Introduction

Nephilim ransomware, which is also known as Nefilim, made its first appearance in 2020 as it was being distributed through the targeting vulnerabilities in Citrix gateway devices.
Attacks involving the Nephilim ransomware have been frequent and have been recorded to target organisations of medium to large size from many countries.
There is no decryptor for any of the active variants of the Nephilim ransomware and the average ransom required is $701,494 which can be paid via emails addresses provided in the ransomware note.

Modus Operandi

Initial access

The threat actor uses two ways of gaining initial access: targeting exposed Remote Desktop Protocol (RDP) setups by brute-forcing them or exploiting known vulnerabilities like CVE-2019-11634 and CVE-2019-19781 in Citrix gateway devices. As soon as the threat actor gains initial access, they download Nephilim ransomware, files, and exfiltration tools: Mimikatz, AdFind and Cobalt Strike.
The threat actor then uses the Mimikatz tool to harvest credentials for lateral movement, and then use the AdFind tool to explore Active Directory when they reach it. The threat actor also downloads and run Cobalt Strike to assistance with the lateral movement. After mapping the target network, the threat actor will copy the data from servers and shared network directories to a local directory on a compromised machine where the data is compressed with a 7zip binary. Then MEGAsync is installed which is used to synchronizes folders between the compromised machine and a cloud drive owned by the threat actor. And therefore, the threat actors can exfiltrate the 7zip compressed data file out of the target’s network.