NEPHILIM (NEFILIM) RANSOMWARE


Introduction

Nephilim ransomware, also known as Nefilim, first appeared in 2020 and was initially distributed by exploiting vulnerabilities in Citrix gateway devices.
Attacks involving Nephilim have been frequent and have targeted medium and large organisations in many countries.
There is no decryptor for any of the active Nephilim variants. The average ransom demanded is $701,494, and victims are told to contact the threat actor through the email addresses provided in the ransom note.

Modus Operandi

Initial access

The threat actor gains initial access in one of two ways: brute-forcing exposed Remote Desktop Protocol (RDP) services, or exploiting known vulnerabilities in Citrix gateway devices such as CVE-2019-11634 and CVE-2019-19781. Once inside, the threat actor downloads the Nephilim ransomware binary together with the post-exploitation tooling used for credential theft, discovery, lateral movement and exfiltration: Mimikatz, AdFind and Cobalt Strike.
Mimikatz is used to harvest credentials for lateral movement, and AdFind to enumerate Active Directory once a domain-joined host is reached. Cobalt Strike is also downloaded and run to assist with lateral movement. After mapping the target network, the threat actor copies data from servers and network shares to a local directory on a compromised machine and compresses it with a 7-Zip binary. MEGAsync is then installed to synchronise that folder with a cloud drive owned by the threat actor, which is how the compressed archive leaves the target's network.

Installation

The threat actor uses PsExec.exe to run commands on remote machines, in particular to launch batch (.bat) files. Several batch files are executed: some deploy the Nephilim ransomware, and one kills processes and stops services. The files are pushed to as many machines as possible using the copy command or WMI.
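The initial-access, staging and deployment steps above each leave a distinct trace in Windows telemetry, so the detection logic for the whole chain fits in one place. The following is an added example written for this page, not code from the original article or from any vendor: it runs five rules over constructed, simplified event records (a stand-in for Security 4625/4624 logons, System 7045 service installs and process-creation events; the "kind|host|key=value" format, host names, paths and the brute-force threshold of five failures are all assumptions) and reports RDP brute forcing, the Mimikatz/AdFind/7-Zip/MEGAsync tooling, the 7-Zip-then-MEGAsync staging-and-exfiltration pairing on one host, the PSEXESVC service that PsExec installs on each target, and batch files launched under PsExec or WMI.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample telemetry (not real logs): "kind|host|key=value|...", standing in
// for Security 4625/4624 logons, System 7045 service installs and process creations.
const sampleLogs = `
logon|FS01|id=4625|ltype=10|src=203.0.113.9|user=administrator
logon|FS01|id=4625|ltype=10|src=203.0.113.9|user=admin
logon|FS01|id=4625|ltype=10|src=203.0.113.9|user=backup
logon|FS01|id=4625|ltype=10|src=203.0.113.9|user=svc_sql
logon|FS01|id=4625|ltype=10|src=203.0.113.9|user=administrator
logon|FS01|id=4624|ltype=10|src=203.0.113.9|user=administrator
process|FS01|image=C:\Windows\Temp\mimikatz.exe|parent=cmd.exe|cmdline=mimikatz.exe sekurlsa::logonpasswords
process|FS01|image=C:\Windows\Temp\AdFind.exe|parent=cmd.exe|cmdline=AdFind.exe -f objectcategory=computer
process|FS01|image=C:\Program Files\7-Zip\7z.exe|parent=cmd.exe|cmdline=7z.exe a C:\Temp\data.7z \\FS02\share
process|FS01|image=C:\Users\admin\AppData\Local\MEGAsync\MEGAsync.exe|parent=explorer.exe|cmdline=MEGAsync.exe
service|WS07|id=7045|name=PSEXESVC|path=%SystemRoot%\PSEXESVC.exe
process|WS07|image=C:\Windows\System32\cmd.exe|parent=PSEXESVC.exe|cmdline=cmd.exe /c C:\Windows\Temp\deploy.bat
process|WS08|image=C:\Windows\System32\cmd.exe|parent=WmiPrvSE.exe|cmdline=cmd.exe /c C:\Windows\Temp\killproc.bat
process|WS09|image=C:\Windows\System32\cmd.exe|parent=explorer.exe|cmdline=cmd.exe /c dir
`

// Finding is one detection hit: the host, the rule that fired and why.
type Finding struct {
	Host, Rule, Detail string
}

type event struct {
	kind, host string
	f          map[string]string
}

// parse splits each record on "|" and each remaining field on its first "=".
func parse(lines string) []event {
	var out []event
	for _, ln := range strings.Split(strings.TrimSpace(lines), "\n") {
		parts := strings.Split(ln, "|")
		if len(parts) < 2 {
			continue
		}
		e := event{kind: parts[0], host: parts[1], f: map[string]string{}}
		for _, kv := range parts[2:] {
			if i := strings.Index(kv, "="); i > 0 {
				e.f[kv[:i]] = kv[i+1:]
			}
		}
		out = append(out, e)
	}
	return out
}

// base returns the lower-cased file name of a Windows or POSIX path.
func base(p string) string {
	return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:])
}

// Tools from the intrusion chain. 7-Zip and MEGAsync are legitimate software; they are
// flagged because, on a file server, they mark the staging and exfiltration steps.
var toolNames = map[string]string{
	"mimikatz.exe": "credential dumping",
	"adfind.exe":   "Active Directory enumeration",
	"7z.exe":       "data staging (archive)",
	"megasync.exe": "cloud exfiltration client",
}

const bruteThreshold = 5 // assumed: failed RDP logons from one source before alerting

// Analyze runs all rules over the log text and returns every finding, in event order.
func Analyze(lines string) []Finding {
	var out []Finding
	failed := map[string]int{}  // "host|src" -> failed RDP logons seen
	staged := map[string]bool{} // hosts on which 7-Zip has run
	for _, e := range parse(lines) {
		switch e.kind {
		case "logon":
			// Rule 1: burst of failed RDP (logon type 10) logons from one source.
			if e.f["id"] == "4625" && e.f["ltype"] == "10" {
				k := e.host + "|" + e.f["src"]
				failed[k]++
				if failed[k] == bruteThreshold {
					out = append(out, Finding{e.host, "rdp-bruteforce",
						fmt.Sprintf("%d+ failed RDP logons from %s", bruteThreshold, e.f["src"])})
				}
			}
		case "service":
			// Rule 2: PsExec installs its PSEXESVC service on the target (System 7045).
			if e.f["id"] == "7045" && strings.Contains(strings.ToLower(e.f["name"]+e.f["path"]), "psexesvc") {
				out = append(out, Finding{e.host, "psexec-service", "PSEXESVC installed: " + e.f["path"]})
			}
		case "process":
			img, parent := base(e.f["image"]), base(e.f["parent"])
			// Rule 3: known tooling from the intrusion chain.
			if why, ok := toolNames[img]; ok {
				out = append(out, Finding{e.host, "tooling", img + ": " + why})
			}
			// Rule 4: 7-Zip followed by MEGAsync on the same host = staging then exfiltration.
			if img == "7z.exe" {
				staged[e.host] = true
			}
			if img == "megasync.exe" && staged[e.host] {
				out = append(out, Finding{e.host, "stage-and-exfil", "archive created, then MEGAsync launched"})
			}
			// Rule 5: a batch file launched under PsExec or WMI = remote deployment.
			if img == "cmd.exe" && (parent == "psexesvc.exe" || parent == "wmiprvse.exe") &&
				strings.Contains(strings.ToLower(e.f["cmdline"]), ".bat") {
				out = append(out, Finding{e.host, "remote-batch", parent + " -> " + e.f["cmdline"]})
			}
		}
	}
	return out
}

func main() {
	for _, f := range Analyze(sampleLogs) {
		fmt.Printf("%-5s %-16s %s\n", f.Host, f.Rule, f.Detail)
	}
}
```

Rule 4 is the one worth keeping even if the others are noisy: 7-Zip and MEGAsync are each common on their own, but an archive being created and then a personal cloud sync client starting on the same server is the exfiltration step itself, and it fires before the ransomware is deployed.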

Encryption

When Nephilim is executed, it encrypts every target file using a combination of AES-128 and RSA-2048. Each file is encrypted with an AES-128 key, and that AES key is then encrypted with an RSA-2048 public key embedded in the ransomware executable (.exe); the encrypted AES key is appended to the encrypted file, so only the holder of the matching RSA private key can recover it.
Once all target files are encrypted, Nephilim drops a ransom note, 'NEFILIM-DECRYPT.txt', that gives the victim instructions on how to recover their files.
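The hybrid scheme described above is why no decryptor exists without the attacker's private key: each file carries its own AES key, but only in RSA-wrapped form. The following is an added example written for this page, not Nefilim's code or a reconstruction of its file format: it implements the same structure with Go's standard library, using AES-128-GCM and RSA-2048-OAEP and an assumed layout of nonce, ciphertext and the wrapped key appended at the end (the mode, the OAEP padding and that layout are choices made here, not details given on the page).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed on-disk layout for this example (the page does not give Nefilim's real format):
//   nonce || AES-128-GCM ciphertext+tag || RSA-2048-OAEP(per-file AES key)
// The per-file AES key exists in clear only inside the encrypting process.
const (
	aesKeyLen = 16          // AES-128
	rsaBits   = 2048        // RSA-2048
	wrapLen   = rsaBits / 8 // 256 bytes: one RSA-2048 ciphertext
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile is the ransomware side: it needs only the embedded public key.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, aesKeyLen) // fresh AES key for every file
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return append(blob, wrapped...), nil // wrapped key appended to the encrypted file
}

// DecryptFile is the decryptor the attacker sells: it needs the RSA private key.
func DecryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < wrapLen {
		return nil, errors.New("blob too short to hold a wrapped key")
	}
	body, wrapped := blob[:len(blob)-wrapLen], blob[len(blob)-wrapLen:]
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(body) < ns {
		return nil, errors.New("blob too short to hold a nonce")
	}
	return gcm.Open(nil, body[:ns], body[ns:], nil)
}

// WrappedKey returns the RSA-wrapped AES key at the end of an encrypted file: it is what
// an analyst can recover from disk, and it is useless without the private key.
func WrappedKey(blob []byte) []byte { return blob[len(blob)-wrapLen:] }

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample file contents")
	blob, err := EncryptFile(&priv.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	back, err := DecryptFile(priv, blob)
	fmt.Printf("encrypted %d bytes into %d (wrapped key %d); roundtrip ok: %v\n",
		len(doc), len(blob), len(WrappedKey(blob)), err == nil && bytes.Equal(back, doc))
}
```

Two properties follow directly from the structure and are worth checking on real samples: the last 256 bytes differ for every file even when the contents are identical (a fresh AES key and fresh OAEP randomness each time), and recovering one file's AES key by any means does not help with the next file. Memory forensics on a machine caught mid-encryption is the only realistic route to plaintext keys.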