# New Nefilim Ransomware Threatens to Release Victims' Data **[bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/](https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) March 17, 2020 12:28 PM 0 A new ransomware called Nefilim that shares much of the same code as Nemty has started to become active in the wild and threatens to release stolen data. Nefilim became active at the end of February 2020 and while it not known for sure how the ransomware is being distributed, it is most likely through exposed Remote Desktop Services. [Head of SentinelLabs Vitali Kremez and ID Ransomware's Michael Gillespie both told](https://twitter.com/VK_Intel) BleepingComputer that Nefilim and Nemty 2.5 share much of the same code. The main difference is that Nefilim has removed the Ransomware-as-a-Service (RaaS) component and now relies on email communications for payments rather than a Tor payment site. It is not known if this is a fork of their ransomware from the original operators or if new threat actors obtained the source code to release a new version. ## Nefilim threatens to release data In the Nefilim ransom note, the attackers state that if a user does not pay the ransom in seven days they will release data that was stolen from the network ----- A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. In the past, this would have been seen as an empty threat, but with ransomware infections such as [Maze,](https://www.bleepingcomputer.com/news/security/maze-ransomware-not-getting-paid-leaks-data-left-and-right/) [Sodinokibi,](https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/) [DoppelPaymer, and](https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/) [Nemty all following through with their threats,](https://www.bleepingcomputer.com/news/security/nemty-ransomware-punishes-victims-by-posting-their-stolen-data/) it should no longer be ignored. ## The Nefilim encryption process When encrypting files, Nefilim will encrypt a file using AES-128 encryption. This AES encryption key will then be encrypted by an RSA-2048 public key that is embedded in the ransomware executable. This encrypted AES key will then be added to the contents of each encrypted file and can only be decrypted by the RSA private key known to the ransomware developers. For each encrypted file, Nefilim will append the .NEFILIM extension to the file name. For example, a file called 1.doc would be encrypted and named 1.doc.NEFILIM. **Files encrypted by the Nefilim Ransomware** In addition to the encrypted AES key, the ransomware will also add the "NEFILIM" string as a file marker to all encrypted files as shown below. ----- **NEFILIM file marker** When done, a ransom note named NEFILIM-DECRYPT.txt will be created throughout the system that contains instructions on how to contact the ransomware developers. This ransom note contains different contact emails and the threat that they will leak data if a ransom is not paid within seven days of the "breach". Caption ----- Unfortunately, a brief analysis by Gillespie indicates that this ransomware appears to be secure, which means that there is no current way to recover files for free. The ransomware, though, is still being researched and if new weaknesses we will publish updated information. ### Related Articles: [Industrial Spy data extortion market gets into the ransomware game](https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/) [New RansomHouse group sets up extortion market, adds first victims](https://www.bleepingcomputer.com/news/security/new-ransomhouse-group-sets-up-extortion-market-adds-first-victims/) [Quantum ransomware seen deployed in rapid network attacks](https://www.bleepingcomputer.com/news/security/quantum-ransomware-seen-deployed-in-rapid-network-attacks/) [Ransom payment is roughly 15% of the total cost of ransomware attacks](https://www.bleepingcomputer.com/news/security/ransom-payment-is-roughly-15-percent-of-the-total-cost-of-ransomware-attacks/) [Karakurt revealed as data extortion arm of Conti cybercrime syndicate](https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/) ## IOCs ### Hashes: ``` 5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6 Associated files: NEFILIM-DECRYPT.txt Associated emails: jamesgonzaleswork1972@protonmail.com pretty_hardjob2881@mail.com dprworkjessiaeye1955@tutanota.com Ransom note text: ``` ----- ``` All of your files have been encrypted with military grade algorithms. We ensure that the only way to retrieve your data is with our software. We will make sure you retrieve your data swiftly and securely when our demands are met. Restoration of your data requires a private key which only we possess. A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted. To confirm that our decryption software works email to us 2 files from random computers. You will receive further instructions after you send us the test files. jamesgonzaleswork1972@protonmail.com pretty_hardjob2881@mail.com dprworkjessiaeye1955@tutanota.com ``` [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. -----