{
	"id": "c58c0122-7168-41e0-ac51-16bab07ce4d4",
	"created_at": "2026-04-06T00:14:38.820894Z",
	"updated_at": "2026-04-10T13:13:07.437116Z",
	"deleted_at": null,
	"sha1_hash": "3c4311111b4689dfcfeafb5897da45e3fb5de009",
	"title": "Nefilim Ransomware Attack Through a MITRE Att\u0026ck Lens",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48590,
	"plain_text": "Nefilim Ransomware Attack Through a MITRE Att\u0026ck Lens\r\nBy: Trend Micro Jun 28, 2021 Read time: 14 min (3807 words)\r\nPublished: 2021-06-28 · Archived: 2026-04-05 19:12:01 UTC\r\nNefilim is among a new breed of ransomware families that use advanced techniques for a more targeted and\r\nvirulent attack. It is operated by a group that we track under the intrusion set \"Water Roc\". This group combines\r\nadvanced techniques with legitimate tools, making them significantly harder to detect and respond to before it is too\r\nlate.\r\nThis allows them to remain undetected in the environment for weeks, navigating across it to maximize\r\ntheir damage. Before the attack is even initiated, deep victim profiling is done, allowing them to tailor the ransom with victim-specific extortion pricing.\r\nNefilim is a Ransomware as a Service (RaaS) operation first discovered in March 2020, and\r\nbelieved to have evolved from the earlier Nemty ransomware family. They target multi-billion dollar companies,\r\nprimarily based in North or South America, in the financial, manufacturing or transportation industries. They\r\noperate under a profit share model, where Nefilim earns 30% for their ransomware service, and the remaining\r\n70% goes to the affiliates who provide the network access and implement the active phase of the attack.\r\nLike all ransomware, recovery depends on an offline backup or on paying for the decryption key, as\r\nNefilim ransomware replaces the original files with encrypted versions.\r\nAlong with a new wave of double extortion ransomware families, Nefilim affiliates are\r\nparticularly vicious when victims don’t immediately pay the ransom, leaking their sensitive data over an extended\r\nperiod of time. 
They are one of the few groups that host leaked victim data long-term, for months to years, using it to\r\ndeliver a chilling message to future victims.\r\nThe following is a fictional use case built using an in-depth case study of the Nefilim ransomware family to demonstrate how their typical attack process occurs. The story leverages the MITRE ATT\u0026CK\r\nFramework to define each tactic and technique used, with a detailed table below for further\r\ntechnical information.\r\nVictim Use Case of Nefilim\r\nMeet Company X, a fictional company serving as the victim of a typical Nefilim ransomware\r\nattack. Company X is a global manufacturing organization with a yearly revenue of US$1 billion,\r\nheadquartered in North America, making them an ideal target for Nefilim.\r\nInfiltrating the Environment\r\nDuring their active vulnerability scanning (T1595.002) of Company X’s internet-facing hosts, the adversaries find\r\nthat X has not patched a Citrix Application Delivery Controller vulnerability (CVE-2019-19781). This is a vulnerability they can exploit to gain initial access (T1133) through the exposed Remote Desktop\r\nProtocol (RDP), and so the attack begins!\r\nX’s security team should have maintained an inventory of their exposed services across their environment,\r\nperiodically scanning for vulnerabilities so they can proactively mitigate any potential inroads to their network.\r\nInternet-facing systems such as Citrix should always be a patching priority and managed with strong access\r\ncontrols. Access can be limited with a least-privileged administrative model and strong multifactor\r\nauthentication (M1032) to strengthen account security and prevent credential access. 
If RDP is\r\nunnecessary, which may be why it was left unpatched, then it should be disabled or blocked (M1042). Network\r\nproxies, gateways, and firewalls can also be used to deny direct remote access to internal systems,\r\nblocking the inroad by which the adversaries are entering.\r\nIntrusion Prevention Systems (IPS) can provide an additional layer of protection in advance of patch availability\r\nor patch deployment, which is particularly important for preventing targeted ransomware attacks such as this\r\none. IPS logs also provide relevant information for detecting initial access activities.\r\nOnce the actors have successfully infiltrated X’s network, they begin downloading the additional tools they will\r\nneed to further their plot (T1608). They download a Cobalt Strike beacon to establish a backdoor and persistent\r\naccess to the environment so they can remotely execute commands, and later exfiltrate data. The beacon\r\ncalls back to a Cobalt Strike Command and Control (C\u0026C) server hosted under one of their pre-established shell companies. They also download Process Hacker to stop endpoint security agents (T1489), and\r\nMimikatz to dump credentials (T1003.001), along with other tools they will need throughout their attack.\r\nThe adversaries need elevated permissions to run certain tools as administrators. They take advantage of another\r\nunpatched vulnerability in X’s system (T1068), a Windows COM Elevation of Privilege Vulnerability (CVE-2017-0213). Armed with elevated permissions and credentials courtesy of Mimikatz, they are\r\nready to continue their invasion.\r\nThe use of multiple vulnerabilities that were disclosed several years ago is a reminder of the importance of timely\r\nsoftware updates (M1051) and patch management. 
A threat intelligence program can be developed to help\r\nidentify which software exploits and N-day vulnerabilities may have the most impact on an organization (M1019).\r\nVirtual patching programs can enhance existing patch management processes to further defend against known and\r\nunknown vulnerabilities. Application isolation and sandboxing can also be used to mitigate the impact of\r\nadversaries taking advantage of unpatched vulnerabilities (M1048). Ultimately, an organization needs good\r\napplication security that looks for and detects exploitation behavior.\r\nMimikatz is a popular tool used for dumping plaintext passwords, hashes, Kerberos tickets and other\r\nsensitive data from memory. It can also be used to gain access to other systems within the network through a pass-the-hash attack (T1550). However, Mimikatz has no major legitimate use that would explain admins having it on\r\ntheir systems, so this tool should be treated as suspicious in most cases.\r\nMitigations can be established through strict account management and Active Directory audit policies. Enforcing a least-privileged administrative model (M1018) and limiting credential overlap (M1026)\r\nacross systems helps prevent compromised credentials from enabling lateral movement.\r\nCompleting the Invasion\r\nThe attackers take advantage of tools that already exist in the system to move laterally and expand their invasion\r\n(T1570). They use PsExec to launch taskkill to stop services that could alert X’s security team, and to stop backup\r\nservices (T1489). AdFind gives them vital information about the Active Directory setup, which they use to map out\r\nX’s infrastructure and find other targets of interest (T1018). 
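The PsExec-launched taskkill and service-stop commands described above are a reliable detection point, because the stop has to happen on the victim host before the payload runs. The following Python is an added example written for this page, not code from Trend Micro or from the Nefilim case study: it runs over constructed Sysmon-style process-creation events (Computer, ParentImage and CommandLine fields are assumed) and flags taskkill /IM, net stop and sc stop commands aimed at a watchlist of backup and security processes, rating a hit higher when the parent is the PsExec service binary PSEXESVC.exe. The watchlist entries and host names are illustrative assumptions; build yours from the backup and endpoint security products actually deployed.

```python
# Added example for this page (not Trend Micro code): detect T1489-style service and
# process stops, weighting hits that were launched through the PsExec service binary.
import ntpath

# Constructed watchlists: processes and services an intruder stops before deploying
# ransomware (backup agents, VSS, database engines, endpoint security). Assumed names;
# derive the real list from your asset inventory.
PROTECTED_IMAGES = {
    'veeam.backup.service.exe', 'vssvc.exe', 'sqlservr.exe',
    'msmpeng.exe', 'sense.exe', 'tmbmsrv.exe', 'ntrtscan.exe',
}
PROTECTED_SERVICES = {'veeambackupsvc', 'vss', 'mssqlserver', 'windefend', 'sense'}

# Parent images that mean the command arrived over SMB via PsExec or a clone of it.
REMOTE_EXEC_PARENTS = {'psexesvc.exe', 'paexec.exe'}


def _arg_after(tokens, flag):
    '''Token following the first switch equal to flag, with a / or - prefix stripped.'''
    for i, tok in enumerate(tokens[:-1]):
        if tok.lstrip('/-') == flag:
            return tokens[i + 1]
    return None


def stop_target(cmdline):
    '''Classify one command line.

    Returns ('process', image) for taskkill /IM <image>, ('service', name) for
    net stop <name> or sc stop <name>, and None for anything else. Whitespace
    splitting is enough for these commands; quoted arguments are not expected here.
    '''
    tokens = cmdline.lower().split()
    if not tokens:
        return None
    exe = ntpath.basename(tokens[0])       # real Sysmon records carry a full path
    if exe.endswith('.exe'):
        exe = exe[:-4]
    if exe == 'taskkill':
        target = _arg_after(tokens, 'im')  # taskkill /PID <n> would need a pid-to-image lookup
        return ('process', target) if target else None
    if exe in ('net', 'net1', 'sc'):
        target = _arg_after(tokens, 'stop')
        return ('service', target) if target else None
    return None


def find_service_stops(events):
    '''Return one alert per event that stops a watchlisted process or service.'''
    alerts = []
    for ev in events:
        hit = stop_target(ev['CommandLine'])
        if hit is None:
            continue
        kind, target = hit
        watchlist = PROTECTED_IMAGES if kind == 'process' else PROTECTED_SERVICES
        if target not in watchlist:
            continue
        parent = ntpath.basename(ev['ParentImage']).lower()
        alerts.append({
            'host': ev['Computer'],
            'parent': parent,
            'kind': kind,
            'target': target,
            'command': ev['CommandLine'],
            # Arrival via PSEXESVC.exe means remote execution: treat as high severity.
            'severity': 'high' if parent in REMOTE_EXEC_PARENTS else 'medium',
        })
    return alerts


# Constructed process-creation events (Sysmon event ID 1 shape, trimmed to the fields used).
# Images are bare names here; ntpath.basename handles the full paths real telemetry carries.
SAMPLE_EVENTS = [
    {'Computer': 'WS-042', 'ParentImage': 'PSEXESVC.exe',
     'CommandLine': 'taskkill /F /IM Veeam.Backup.Service.exe'},
    {'Computer': 'WS-042', 'ParentImage': 'PSEXESVC.exe',
     'CommandLine': 'net stop VeeamBackupSvc /y'},
    {'Computer': 'FS-01', 'ParentImage': 'cmd.exe',
     'CommandLine': 'sc stop WinDefend'},
    {'Computer': 'WS-017', 'ParentImage': 'explorer.exe',
     'CommandLine': 'taskkill /F /IM notepad.exe'},
    {'Computer': 'WS-017', 'ParentImage': 'cmd.exe',
     'CommandLine': 'net view FS-01'},
    {'Computer': 'SQL-01', 'ParentImage': 'svchost.exe',
     'CommandLine': 'sc query vss'},
]

if __name__ == '__main__':
    for alert in find_service_stops(SAMPLE_EVENTS):
        print(alert['severity'], alert['host'], alert['parent'], alert['command'])
```

On the sample, the two PSEXESVC.exe-spawned commands on WS-042 come out as high and the local sc stop WinDefend on FS-01 as medium; the notepad kill, net view and sc query produce nothing. In production the same logic belongs in the SIEM as a correlation on the process-creation feed, with the watchlist populated from the services the backup and EDR vendors actually register.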
Over time, they move throughout X’s entire\r\nenvironment, including peripheral devices (T1120) and shared drives (T1135), identifying all the valuable data\r\n(T1083), and, using PowerShell commands, they strategically drop Cobalt Strike beacons on systems\r\nimportant to their attack as they go.\r\nNetwork intrusion detection and prevention systems (M1031) are critical for mitigating adversary activity after initial\r\naccess at the network level. These systems help security teams see that they’ve been breached and track the\r\nattacker’s activities with sensors at the network, cloud, and endpoint/server layers. Network segmentation and\r\nmicrosegmentation can help to inhibit lateral movement and support security monitoring.\r\nExfiltration for Encryption\r\nThe attackers use automated exfiltration (T1020) over the existing C\u0026C channels established with the Cobalt\r\nStrike beacons set up across X’s environment (T1041). The sensitive data is stolen over the File Transfer Protocol\r\n(FTP) in fixed-size chunks to avoid triggering network data transfer threshold alerts (T1030). For any large files,\r\nthey exfiltrate to mega.nz, a legitimate web service (T1567).\r\nTo prevent the exfiltration of data, web-based content can be restricted (M1021) and network traffic can be filtered\r\n(M1037). Any suspicious DNS, HTTP and HTTPS connections should be monitored or blocked entirely. AV\r\nsoftware should also be kept up to date, including its machine learning plug-ins. 
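Chunking transfers below a per-connection byte threshold, as described above, defeats alerts that look at a single transfer; the counter is to sum bytes per source/destination pair over a time window. The following Python is an added example written for this page, not code or a detection from Trend Micro: it parses constructed flow records (timestamp, source, destination, port, bytes) and runs a sliding one-hour window per pair, so that six 40 MiB FTP transfers spaced minutes apart are caught even though no single one crosses a 50 MiB per-transfer threshold. The thresholds, window, hosts and addresses are assumptions for the example.

```python
# Added example for this page (not Trend Micro code): catch exfiltration that is chunked
# below a per-transfer alert threshold by summing bytes per (src, dst) pair over a
# sliding time window.
from collections import defaultdict
from datetime import datetime, timedelta

MiB = 1024 * 1024
PER_TRANSFER_THRESHOLD = 50 * MiB   # the naive rule: alert on one large transfer
WINDOW = timedelta(hours=1)         # assumed window and cumulative threshold
WINDOW_THRESHOLD = 200 * MiB


def parse_flows(lines):
    '''Parse constructed CSV flow records: iso_timestamp,src,dst,dst_port,bytes.'''
    flows = []
    for line in lines:
        ts, src, dst, port, nbytes = line.strip().split(',')
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return sorted(flows)


def big_single_transfers(flows):
    '''What a per-transfer threshold rule would fire on.'''
    return [f for f in flows if f[4] > PER_TRANSFER_THRESHOLD]


def chunked_exfil(flows):
    '''Sliding-window byte sum per (src, dst); one alert per pair that exceeds it.

    Two-pointer scan: for each transfer taken as the window end, drop transfers older
    than WINDOW from the front, then compare the running total with WINDOW_THRESHOLD.
    '''
    by_pair = defaultdict(list)
    for ts, src, dst, _port, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    alerts = []
    for (src, dst), xfers in by_pair.items():
        start, total = 0, 0
        for end, (ts, nbytes) in enumerate(xfers):
            total += nbytes
            while ts - xfers[start][0] > WINDOW:
                total -= xfers[start][1]
                start += 1
            if total > WINDOW_THRESHOLD:
                alerts.append({
                    'src': src, 'dst': dst, 'bytes': total,
                    'transfers': end - start + 1,
                    'window_start': xfers[start][0], 'window_end': ts,
                })
                break   # one alert per pair is enough for the example
    return alerts


# Constructed sample: six 40 MiB FTP pushes eight minutes apart from one workstation to
# an external address (the chunked exfiltration), a workstation copying 40 MiB to an
# internal server every two hours (benign), and one small HTTPS flow. The external
# addresses are documentation ranges, not real infrastructure.
SAMPLE_FLOWS = [
    '2021-06-26T01:00:00,10.10.5.40,10.10.1.5,445,41943040',
    '2021-06-26T02:00:00,10.10.5.23,203.0.113.45,21,41943040',
    '2021-06-26T02:05:00,10.10.5.23,198.51.100.7,443,2097152',
    '2021-06-26T02:08:00,10.10.5.23,203.0.113.45,21,41943040',
    '2021-06-26T02:16:00,10.10.5.23,203.0.113.45,21,41943040',
    '2021-06-26T02:24:00,10.10.5.23,203.0.113.45,21,41943040',
    '2021-06-26T02:32:00,10.10.5.23,203.0.113.45,21,41943040',
    '2021-06-26T02:40:00,10.10.5.23,203.0.113.45,21,41943040',
    '2021-06-26T03:00:00,10.10.5.40,10.10.1.5,445,41943040',
    '2021-06-26T05:00:00,10.10.5.40,10.10.1.5,445,41943040',
]

if __name__ == '__main__':
    flows = parse_flows(SAMPLE_FLOWS)
    print('per-transfer rule fires on:', big_single_transfers(flows))
    for a in chunked_exfil(flows):
        print(a['src'], '->', a['dst'], a['bytes'] // MiB, 'MiB in', a['transfers'], 'transfers')
```

The per-transfer rule never fires on the sample, which is exactly the evasion the chunking buys the attacker; the windowed sum raises one alert for 10.10.5.23 to 203.0.113.45 at the sixth chunk (240 MiB inside the hour), while the internal backup copies stay below the threshold because only one of them ever falls inside a window. Keying the sum on destination rather than protocol also covers the mega.nz path, since the uploads land on the same external address whatever the port.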
As a rule of thumb, it is important to\r\nblock any traffic to a Cobalt Strike C\u0026C server; however, since Cobalt Strike is designed to evade security\r\nmeasures, a multilayer approach is needed for this to be effective.\r\nExecution of Ransomware\r\nAfter a few weeks, the attackers are satisfied that they have identified all valuable data within X’s environment.\r\nThey wait until a weekend to help ensure they remain undetected, and then they deploy the Nefilim ransomware\r\non X’s network. The ransom note is decrypted, then Nefilim imports an RSA-2048 public key and\r\nkeeps it ready for encryption. The Nefilim payload is executed with a command-line argument (T1059)\r\ncontaining the full path of the directory whose files are to be encrypted. All of X’s logical drives are\r\nencrypted, and the decrypted ransom note, named “NEFILIM-DECRYPT.txt”, is written to each one.\r\nSource: https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html"
	],
	"report_names": [
		"nefilim-modern-ransomware-attack-story.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434478,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c4311111b4689dfcfeafb5897da45e3fb5de009.pdf",
		"text": "https://archive.orkl.eu/3c4311111b4689dfcfeafb5897da45e3fb5de009.txt",
		"img": "https://archive.orkl.eu/3c4311111b4689dfcfeafb5897da45e3fb5de009.jpg"
	}
}