021-09-09  Seven Seas. Part 1.
2021-09-09  The MADSACK Media Group. Part 1.
2021-09-09  Tegut. Part 1.
2021-09-09  TPG Internet. Part 1.
2021-09-09  Saipa Press. Part 1.
2021-09-09  Tegut. Part 2.
2021-09-09  The MADSACK Media Group. Part 2.