{
	"id": "79606861-38b0-42b1-9537-57a3088127b1",
	"created_at": "2026-04-06T00:15:06.471403Z",
	"updated_at": "2026-04-10T03:20:51.93212Z",
	"deleted_at": null,
	"sha1_hash": "1a3eb6fef3f1917d17b4e5723829dd4ff13fe2bb",
	"title": "How to Beat Nefilim Ransomware Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 373158,
	"plain_text": "How to Beat Nefilim Ransomware Attacks\r\nBy Suleyman Ozarslan, PhD\r\nPublished: 2020-12-03 · Archived: 2026-04-05 14:12:29 UTC\r\nA Detailed Walkthrough of Nefilim Ransomware TTPs\r\nOver the course of 2020, the number of ransomware attacks has increased enormously. As an emerging ransomware family,\r\nNefilim has caused dozens of high-profile breaches since March 2020. In this blog post, we describe the tactics, techniques and\r\nprocedures (TTPs) used by the Nefilim threat actors, since detecting and blocking the TTPs a threat relies on is the most\r\neffective way to stop that threat. TTPs let us detect potential intrusions and analyze the behavior of those\r\nattempting to intrude.\r\nOur analysis uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) version 8\r\nframework. See ATT\u0026CK for Enterprise version 8.1 for all referenced threat actor tactics and techniques.\r\nThis blog describes:\r\nTTPs used by the Nefilim ransomware, categorized under MITRE ATT\u0026CK tactics and techniques.\r\nAn example threat in the Picus Threat Library that can be used to simulate each TTP.\r\nAn example mitigation rule in the Picus Mitigation Library that can be used to prevent or detect the given TTP.\r\n1. Initial Access\r\nAdversaries use Initial Access techniques to gain a foothold in the target network.\r\n1.1 MITRE ATT\u0026CK T1190 Exploit Public-Facing Application\r\nNefilim operators exploit public-facing applications for initial access. They mainly use CVE-2019-19781, a directory traversal\r\nvulnerability in Citrix ADC and Gateway that allows unauthenticated remote code execution. 
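The traversal that the vendor signatures listed below for this TTP all key on can also be checked directly in web-server, proxy or load-balancer access logs. The Python script that follows is an added example, not code from the original post or from Picus: it percent-decodes each request path (repeatedly, so double-encoded sequences surface), flags any request that reaches the /vpns/ directory through a /../ segment, and separately flags a traversal sequence in the NSC_USER header that the F5 signature name refers to. The sample requests are constructed for the example, and the indicator labels are my own. Unlike Citrix's responder-policy mitigation, a log check has no SSL VPN session state to consult, so it keys on the dot-dot segment rather than on whether the client was authenticated.

```python
from urllib.parse import unquote

# Constructed sample requests (path + headers); not real Citrix access-log entries.
SAMPLE_REQUESTS = [
    {'path': '/vpn/index.html', 'headers': {}},
    {'path': '/vpn/../vpns/cfg/smb.conf', 'headers': {}},
    {'path': '/vpn/%2e%2e/vpns/cfg/smb.conf', 'headers': {}},
    {'path': '/vpn/..%252f..%252fvpns/cfg/smb.conf', 'headers': {}},
    {'path': '/vpns/portal/scripts/', 'headers': {'NSC_USER': '../../../evil'}},
    {'path': '/vpns/portal/index.html', 'headers': {'nsc_user': 'alice'}},
]


def fully_decode(value, rounds=3):
    '''Percent-decode until the value stops changing (bounded), so double encoding cannot hide /../.'''
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(path, headers):
    '''Return the indicator labels (my own names, an assumption) that one request matches.'''
    findings = []
    decoded_path = fully_decode(path).lower()
    # The handlers abused by CVE-2019-19781 live under /vpns/; an unauthenticated client
    # reaches them by climbing out of /vpn/ with a dot-dot segment, which is what the
    # vendor directory-traversal signatures match.
    if '/vpns/' in decoded_path and '/../' in decoded_path:
        findings.append('vpns_path_traversal')
    # NSC_USER is the header the F5 signature name refers to; a traversal sequence in its
    # value has no legitimate use and is the second half of the same attack.
    nsc_user = next((v for k, v in headers.items() if k.lower() == 'nsc_user'), '')
    if '../' in fully_decode(nsc_user):
        findings.append('nsc_user_traversal')
    return findings


def scan(requests):
    '''Return (index, findings) for every request that matched at least one indicator.'''
    results = []
    for i, req in enumerate(requests):
        findings = classify_request(req['path'], req['headers'])
        if findings:
            results.append((i, findings))
    return results


if __name__ == '__main__':
    for i, findings in scan(SAMPLE_REQUESTS):
        print(i, SAMPLE_REQUESTS[i]['path'], findings)
```

Run it over the raw request line as the client sent it, before any front-end normalizes the path, otherwise the /../ segment is collapsed away before the check sees it; the bounded decode loop is what makes the %252e variant match alongside the plain and single-encoded forms.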
The Picus Threat Library includes 600+ vulnerability exploitation threats, each\r\nassociated with the relevant CVE (Common Vulnerabilities and Exposures) identifier.\r\nThe following threats in the Picus Threat Library can be used to simulate this TTP:\r\nThreat ID | Threat Name\r\n321318 | Citrix Application Delivery Controller (ADC) and Gateway Path Traversal Vulnerability Variant-1\r\n311195 | Citrix Application Delivery Controller (ADC) and Gateway Path Traversal Vulnerability Variant-2\r\nhttps://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks\r\nPage 1 of 10\r\nThe following mitigation signatures can be used to prevent CVE-2019-19781 exploitation:\r\nSecurity Product | Signature ID | Signature Name\r\nCheck Point NGFW | asm_dynamic_prop_CVE_2019_19781 | Citrix Multiple Products Directory Traversal (CVE-2019-19781)\r\nCisco Firepower NGFW | 1.52512.2, 1.52603.1 | SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt\r\nF5 BIG-IP | 200004998 | Citrix NetScaler NSC_USER Remote Code Execution\r\nForcepoint NGFW | | HTTP_CRL-Citrix-Path-Traversal-CVE-2019-19781\r\nFortiGate IPS | 48653 | Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal\r\nFortiWeb WAF | 090501033 | Known Exploits\r\nMcAfee NSP | 0x45272800 | HTTP: Citrix ADC Arbitrary Code Execution Vulnerability (CVE-2019-19781)\r\nPalo Alto Networks NGFW | 57497 | Citrix Application Delivery Controller And Gateway Directory Traversal Vulnerability\r\nTippingPoint TPS | 36876 | HTTP: Citrix Application Delivery Controller (ADC) Directory Traversal Vulnerability\r\nAll of these signatures match the request on the wire, so they only help when the Citrix appliance sits behind the inspecting device and the TLS session is terminated or decrypted in front of it; patching the appliance remains the actual fix.\r\n2. Execution\r\n2.1 MITRE ATT\u0026CK T1106 Native API\r\nNefilim calls the native OS application programming interface (API) directly to execute its behaviors, rather than going through\r\nhigher-level tooling that would leave command-line artifacts.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n338852 Execution through API Attack Scenario | 8418 New Process Creation via CreateProcess API Call\r\n3. Defense Evasion\r\n3.1 MITRE ATT\u0026CK T1055 Process Injection\r\nThe Nefilim ransomware creates a new wermgr.exe (Windows Error Reporting manager) process and injects its payload\r\ninto it to evade process-based defenses. You can read our process injection blog post for a detailed description of this method.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n481103 Process Injection Attack Scenario | 6443 Reflective Portable Executable Injection\r\n3.2 MITRE ATT\u0026CK T1574.002 Hijack Execution Flow: DLL Side-Loading\r\nNefilim uses WerFault.exe and wermgr.exe for DLL side-loading, a defense evasion technique in which adversaries place a\r\nmalicious DLL where a trusted, signed application will load it, so the payload runs inside a legitimate process. WerFault.exe is the Windows Error\r\nReporting binary used by many different programs to report errors.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n286264 DLL Side-Loading by using Xwizard.exe | 6042 Arbitrary DLL Load\r\n3.3 MITRE ATT\u0026CK T1562.001 Impair Defenses: Disable or Modify Tools\r\nThe Nefilim ransomware uses a batch file to stop services and kill processes on the local host. This batch file invokes\r\ntaskkill.exe through cmd.exe to terminate a predefined list of services and processes, which in ransomware kill lists are typically the\r\nbackup agents, database engines and security tools that would otherwise hold files open or block encryption. Nefilim distributes this batch file to\r\nmultiple hosts using two batch files. 
One of the batch files uses the ‘copy’ command, and the other uses WMI with hard-coded admin credentials.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n650331 Stop Service Attack Scenario | 8863 Critical Services Termination with TaskKill Tool\r\n3.4 MITRE ATT\u0026CK T1070.004 Indicator Removal on Host: File Deletion\r\nNefilim removes itself from the target system after infection with the following command:\r\ndel \"C:\\Users\\admin\\AppData\\Local\\Temp\\\u003cransomware_file_name\u003e.exe\" /s /f /q\r\nThe /s switch deletes matching files in all subdirectories, /f forces deletion of read-only files and /q suppresses the confirmation prompt,\r\nso the binary is gone by the time responders arrive and its original name and hash have to come from process-creation records (Sysmon Event ID 1) rather than from disk.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n681453 Indicator Removal on Host Attack Scenario | 6467 Defense Evasion by Windows Security Event Log Deletion\r\n3.5 MITRE ATT\u0026CK T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion\r\nNefilim uses the following ‘timeout’ command to delay the execution of the ‘del’ command. Adversaries also use this command\r\nto outlast the analysis window of a sandbox.\r\n\"C:\\Windows\\System32\\cmd.exe\" /c timeout /t 3 /nobreak\r\nThe /t 3 argument waits three seconds and /nobreak prevents a keypress from cutting the wait short.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n744943 Virtualization/Sandbox Evasion by using Timeout Command in Command-Line Tool | 2313 Sandbox Evasion by Pausing The Command Processor via Timeout Command\r\n4. Credential Access\r\nThe Nefilim threat actor uses hard-coded admin credentials with PsExec and WMI to execute commands and binaries on\r\nremote hosts (lateral movement). Since these credentials are hard-coded in the batch files, they must have been stolen before the attack\r\nwith credential access techniques.\r\n4.1 MITRE ATT\u0026CK T1056.001 Input Capture: Keylogging\r\nThe Nefilim ransomware creates a DirectInput object using the DirectDrawCreateEx function to capture keystrokes.\r\nNote that DirectDrawCreateEx creates a DirectDraw (graphics) object rather than a DirectInput device, so this indicator comes from a generic\r\ndynamic-analysis signature; before treating a sample as a keylogger, confirm DirectInput8Create, GetAsyncKeyState or a keyboard hook in the sample itself.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n431235 Input Capture Attack Scenario | 5924 User Input Capture via PowerShell Script\r\n4.2 MITRE ATT\u0026CK T1003 OS Credential Dumping\r\nNefilim uses the Mimikatz tool to obtain usernames and passwords that are useful for gaining access to additional systems\r\nin the target network.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n393510 Credential Dumping using Mimikatz Tool | 4920 Password and Hash Dump via Mimikatz\r\n5. Discovery\r\nInterestingly, the batch files used by Nefilim include hard-coded internal IP addresses, admin credentials, service names and\r\nprocess names. This means Nefilim attacks are highly targeted: the hard-coded information requires an intensive\r\ndiscovery operation prior to the attack. Dynamic analysis of the Nefilim ransomware samples shows that the following\r\ntechniques are used by Nefilim to discover the required information.\r\n5.1 MITRE ATT\u0026CK T1518.001 Software Discovery: Security Software Discovery\r\nThe Nefilim ransomware uses the IsDebuggerPresent, CheckRemoteDebuggerPresent and NtQueryInformationProcess API\r\nfunctions to check whether a user-mode debugger is attached. Debuggers are used by security analysts to inspect malware\r\nbehavior at run time; in the presence of a debugger, the malware samples exhibited less malicious behavior. 
Moreover,\r\nNefilim uses the NtSetInformationThread API function to evade debugging; with the ThreadHideFromDebugger information class,\r\nthe calling thread stops delivering debug events to an attached debugger. In later ATT\u0026CK versions these anti-debugging checks have their own technique, T1622 Debugger Evasion.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n112771 Security Software Discovery Attack Scenario | 3379 Security Software Discovery\r\n5.2 MITRE ATT\u0026CK T1018 Remote System Discovery\r\nNefilim reads the hosts file (C:\\Windows\\System32\\drivers\\etc\\hosts) to get a listing of other systems by IP address\r\nand hostname on the network that may be used for Lateral Movement from the current system.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n101233 Gather Windows Host File | 6813 Remote System Discovery by Obtaining Mappings of IP Addresses to Host Names\r\n5.3 MITRE ATT\u0026CK T1082 System Information Discovery\r\nThe Nefilim ransomware queries volume information (disk volume name and serial number) and the Cryptographic Machine\r\nGUID. Ransomware families use the Cryptographic Machine GUID and volume serial number to generate a unique identifier\r\nfor the host for the encryption/decryption process.\r\nNefilim obtains the Cryptographic Machine GUID by querying the MachineGuid value under the following Registry key:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n793307 Query Cryptographic Machine GUID in Registry | 6886 System Information Discovery via Querying MachineGuid Key Value in Registry\r\n5.4 MITRE ATT\u0026CK T1083 File and Directory Discovery\r\nLike typical ransomware, Nefilim enumerates files before encrypting them. It walks directories with the\r\nFindFirstFileW and FindNextFileW file enumeration functions and compares names and extensions with lstrcmpiW to decide which files to encrypt.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n286738 File and Directory Discovery Attack Scenario | 4771 Sensitive Information Discovery by Searching Filenames\r\n6. Lateral Movement\r\nLateral Movement refers to the tactic adversaries use to move through a network to access and control remote assets in the\r\nnetwork. To accomplish Lateral Movement, adversaries may use legitimate tools with valid accounts as well as their own remote\r\naccess tools.\r\n6.1 MITRE ATT\u0026CK T1570 Lateral Tool Transfer\r\nThe Nefilim ransomware downloads the PsExec.exe tool, and it also abuses the Windows built-in WMI (Windows\r\nManagement Instrumentation) utility for lateral movement. PsExec is a free Microsoft Sysinternals tool that can execute\r\ncommands and binaries on remote systems and copy a file to them over a network share. Nefilim uses PsExec and\r\nWMI with hard-coded admin credentials to remotely execute the batch files and the ransomware binary on remote hosts.\r\nPsExec works by copying a service binary to the target's ADMIN$ share and installing it as a service (PSEXESVC by default), so a\r\nSystem log Event ID 7045 service installation on the remote host, together with the SMB write to ADMIN$, is a reliable place to catch it even when the command line on the source host is missed.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n526471 Remote File Encryption with PsExec | 3244 PsExec Tool Remote Command Execution\r\n7. Collection\r\nAdversaries use the techniques in the Collection tactic to gather information relevant to their objectives. Various data types\r\nsuch as text, audio and video are collected from multiple sources such as the local system, cloud storage, network drives, removable\r\nmedia and the clipboard. 
The next goal after data collection is often to exfiltrate the data.\r\n7.1 MITRE ATT\u0026CK T1056.001 Input Capture: Keylogging\r\nThe Nefilim ransomware creates a DirectInput object using the DirectDrawCreateEx function to capture keystrokes.\r\nKeylogging serves both the Credential Access and the Collection tactic.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n431235 Input Capture Attack Scenario | 5924 User Input Capture via PowerShell Script\r\n8. Exfiltration\r\nAdversaries use techniques in the Exfiltration tactic to steal data from your network. They encrypt or compress the data to be\r\nexfiltrated and use different channels and protocols to avoid detection. For example, the Nefilim ransomware compresses\r\ncollected files and exfiltrates them to cloud storage.\r\nData loss protection is one of the top-priority issues for CISOs today. Organizations use DLP solutions to protect and\r\nsecure their data and comply with regulations. Picus simulates the exfiltration of a wide range of data over different channels\r\nto test the effectiveness of both network- and endpoint-based data loss prevention (DLP) solutions. The Picus Threat Library\r\nincludes hundreds of data files consisting of different types of information mapped to standards and regulations, including\r\nPII, PCI DSS, PHI, GDPR, HIPAA and PIPEDA, confidential files such as OS password files, and intellectual property (IP)\r\ndata.\r\nSome examples of data exfiltration attacks in the Picus Threat Library are given in the following table:\r\nPicus Threat Library - Threat\r\n107307 Italy PCI and PII Information Exfiltration including Full Credit Card Info\r\n893939 Italy PII Info. Exfiltration including Codice Fiscale\r\n727983 IBAN Numbers of 100 Countries Exfiltration in XLSX Format\r\n8.1 MITRE ATT\u0026CK T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\nNefilim operators use the MEGAsync application to exfiltrate data to cloud storage. MEGAsync synchronizes\r\nfolders between the infected computer and an adversary-controlled MEGA cloud drive. Because the transfer is ordinary TLS traffic to MEGA's domains,\r\nthe practical controls are alerting on the MEGAsync installer and process on servers, and egress filtering of MEGA's domains where the service is not sanctioned.\r\n9. Impact\r\nThe Impact tactic covers techniques that manipulate, interrupt, or destroy systems to disrupt availability, compromise\r\nintegrity, or cover up a confidentiality breach.\r\n9.1 MITRE ATT\u0026CK T1486 Data Encrypted for Impact\r\nLike other ransomware, Nefilim encrypts files on the target system with AES-128 and appends a NEFILIM, NEPHILIM,\r\nMERIN, TRAPGET, MEFILIN, TELEGRAM, SIGARETA or OFFWHITE extension to the encrypted files. It uses an RSA-2048 public key embedded in the\r\nransomware executable to encrypt the AES key, so the files cannot be recovered without the operators' private key. It also drops a file containing\r\nthe ransom note in the root directory, such as C:\\NEFILIM-DECRYPT.txt.\r\nNefilim abuses Microsoft's Enhanced Cryptographic Provider (CryptoAPI) to import keys and encrypt data with API\r\nfunctions such as CryptAcquireContext, CryptImportKey, CryptCreateHash, CryptHashData, CryptDeriveKey,\r\nCryptEncrypt, CryptDestroyKey and CryptReleaseContext. This call sequence is a very specific ransomware TTP, and because the\r\nencryption uses the OS's own provider, no unusual cryptographic library has to be dropped on disk.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n767981 File Encryption with PowerShell | 4737 Cryptography Encryptor and Decryptor Utilization via PowerShell\r\n9.2 MITRE ATT\u0026CK T1490 Inhibit System Recovery\r\nDeleting volume shadow copies is typical ransomware behavior. The Nefilim ransomware uses WMIC to delete all volume\r\nshadow copies on the system to prevent recovery. 
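The command lines this post quotes in sections 3.3, 3.4 and 3.5 and here in 9.2, plus the PsExec usage in 6.1, all surface in process-creation telemetry (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled). The Python script below is an added example, not code from the original post or from Picus: it tokenizes each command line, matches it against a small rule table keyed to the commands on this page, and raises a host-level alert when at least two distinct T1490 recovery-inhibition commands fire on one host within a minute, since a single bcdedit or wbadmin call can be routine administration while the combination rarely is. The sample events, host names, the exact taskkill and PsExec switches and the ransomware file name are constructed assumptions; the sample lines omit the full image paths real telemetry carries, and the tokenizer strips directories so real lines match the same way.

```python
from datetime import datetime, timedelta

# A backslash is spelled chr(92) so the script survives being pasted into
# environments that treat literal backslashes as escape characters.
BACKSLASH = chr(92)

# Rule table: (rule name, ATT&CK technique, anchor program, arguments that must all be present).
# bcdedit, wbadmin, timeout and del come from the post; the taskkill and PsExec switches are assumptions.
RULES = [
    ('service_kill_taskkill',      'T1562.001', 'taskkill', {'/f', '/im'}),
    ('self_delete_del',            'T1070.004', 'del',      {'/s', '/f', '/q'}),
    ('timeout_delay',              'T1497.003', 'timeout',  {'/t', '/nobreak'}),
    ('psexec_cleartext_creds',     'T1570',     'psexec',   {'-u', '-p'}),
    ('recovery_disabled_bcdedit',  'T1490',     'bcdedit',  {'/set', 'recoveryenabled', 'no'}),
    ('bootstatus_ignore_failures', 'T1490',     'bcdedit',  {'/set', 'bootstatuspolicy', 'ignoreallfailures'}),
    ('backup_catalog_deleted',     'T1490',     'wbadmin',  {'delete', 'catalog'}),
]

# Constructed process-creation events (timestamp, host, command line); not real telemetry.
SAMPLE_EVENTS = [
    {'ts': '2020-11-30T10:00:01', 'host': 'WS01',  'cmd': 'cmd.exe /c taskkill /f /im sqlservr.exe'},
    {'ts': '2020-11-30T10:00:05', 'host': 'WS01',  'cmd': 'cmd.exe /c timeout /t 3 /nobreak'},
    {'ts': '2020-11-30T10:00:09', 'host': 'WS01',  'cmd': 'cmd.exe /c del ransomware.exe /s /f /q'},
    {'ts': '2020-11-30T10:00:12', 'host': 'WS01',  'cmd': 'bcdedit /set {default} recoveryenabled No'},
    {'ts': '2020-11-30T10:00:13', 'host': 'WS01',  'cmd': 'bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {'ts': '2020-11-30T10:00:14', 'host': 'WS01',  'cmd': 'wbadmin delete catalog -quiet'},
    {'ts': '2020-11-30T10:05:00', 'host': 'WS01',  'cmd': 'psexec.exe 10.0.0.7 -u admin -p Secret123 -d -c start.bat'},
    {'ts': '2020-11-30T11:30:00', 'host': 'ADM02', 'cmd': 'bcdedit /set {default} recoveryenabled No'},
    {'ts': '2020-11-30T11:30:05', 'host': 'ADM02', 'cmd': 'ping 10.0.0.1'},
]


def tokens_of(cmdline):
    '''Lower-case whitespace tokens; non-switch tokens lose their directory and .exe suffix.'''
    out = []
    for tok in cmdline.lower().split():
        if not tok.startswith(('/', '-')):
            tok = tok.replace(BACKSLASH, '/').rsplit('/', 1)[-1]
            if tok.endswith('.exe'):
                tok = tok[:-4]
        out.append(tok)
    return out


def match_rules(cmdline):
    '''Return the (rule name, technique) pairs one command line triggers, in rule-table order.'''
    toks = set(tokens_of(cmdline))
    return [(name, tech) for name, tech, anchor, required in RULES
            if anchor in toks and required <= toks]


def correlate(events, technique='T1490', window=timedelta(seconds=60), min_rules=2):
    '''Per host, report the distinct rules of one technique that fired inside a single time window.'''
    per_host = {}
    for ev in events:
        for name, tech in match_rules(ev['cmd']):
            if tech == technique:
                per_host.setdefault(ev['host'], []).append((datetime.fromisoformat(ev['ts']), name))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            names = {name for t, name in hits[i:] if t - start <= window}
            if len(names) >= min_rules:
                flagged[host] = sorted(names)
                break
    return flagged


if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        for name, tech in match_rules(ev['cmd']):
            print(ev['ts'], ev['host'], tech, name, '<-', ev['cmd'])
    print('recovery inhibited on:', correlate(SAMPLE_EVENTS))
```

The per-command matches are useful on their own for the timeout, del and taskkill patterns, which are rare in interactive administration; the correlation step is what turns the three T1490 commands into a high-confidence alert on WS01 while leaving the lone bcdedit call on ADM02 as a low-priority hit. The PsExec rule is there because hard-coded credentials passed with -u and -p end up verbatim in the process-creation record, which is worth an alert in itself.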
WMIC is a command-line utility\r\nfor accessing WMI.\r\nNefilim also runs bcdedit.exe twice to disable the automatic Windows recovery features by modifying the boot configuration data:\r\nbcdedit /set {default} recoveryenabled No\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nThe first command stops Windows from launching the Recovery Environment automatically after a failed boot, and the second suppresses the\r\nboot-failure handling that would otherwise offer repair options, so a machine that no longer boots cleanly after encryption gives the user no built-in recovery path.\r\nMoreover, the Nefilim ransomware uses wbadmin to delete the backup catalog:\r\nwbadmin delete catalog -quiet\r\nThis removes the catalog that Windows Server Backup uses to locate existing backups, not the backup data itself; if the backup target is still intact,\r\nwbadmin restore catalog -backupTarget:\u003cpath\u003e rebuilds it.\r\nPicus Threat Library - Threat | Picus Mitigation Library - Detection Rule\r\n205796 Inhibit System Recovery by Deleting All Volume Shadow Copies with WMIC | 7087 Shadow Copy Deletion via WMIC Tool\r\n562990 Inhibit System Recovery by Disable Automatic Windows Recovery Features with bcdedit | 3165 Disabling Windows Recovery Features via Bcdedit Tool\r\n407822 Inhibit System Recovery by Deleting Windows Backup Catalog with Vbadmin | 7067 Deleting Windows Backup Catalog via Vbadmin tool\r\nNefilim TTP Map\r\nThe TTP map of Nefilim, built from the TTPs detected across dozens of Nefilim ransomware samples, can be found in the\r\ntable below.\r\nAlthough these TTPs were determined from the Nefilim samples, they are common to most ransomware families. The techniques marked in red\r\nare very specific ransomware TTPs.\r\nConclusion\r\nWe analyzed dozens of Nefilim ransomware samples to determine the tactics, techniques and procedures (TTPs) utilized by\r\nNefilim. Continuously monitoring adversary TTPs within a company’s IT systems allows companies to discover adversary\r\nbehaviors and stop them before they can go any further. Picus emulates adversary TTPs and gives actionable mitigation\r\ninformation for each TTP for building a proactive defense against adversaries and their malware.\r\nSource: https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks"
	],
	"report_names": [
		"how-to-beat-nefilim-ransomware-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434506,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a3eb6fef3f1917d17b4e5723829dd4ff13fe2bb.pdf",
		"text": "https://archive.orkl.eu/1a3eb6fef3f1917d17b4e5723829dd4ff13fe2bb.txt",
		"img": "https://archive.orkl.eu/1a3eb6fef3f1917d17b4e5723829dd4ff13fe2bb.jpg"
	}
}