{
	"id": "146ebb9d-1602-4d3c-b5ab-8aea8226e5db",
	"created_at": "2026-04-06T00:07:07.21168Z",
	"updated_at": "2026-04-10T03:20:44.379139Z",
	"deleted_at": null,
	"sha1_hash": "84f2f4a4077bfeb719ea7a54477037dcffdca667",
	"title": "Nefilim Ransomware Gang Tied to Citrix Gateway Hacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 312631,
	"plain_text": "Nefilim Ransomware Gang Tied to Citrix Gateway Hacks\r\nBy Mathew J. Schwartz\r\nArchived: 2026-04-05 12:59:39 UTC\r\nCybercrime , Fraud Management \u0026 Cybercrime , Governance \u0026 Risk Management\r\nCampaign Targets Unpatched Software and Weak Authentication, Defenders Warn (euroinfosec) • June 22, 2020  \r\n \r\nCERT New Zealand issued an alert\r\nA crime gang seeking \"ransomware attack opportunities\" is targeting organizations that use unpatched or poorly\r\nsecured Citrix remote-access technology, then stealing data, unleashing crypto-locking malware and using the\r\nthreat of exfiltrated data being publicly dumped to try to force payment, New Zealand's national computer\r\nemergency response team warns.\r\nSee Also: OnDemand | Transform API Security with Unmatched Discovery and Defense\r\nIn an alert issued last week, and subsequently amplified by the U.S. Department of Homeland Security's\r\nCybersecurity and Infrastructure Security Agency, CERT NZ says that a \"sophisticated and well-crafted\" attack\r\ncampaign has been hitting unprepared organizations with Nefilim - aka Nephilim - ransomware.\r\n\"We are aware of attackers accessing organizations' networks through remote access systems, such as remote\r\ndesktop protocol and virtual private networks, as a way to create ransomware attack opportunities,\" CERT NZ's\r\nsecurity alert says. \"They are gaining access through weak passwords, organizations not using multifactor\r\nauthentication as an extra layer of security, or a remote access system that isn’t patched.\"\r\nhttps://www.govinfosecurity.com/nephilim-ransomware-gang-tied-to-citrix-gateway-hacks-a-14480\r\nPage 1 of 4\n\nAfter this group of attackers gains access to a network, security researchers say they often practice living-off-the-land tactics, which refers to using legitimate tools to try to better evade detection. 
\"Once an attacker gains a\r\nfoothold through the remote access system, they then use tools such as Mimikatz, PsExec and Cobalt Strike to\r\nelevate privileges, move laterally across a network and establish persistence on the network,\" CERT NZ says.\r\nMimikatz is an open-source tool for extracting credentials - plaintext passwords, password hashes and Kerberos tickets - from Windows memory; PsExec is a Microsoft Sysinternals command-line tool for running processes on remote Windows hosts, which makes it a convenient lateral-movement vehicle for an attacker who already holds valid credentials; and Cobalt Strike is a commercial adversary-simulation and penetration-testing framework comparable to Metasploit. Experts say these tools and tactics are used by a number of\r\nmore sophisticated attackers (see: 10 Ransomware Strains Being Used in Advanced Attacks).\r\nData Exfiltration, Then Ransomware\r\nAfter gaining entry to a network, the attackers in this campaign have been searching for sensitive data and\r\nexfiltrating it, after which they install crypto-locking malware on as many network-connected systems as possible,\r\nCERT NZ says. While this has included Nefilim ransomware, it notes that \"other ransomware can also be used.\"\r\nIn terms of the exposed services being targeted, CERT NZ says that RDP servers with weak credentials, and\r\nespecially RDP or other remote-access systems not protected by MFA, are at risk (see: Why Are We So\r\nStupid About RDP Passwords?). 
But it also notes that \"Citrix remote access technologies have been reported as a\r\ncommon way for attackers to gain access,\" referencing CVE-2019-19781, a path traversal vulnerability in Citrix Application Delivery Controller and Citrix Gateway (formerly NetScaler) that allows unauthenticated remote code execution on the appliance. The flaw was disclosed last December, and Citrix shipped fixed firmware in January amid reports that it was being widely exploited.\r\nOn Thursday, CISA published its own threat advisory about the Nefilim ransomware campaign, linking to the\r\nNew Zealand alert, as well as referencing CISA's best practices for protecting against ransomware.\r\nNefilim: Closed Shop\r\nSecurity experts say that unlike ransomware-as-a-service operations such as REvil, aka Sodinokibi, in which\r\noperators provide ransomware code to affiliates and split profits, Nefilim appears to be run as a closed shop by a\r\nsingle gang.\r\n\"Nefilim emerged in March 2020 and shares a substantial portion of code with another ransomware family,\r\nNemty,\" security firm AlienVault notes. \"Nefilim is another family which has very quickly risen to prominence\r\nwith multiple damaging campaigns that threaten to publish victims’ sensitive information in the event they fail to\r\n‘cooperate’ with the attacker’s demands.\"\r\nExfiltrating data and threatening to publish it in order to force victims to pay was pioneered by the Maze gang last November. Since\r\nthen, about a dozen other RaaS operators and ransomware gangs have followed suit (see: Crypto-Lock and Tell:\r\nRansomware Gangs Double Down on Leaks).\r\nNefilim ransom note (Source: SentinelLabs)\r\nOne of the most high-profile attacks to date by Nefilim was against Australian shipping giant Toll Group, which\r\nfirst publicized the attack on May 5. Roughly three months earlier, at the end of January, Toll Group had fallen victim to a Mailto - aka Netwalker -\r\nransomware attack, which disrupted operations for weeks. 
In both cases, Toll Group refused to pay a ransom.\r\nIn response, Nefilim began leaking stolen Toll Group data and said on its dedicated leaks site that Toll Group had\r\nfailed to fully shore up defenses following the Mailto hit (see: Toll Group Data Leaked Following Second\r\nRansomware Incident).\r\nWatch for Lateral Movement\r\nTo ascertain if an organization has been hit by Nefilim, \"check your remote-access systems for any sign of\r\nunauthorized access,\" CERT NZ advises. \"If any unauthorized access is detected, further investigation will be\r\nrequired to determine any lateral movement across the network.\"\r\nTrend Micro, in an analysis of an attempted attack by the Nefilim gang against one of its customers in March,\r\nnoted that among the various tricks and tactics used, the attackers relied on PsExec to remotely execute\r\ncommands on hosts in the victim's network, and that they spent time moving around the network well in advance\r\nof attempting to deploy ransomware.\r\n\"What can be observed from this incident is that the threat actors behind it are not just relying on Nefilim alone,\"\r\nTrend Micro said in its analysis. \"They might already have exfiltrated the data even before they launched a full-on\r\nransomware attack.\"\r\nThat's why detecting these attackers as early as possible is imperative. Because the data is stolen before the ransomware runs, a detection that fires only on the encryption payload comes too late; one way to spot these intrusions earlier is to watch not just for attack code, but also for \"any evidence of lateral movement and data exfiltration\r\nwithin the environment,\" Trend Micro said. \"An attack’s point of entry may not be where the important data is\r\nfound; therefore, threat actors would need to be able to move around within the environment (host-to-host) to get\r\nto the parts of the system where the juicier data is stored. 
Being able to identify unusual outbound traffic patterns\r\nfor hosts (host-to-external) is equally important, as this represents potential data exfiltration.\"\r\nData Breach Risk\r\nAs with other ransomware gangs that now practice data exfiltration, Nefilim attackers' focus on stealing data\r\nbefore encrypting systems means that organizations typically don't just need to recover from a ransomware\r\noutbreak, but also need to ascertain what data was stolen.\r\nUnder breach-notification rules in place in numerous countries, including state-level laws across the U.S. as well as in Europe under\r\nthe EU's General Data Protection Regulation, if certain types of personal or financial information are accessed by\r\nattackers, the organization may need to report the breach to authorities and potentially also send breach\r\nnotifications to affected individuals.\r\nResearchers at SentinelLabs, the research division of SentinelOne, say the Nefilim gang threatens to leak stolen\r\ndata unless victims cooperate, and it historically has viewed any attempt to negotiate down the size of the\r\ndemanded ransom payment as failing to cooperate.\r\n\"While Maze, DoppelPaymer and REvil [aka Sodinokibi] tend to get the bulk of media coverage, Nephilim is\r\nanother family which has very quickly risen to prominence with multiple, damaging campaigns that threaten to\r\npublish victims’ sensitive information in the event they fail to ‘cooperate’ with the attacker’s demands,\"\r\nSentinelLabs notes.\r\nPatch or Perish\r\nThe Nefilim gang isn't the first to target the vulnerability in Citrix gateway devices, CVE-2019-19781, which was disclosed\r\nlast December and patched in January. 
When the patches were released, both the U.K.'s National Cyber Security Centre and\r\nCISA issued alerts urging all Citrix users to install the security updates to mitigate the exploitable flaw.\r\n\"The NCSC and CISA have observed actors scanning for publicly known vulnerabilities in Citrix ... and [we]\r\ncontinue to investigate multiple instances of this vulnerability's exploitation,\" the agencies said in a joint alert\r\nissued in April.\r\nIn May, CISA and the NCSC issued another joint alert, warning that APT attackers were targeting the websites of\r\nmultiple organizations - including in the healthcare sector and other organizations providing essential services - in\r\nsearch of known vulnerabilities in as-yet-unpatched software. \"Actors are known to take advantage of Citrix\r\nvulnerability CVE-2019-19781 and vulnerabilities in virtual private network products from Pulse Secure, Fortinet\r\nand Palo Alto,\" the alert said (see: Alert: APT Groups Targeting COVID-19 Researchers).\r\nU.S. and U.K. security and intelligence agencies issued a similar alert for users of Pulse Secure, Fortinet and Palo\r\nAlto products in October 2019, warning that months after patches had been released to fix easily exploitable flaws\r\nin these remote-access products, many organizations had yet to apply the security updates and that the flaws were being actively\r\nexploited by both crime gangs and nation-state attackers (see: Unpatched VPN Servers Hit by Apparent Iranian\r\nAPT Groups).\r\nSource: https://www.govinfosecurity.com/nephilim-ransomware-gang-tied-to-citrix-gateway-hacks-a-14480",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.govinfosecurity.com/nephilim-ransomware-gang-tied-to-citrix-gateway-hacks-a-14480"
	],
	"report_names": [
		"nephilim-ransomware-gang-tied-to-citrix-gateway-hacks-a-14480"
	],
	"threat_actors": [],
	"ts_created_at": 1775434027,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84f2f4a4077bfeb719ea7a54477037dcffdca667.pdf",
		"text": "https://archive.orkl.eu/84f2f4a4077bfeb719ea7a54477037dcffdca667.txt",
		"img": "https://archive.orkl.eu/84f2f4a4077bfeb719ea7a54477037dcffdca667.jpg"
	}
}