{
	"id": "a220afe5-1c2d-4d5d-aad5-4231160d6da2",
	"created_at": "2026-04-06T00:15:47.135831Z",
	"updated_at": "2026-04-10T13:11:24.613166Z",
	"deleted_at": null,
	"sha1_hash": "718a682071651167b6daccd71046c5ce4fc1db00",
	"title": "Meet NEMTY Successor, Nefilim/Nephilim Ransomware - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1516756,
	"plain_text": "Meet NEMTY Successor, Nefilim/Nephilim Ransomware -\r\nSentinelLabs\r\nBy Jim Walter\r\nPublished: 2020-05-04 · Archived: 2026-04-05 18:55:42 UTC\r\nRansomware families NEMTY, Nefilim and Nephilim continue to evolve and merge, taking on aspects of other\r\nsuccessful variants that aim to encrypt and extort.\r\nThis is an interesting time to study and follow ransomware trends. In particular, over the last year or two, we have\r\nseen an expansion of ‘mainstream’ ransomware even further into the data extortion and theft realm. It is one thing\r\nto have files encrypted, but having to treat every ransomware infection as a breach adds multiple new layers of\r\ncomplexity for victims of these campaigns. This is especially complex with GDPR and similar legal and\r\ncompliance hurdles to now figure in.\r\nRansomware families like Maze, CLOP, DoppelPaymer, Sekhmet, and Nefilim/Nephilim are examples of threats\r\nwhich, upon infection, result in this complex issue for their victims. While Maze, DopplePayer \u0026 REvil tend to\r\nget the bulk of media coverage, Nephilim is another family which has very quickly risen to prominence with\r\nmultiple damaging campaigns that threaten to publish victims’ sensitive information in the event they fail to\r\n‘cooperate’ with the attacker’s demands.\r\nhttps://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/\r\nPage 1 of 6\n\nOverview\r\nNefilim emerged in March 2020 and shares a substantial portion of code with another ransomware family,\r\nNEMTY. The exact relationship between the actors behind NEMTY and Nefilim/Nephilim is less than clear.\r\nNEMTY launched in August of 2019 as a public affiliate program, and has since gone private. Current data\r\nindicates that rather than the same actors being behind both families, it is more likely that those behind Nephilim\r\n‘acquired’ necessary code out of NEMTY in one way or another.\r\nThe two primary differences between Nefilim and NEMTY are the payment model, and the lack of a RaaS\r\noperation. Nefilim instructs victims to contact the attackers via email, as opposed to directing them to a TOR-based payment portal. To add even more confusion to the family tree, Nefilim appears to have evolved into\r\n‘Nephilim’, and the two are technically similar, differentiated primarily by extension and artifacts in encrypted\r\nfiles.\r\nHowever, there is also intelligence indicating that NEMTY has continued and forked into a new ‘NEMTY\r\nRevenue’ version. This comes after the actors behind NEMTY announced that they would be taking the threat\r\nprivate (no more publicly accessible RaaS operation).\r\nTechnically, Nephilim is not dissimilar from other well-known ransomware families. The primary method of\r\ndelivery is currently vulnerable RDP services. Once the attackers have compromised the environment via RDP,\r\nthey then proceed to establish persistence, to locate and exfiltrate additional credentials where possible, and then\r\nto deliver the ransomware payloads to their intended targets.\r\nNephilim Encryption Protocols\r\nIn the Nephilim samples we have analyzed the actual file encryption is handled via a tag-team of AES-128 and\r\nRSA-2048. Note, the original vendor behind Nefilim/Nephilim advertises it as such as well.\r\nSpecific files are encrypted using AES-128. At that point, an RSA-2048 public key is used to encrypt the AES\r\nencryption key. The public key is subsequently embedded in the ransomware executable payloads. This is one area\r\nthat differs from pure NEMTY, which is known to have used different key lengths. For example, prior versions of\r\nNEMTY have used RSA-8192 as a “master key” for encryption of target configuration data along with the rest of\r\nthe keys (src: Acronis).\r\nhttps://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/\r\nPage 2 of 6\n\nWe are also aware of variants of NEMTY that utilize an RSA-1024 public key for processing the AES encryption\r\nkey. Also, with earlier versions of NEMTY, there was variance across how files of specific size ranges were\r\nhandled. Later versions of NEMTY (aka NEMTY REVENUE 3.1) utilize AES-128 in counter mode, along with\r\nRSA-2048 for encrypting the AES keys. \r\nAt this time only the actors behind Nephilim are able to decrypt affected files. That is to say, there are no known\r\nflaws or methods to bypass the attackers’ safeguards on the encrypted files.\r\nNephilim Post-infection Behavior\r\nAfter infection, encrypted files are given the .Nefilim or .NEPHILIM extension. A similarly named ransom note\r\nis deposited in directories containing encrypted files.\r\nIn some cases, with Nephilim, the ‘NEPHILIM-DECRYPT.txt’ will only be written to\r\n~AppDataLocalVirtualStore. Location and name of the locally-stored desktop wallpaper varies. In recent\r\nNephilim infections, the alternate desktop image is written to %temp% with the filename ‘god.jpg’.\r\nStrings, Distinguishing Traits\r\nAnother hallmark of Nephilim is the use of embedded strings and compiler paths to send “subtle messages”,\r\nprimarily to researchers and analysts it would seem. For example, the following compiler path can be found in\r\nthese samples (both compiled on April 7, 2020):\r\nb8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e\r\nfcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020\r\nWhile the sample\r\nd4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3\r\nfrom March 2020 contains additional jabs at specific AV vendors.\r\nhttps://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/\r\nPage 3 of 6\n\nThis sample was also referenced by @malwrhunterteam in a March 13th tweet.\r\nName \u0026 Shame Strategy\r\nNefilim/Nephilim also threatens to publish sensitive information from the infected environments in the event that\r\nthe victim refuses to cooperate with the attackers’ demands, as evidenced in this typical Nephilim ransom note.\r\nAttempting to negotiate, or refusal to pay, fall under the category of non-compliance. To date, two companies have\r\nbeen published on Nephilim’s “shaming” websites (clearnet and TOR-based). It is worth noting that initially, all\r\nhttps://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/\r\nPage 4 of 6\n\nthe companies listed on their site were oil and energy companies. However, between April 23 and April 27, 2020,\r\nthe group has added three additional victims to the site. One of these is another large oil and gas company, and the\r\nother two are classified as “Apparel and Fashion” and “Engineering and Construction Services”.\r\nMultiple other familles follow this same practice, which turns “basic” ransomware infections into full (and\r\nsometimes catastrophic) data breaches. Other well known families embracing this model are Maze, REvil,\r\nDoppelPaymer, CLOP, Sekhmet, and more recently, Ragnar. We note that Nefilim/Nephilim is also one of the\r\nfamilies that has “vowed” not to attack medical entities, nonprofits and other “critical” entities during the current\r\npandemic.\r\nConclusion\r\nProtecting your environment against threats like Nephilim is more critical than ever. In order to prevent loss of\r\ndata and the consequences of a large-scale data breach, organizations must rely on a modern, well maintained, and\r\nproperly-tuned and trusted security solution. Prevention is key with these attacks. Even in the event that the\r\nencryption/data-loss can be mitigated through decryptors, backups or rollbacks, victims still face the problem of\r\ntheir data being posted publicly. We encourage our customers to analyze and understand the threats and to take\r\nswift and appropriate action to prevent incidents occurring in the first place.\r\nSentinelOne Endpoint Protection detects and prevents malicious actions associated with NEMTY, Nefilim, and\r\nNephilim.\r\nIndicators of Compromise\r\nFor convenience, we provide both SHA256 and SHA1 hashes below.\r\nSHA256\r\n8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2b\r\nb8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e\r\n3080b45bab3f804a297ec6d8f407ae762782fa092164f8ed4e106b1ee7e24953\r\n7de8ca88e240fb905fc2e8fd5db6c5af82d8e21556f0ae36d055f623128c3377\r\nb227fa0485e34511627a8a4a7d3f1abb6231517be62d022916273b7a51b80a17\r\n3bac058dbea51f52ce154fed0325fd835f35c1cd521462ce048b41c9b099e1e5\r\n353ee5805bc5c7a98fb5d522b15743055484dc47144535628d102a4098532cd5\r\n5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6\r\n52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea\r\n35a0bced28fd345f3ebfb37b6f9a20cc3ab36ab168e079498f3adb25b41e156f\r\n7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599\r\n08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641\r\nD4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3\r\nB8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e\r\nfcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020\r\nhttps://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/\r\nPage 5 of 6\n\nSHA1\r\n4595cdd47b63a4ae256ed22590311f388bc7a2d8\r\n1f594456d88591d3a88e1cdd4e93c6c4e59b746c\r\n6c9ae388fa5d723a458de0d2bea3eb63bc921af7\r\n9770fb41be1af0e8c9e1a69b8f92f2a3a5ca9b1a\r\ne99460b4e8759909d3bd4e385d7e3f9b67aa1242\r\ne53d4b589f5c5ef6afd23299550f70c69bc2fe1c\r\nc61f2cdb0faf31120e33e023b7b923b01bc97fbf\r\n0d339d08a546591aab246f3cf799f3e2aaee3889\r\nbbcb2354ef001f476025635741a6caa00818cbe7\r\n2483dc7273b8004ecc0403fbb25d8972470c4ee4\r\nd87847810db8af546698e47653452dcd089c113e\r\nE94089137a41fd95c790f88cc9b57c2b4d5625ba\r\nBd59d7c734ca2f9cbaf7f12bc851f7dce94955d4\r\nf246984193c927414e543d936d1fb643a2dff77b\r\nd87847810db8af546698e47653452dcd089c113e\r\nSource: https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/\r\nhttps://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/"
	],
	"report_names": [
		"meet-nemty-successor-nefilim-nephilim-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434547,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/718a682071651167b6daccd71046c5ce4fc1db00.pdf",
		"text": "https://archive.orkl.eu/718a682071651167b6daccd71046c5ce4fc1db00.txt",
		"img": "https://archive.orkl.eu/718a682071651167b6daccd71046c5ce4fc1db00.jpg"
	}
}