Nefilim is a ransomware-as-a-service operation that emerged in March 2020 and evolved from the Nemty family, employing double extortion by exfiltrating data before encryption. It has targeted North and South American financial, manufacturing, and transportation sectors, and AttackIQ presents an emulation to help security teams validate defenses and detections. #Nefilim #Nemty
Keypoints
- Nefilim operates as a RaaS with a 30%/70% profit split between operators and affiliates, targeting multiple sectors in the Americas.
- The group uses double extortion, exfiltrating data prior to encryption and leaking it over time to pressure victims.
- Encryption uses AES-128 with the key encrypted by an embedded RSA-2048 public key; encrypted files bear the .NEFILIM extension and a NEFILIM marker, with a NEFILIM-DECRYPT.txt ransom note.
- Initial access commonly comes from brute-forcing exposed RDP; some affiliates exploit Citrix gateway vulnerabilities (CVE-2019-11634, CVE-2019-19781).
- Credential dumping with Mimikatz or LaZagne precedes lateral movement via RDP; PsExec/WMI are used for network deployment and execution.
- Discovery and lateral movement involve local/network discovery (files, peripherals, remote systems, network shares) and remote access via RDP and WMI.
- The emulation aims to help security teams validate detections and improve prevention across the MITRE ATT&CK techniques listed below.
MITRE Techniques
- [T1110] Brute Force – ‘During its activities, Nefilim has been primarily distributed through brute forcing of exposed Remote Desktop Protocol (RDP) setups.’
- [T1190] Exploit Public-Facing Application – ‘observed targeting organizations using unpatched or poorly secured Citrix gateway devices by abusing known vulnerabilities such as CVE-2019-11634 and CVE-2019-19781.’
- [T1003] OS Credential Dumping – ‘retrieve credentials from the system through the deployment of the Mimikatz hacktool. If not possible, the LaZagne tool is employed as an alternative.’
- [T1105] Ingress Tool Transfer – ‘Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.’
- [T1021.001] Remote Services: Remote Desktop Protocol – ‘Remote Desktop is the built-in remote access utility used by Windows. This scenario attempts to remotely connect to another accessible asset with stolen credentials.’
- [T1047] Windows Management Instrumentation – ‘Windows Management Instrumentation (T1047): This scenario attempts to move laterally to any available asset inside the network through the use of WMI. If the remote asset can be accessed, a configurable command is executed.’
- [T1548.002] Bypass User Account Control – ‘Bypass User Account Control (T1548.002): The malware attempts to disable UAC by setting a registry key.’
- [T1486] Data Encrypted for Impact – ‘Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithms observed in Nefilim ransomware.’
- [T1083] File and Directory Discovery – ‘File and Directory Discovery (T1083): This scenario uses the native dir command to find files of interest and output to a temporary file.’
- [T1120] Peripheral Device Discovery – ‘Peripheral Device Discovery (T1120): This scenario retrieves information about system peripherals such as logical drives, physical memory, and network cards through the execution of commands and binaries.’
- [T1018] Remote System Discovery – ‘Remote System Discovery (T1018): This scenario will perform Active Directory discovery by leveraging the Adfind utility.’
- [T1135] Network Share Discovery – ‘Network Share Discovery (T1135): The native net tools are used to list all of the local mapped network shares with net share.’
Indicators of Compromise
- [File Extension] – Encrypted files use the .NEFILIM extension; example: document.docx.NEFILIM, image.png.NEFILIM
- [File Name] – NEFILIM-DECRYPT.txt ransom note dropped on infected systems
- [File Marker] – The ransomware adds the “NEFILIM” string as a marker to all encrypted files
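As an added example that is not part of the AttackIQ write-up, the following Python triage scan checks a directory tree for the three file-system indicators above (ransom note name, .NEFILIM extension, and the NEFILIM marker string). The write-up does not say where in an encrypted file the marker sits, so searching only the head and tail of each file is an assumption, and the sample files are constructed.

```python
"""Triage scan for the Nefilim file-system indicators (added example)."""
from __future__ import annotations
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up
RANSOM_EXT = ".NEFILIM"               # appended to encrypted files
RANSOM_NOTE = "NEFILIM-DECRYPT.txt"   # ransom note dropped on infected hosts
FILE_MARKER = b"NEFILIM"              # marker string written into encrypted files
# Assumption: marker position is not documented, so only the first and last
# CHUNK bytes of each file are searched (keeps the scan cheap on large files).
CHUNK = 64 * 1024


def classify_file(path: Path) -> list[str]:
    """Return the indicator labels that match one file (empty list = no hit)."""
    hits = []
    if path.name == RANSOM_NOTE:
        hits.append("ransom_note")
    if path.suffix.upper() == RANSOM_EXT:
        hits.append("extension")
    try:
        size = path.stat().st_size
        with path.open("rb") as fh:
            head = fh.read(CHUNK)
            tail = b""
            if size > CHUNK:            # large file: also look at the end
                fh.seek(size - CHUNK)
                tail = fh.read(CHUNK)
    except OSError:
        return hits                     # unreadable file: keep name-based hits only
    if FILE_MARKER in head or FILE_MARKER in tail:
        hits.append("marker")           # weakest signal alone; strong with the others
    return hits


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk root and map each flagged file (relative POSIX path) to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            hits = classify_file(p)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample files (not real artefacts) so the scan runs offline."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "report.docx.NEFILIM").write_bytes(b"\x8f\x12" * 32 + FILE_MARKER)
    (root / "docs" / "notes.txt").write_bytes(b"plain text, nothing suspicious\n")
    (root / "docs" / RANSOM_NOTE).write_text("constructed ransom note placeholder\n")
    (root / "renamed.bin").write_bytes(b"\x00" * 16 + FILE_MARKER + b"\x00" * 16)


def demo_scan() -> dict[str, list[str]]:
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return scan_tree(Path(tmp))


if __name__ == "__main__":
    for rel, hits in sorted(demo_scan().items()):
        print(f"{rel}: {', '.join(hits)}")
```

A marker hit on its own can be a benign text file that merely mentions the name, so triage should weight it lower than the extension or note hits, which the scan reports separately for that reason.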
Read more: https://www.attackiq.com/2024/07/11/emulating-nefilim-ransomware/