{
	"id": "ba0e07c7-d108-4521-a89a-82cf7c63ffb0",
	"created_at": "2026-04-06T00:22:33.559653Z",
	"updated_at": "2026-04-10T03:20:49.679005Z",
	"deleted_at": null,
	"sha1_hash": "59cd1f8ba5c50164b14e83126c4e4e50d7ee7746",
	"title": "Nefilim Hackers Publish Oil Firm Data Online and Continue Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 226035,
	"plain_text": "Nefilim Hackers Publish Oil Firm Data Online and Continue\r\nCampaign\r\nBy CBR Staff Writer\r\nPublished: 2020-06-09 · Archived: 2026-04-05 12:45:41 UTC\r\n“Nefilim’s code shares many notable similarities with Nemty 2.5 ransomware\"\r\nA cyber criminal group known for its Nefilim (Netfilim) ransomware is continuing to target energy companies and\r\nhas published an array of sensitive data belonging to India’s largest offshore drilling company Aban Offshore this\r\nweek.\r\nCybersecurity firm Cyble has confirmed the data breach, which contains business sensitive information relating to\r\nthe firm and its contractors, as well as more than 250 employee passport details.\r\nAban Offshore is India’s largest offshore drilling company and has done extensive work with Iranian firms in\r\noperating five offshore rigs. The latest information dump comes as a growing number of firms have been targeted\r\nand held to ransom by the hackers in recent months.\r\nTrend Micro noted in a security blog: “Nefilim’s code shares many notable similarities with Nemty 2.5\r\nransomware; the main difference is the fact that Nefilim has done away with the Ransomware-as-a-Service (RaaS)\r\ncomponent. It also manages payments via email communication rather than through a Tor payment site.”\r\nhttps://techmonitor.ai/techonology/cybersecurity/nefilim-hackers-publish-oil-firm\r\nPage 1 of 3\n\nThe ransomware uses AES-128 encryption to lock a victim’s files. All files are also marked with a ‘Nefilim’ string\r\nto the files so if a file is oil.doc it would be marked as oil.doc.nefilim. 
In order to decrypt these files the victim\r\nrequires the RSA private key held by the hackers.\r\nNefilim Operator’s Campaign in Full Swing\r\nThe Nefilim ransomware hackers are proving to be a significant threat for companies as they have breached a\r\nnumber of systems and are not hesitant to publish sensitive data online.\r\nYet it’s not just energy firms that are being targeted: Australian-based logistics behemoth Toll Group was also a\r\nvictim of the campaign in May, which successfully breached a Toll Group server. The logistics firm turned down\r\nany attempt to engage with the hackers and pay a fee to restore their system.\r\nToll Group stated in May that: “After detecting this attack, we shut down our IT systems to mitigate the risk of\r\nfurther infection. Toll has refused from the outset to engage with the attacker’s ransom demands, which is\r\nconsistent with the advice of cyber security experts and government authorities.”\r\n“Our ongoing investigations have established that the attacker has accessed at least one specific corporate server.\r\nThis server contains information relating to some past and present Toll employees, and details of commercial\r\nagreements with some of our current and former enterprise customers. The server in question is not designed as a\r\nrepository for customer operational data.”\r\nThe hackers subsequently published a cache of the data on the dark web. 
Toll Group’s last public update on the\r\nincident was at the end of May, in which they noted that they were still in the process of restoring ‘key online\r\nsystems.’\r\nRansomware is a serious issue for firms and is getting more sophisticated: just last February the UK’s cyber\r\nagency NCSC updated its guidance as it had seen “numerous incidents where ransomware has not only encrypted\r\nthe original data on-disk, but also connected USB and network storage drives holding data backups.”\r\nSo all precautions should be taken to ensure that threat actors don’t get access to networks as the damage could be\r\npermanent.\r\nSource: https://techmonitor.ai/techonology/cybersecurity/nefilim-hackers-publish-oil-firm",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://techmonitor.ai/techonology/cybersecurity/nefilim-hackers-publish-oil-firm"
	],
	"report_names": [
		"nefilim-hackers-publish-oil-firm"
	],
	"threat_actors": [],
	"ts_created_at": 1775434953,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59cd1f8ba5c50164b14e83126c4e4e50d7ee7746.pdf",
		"text": "https://archive.orkl.eu/59cd1f8ba5c50164b14e83126c4e4e50d7ee7746.txt",
		"img": "https://archive.orkl.eu/59cd1f8ba5c50164b14e83126c4e4e50d7ee7746.jpg"
	}
}