{
	"id": "64978807-f61a-4361-912b-e1d024e5d63c",
	"created_at": "2026-04-06T00:08:14.674753Z",
	"updated_at": "2026-04-10T03:20:44.993808Z",
	"deleted_at": null,
	"sha1_hash": "8d8b5b33d21340fbf2062b65b9f254fa1e8d1879",
	"title": "Nefilim Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1091510,
	"plain_text": "Nefilim Ransomware\r\nBy Bajrang Mane\r\nPublished: 2021-05-12 · Archived: 2026-04-05 20:30:34 UTC\r\nOver the past year there has been a rise in extortion malware that focuses on stealing sensitive data and threatening to publish the data unless a ransom is paid. This technique bypasses some of the mitigations put in place, such as backups, which would otherwise allow IT organizations to recover data without having to pay such a ransom. One of the more popular ransomware families to switch to this extortion tactic over the last few months was Nefilim.\r\nNefilim ransomware emerged in March 2020, when the Nemty operators quit the ransomware-as-a-service model to concentrate their energy on more targeted attacks with more focused resources. The author of the Nemty ransomware also appears to have shared Nemty’s source code with others. According to Vitali Kremez and ID Ransomware’s Michael Gillespie, the new Nefilim ransomware appears to be based on Nemty’s code. Sharing many notable similarities with Nemty version 2.5, Nefilim has the capability to move laterally within networks.\r\nNefilim targets vulnerabilities such as CVE-2019-11634 and CVE-2019-19781 in Citrix gateway devices, identified in December 2019 and patched in January 2020. The hackers target organizations using unpatched or poorly secured Citrix remote-access technology, stealing data and then deploying ransomware.\r\nNefilim attackers exfiltrate sensitive data before encryption. When ransoms are not paid, they have been known to shame victims by posting their data on the dark web.\r\nTechnical Details\r\nInitial access\r\nNefilim ransomware is distributed through exposed Remote Desktop Protocol (RDP) setups, which are brute-forced, and through other known vulnerabilities used for initial access, i.e. the vulnerabilities in Citrix gateway devices. 
Nefilim places a heavy emphasis on Remote Desktop Protocol.\r\nOnce an attacker gains a foothold on the victim system, the attacker drops and executes its components, such as anti-antivirus tools, exfiltration tools, and finally Nefilim itself.\r\nLateral Movement\r\nAmong the various tactics and techniques used by the attackers, they rely on tools such as PsExec to remotely execute commands in their victims’ networks. Nefilim has also been seen using other tools to gather credentials, including Mimikatz, LaZagne, and NirSoft’s NetPass. It uses batch files to stop services and kill processes, as shown in the images below, and the stolen credentials are used to reach high-value machines such as servers. The hackers move around the network before deploying their ransomware to find out where the most valuable data may be stored. They exfiltrate sensitive data before encryption.\r\nSome of the commands executed by the attacker:\r\nStart copy kill.bat \\destinationip\\c$\\windows\\temp\r\nhttps://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware\r\nPage 1 of 7\r\nStart psexec.exe \\destinationip -u domain\\username\\ -p password -d -h -r mstdc -s -accepteula -nobanner c:\\win\r\nStart psexec.exe -accepteula \\destinationip -u domain\\username\\ -p password reg add HKLM\\software\\Microsoft\\Wi\r\nWMIC /node: \\destinationip /username:”domain\\username” /password:”password” process CALL CREATE “cmd.exe /c co\r\nWMIC /node: \\destinationip /username:”domain\\username” /password:”password” process CALL CREATE “cmd.exe /c C\r\nThe images below show a batch file used to stop services and kill processes.\r\nFig. 1 Stopping Services\r\nFig. 2 Killing Process\r\nData exfiltration\r\nIt copies data from servers and shared directories to a local directory and compresses it with a dropped 7-Zip binary. 
It also drops and installs MegaSync to exfiltrate data.\r\nRansomware Execution\r\nThe Nefilim malware uses AES-128 encryption to lock files, and blackmail payments are made via email. After encryption, it drops a ransom note named ‘NEFILIM-DECRYPT.txt’. All files are encrypted with the extension .NEFILIM. It appends the AES-encrypted key at the end of each encrypted file. This AES encryption key is itself encrypted with an RSA-2048 public key that is embedded in the ransomware executable. In addition to the encrypted AES key, the ransomware also adds the “NEFILIM” string as a file marker to all encrypted files.\r\nFig. 3 Crypto APIs in Nefilim IOC\r\nIn the image below, the malware creates a mutex.\r\nFig. 4 Creating Mutex\r\nSome of the anti-debugging techniques: the ransomware uses anti-debugging by calling the IsDebuggerPresent function, which detects whether the calling process is being debugged by a user-mode debugger. It also makes use of the GetTickCount / QueryPerformanceCounter APIs to get the number of ticks since the last system reboot: it takes a timestamp and compares it to another one taken after a few malicious instructions, in order to check whether there was a delay.\r\nFig. 5 Anti debugging API\r\nFig. 6 Anti debugging API\r\nShell execute: Nefilim deletes itself from the target system after infection with the help of the ShellExecute API:\r\n\"C:\\Windows\\System32\\cmd.exe\" /c timeout /t 3 /nobreak \u0026\u0026 del \"C:\\Users\\admin\\Download{ransomware_filename}.ex\r\nFig. 7 Self Deletion\r\nHigh-Profile Attacks Taking a Toll\r\nNefilim’s highest-profile ransomware attack to date was against the Australian shipping organization Toll Group. The attack was first published on May 5, 2020. 
Two months previously, Toll Group had been the victim of a Netwalker ransomware attack. In both cases, Toll Group refused to pay the ransom. In response, Nefilim leaked sensitive Toll Group data and publicized that Toll Group had failed to employ full cybersecurity protocols even after the Netwalker attack, potentially leaving the organization vulnerable to more attacks. This demonstrates how Nefilim keeps the pressure on its victims to pay ransoms.\r\nMitigation or Additional Important Safety Measures\r\nNetwork\r\nKeep strong and unique passwords for login accounts.\r\nDisable RDP if it is not used. If it is required, change the RDP port to a non-standard port.\r\nConfigure the firewall in the following way:\r\nDeny access from public IPs to important ports (in this case RDP port 3389).\r\nAllow access only from IPs that are under your control.\r\nUse a VPN to access the network instead of exposing RDP to the Internet. Where possible, implement Two-Factor Authentication (2FA).\r\nSet a lockout policy that hinders credential guessing.\r\nCreate a separate network folder for each user when managing access to shared network folders.\r\nTake regular data backups\r\nProtect systems from ransomware by backing up important files regularly and keeping a recent backup copy offline. Encrypt your backups.\r\nIf your computer gets infected with ransomware, your files can be restored from the offline backup once the malware has been removed.\r\nAlways use a combination of online and offline backups.\r\nDo not keep offline backups connected to your system, as this data could be encrypted when ransomware strikes.\r\nKeep software updated\r\nAlways keep your security software (antivirus, firewall, etc.) 
up to date to protect your computer from new variants of malware.\r\nRegularly patch and update applications, software, and operating systems to address any exploitable software vulnerabilities.\r\nDo not download cracked or pirated software, as it risks providing a backdoor for malware into your computer.\r\nAvoid downloading software from untrusted P2P or torrent sites. In most cases, such downloads are malicious software.\r\nUse the minimum required privileges\r\nDon’t assign Administrator privileges to users. Most importantly, do not stay logged in as an administrator unless it is strictly necessary. Also, avoid browsing, opening documents, or other regular work activities while logged in as an administrator.\r\nMonitor for Lateral Movement\r\nTo spot these attacks, keep an eye out not only for attack code but also for any evidence of lateral movement and data exfiltration within the environment. To determine whether an organization has been hit by Nefilim, check remote-access systems for any signs of unauthorized access. 
To identify potential data exfiltration, additionally look for unusual outbound traffic patterns from hosts.\r\nNefilim TTP Map\r\nInitial Access: Exploit Public-Facing Application (T1190)\r\nExecution: Native API (T1106)\r\nDefense Evasion: File Deletion (T1070.004); Impair Defenses: Disable or Modify Tools (T1562.001)\r\nCredential Access: OS Credential Dumping (T1003)\r\nDiscovery: Software Discovery: Security Software Discovery (T1518.001); Remote System Discovery (T1018); System Information Discovery (T1082); File and Directory Discovery (T1083)\r\nLateral Movement: Lateral Tool Transfer (T1570)\r\nExfiltration: Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)\r\nImpact: Data Encrypted for Impact (T1486); Inhibit System Recovery (T1490)\r\nIndicators of Compromise 
(IOCs)\r\nSHA256\r\n8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2bb8066b7ec376bc5928d78693d236dbf47414571df05f81\r\nReferences\r\nhttps://www.zdnet.com/article/nemty-ransomware-operation-shuts-down/\r\nhttps://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/\r\nhttps://www.bleepingcomputer.com/news/security/nemty-ransomware-punishes-victims-by-posting-their-stolen-data/\r\nhttps://www.trendmicro.com/vinfo/au/security/news/cybercrime-and-digital-threats/updated-analysis-on-nefilim-ransomware-s-behavior\r\nhttps://www.bankinfosecurity.com/blogs/toll-group-data-leaked-following-second-ransomware-incident-p-2902\r\nhttps://www.tollgroup.com/toll-it-systems-updates\r\nhttps://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks\r\nSource: https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware"
	],
	"report_names": [
		"nefilim-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434094,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d8b5b33d21340fbf2062b65b9f254fa1e8d1879.pdf",
		"text": "https://archive.orkl.eu/8d8b5b33d21340fbf2062b65b9f254fa1e8d1879.txt",
		"img": "https://archive.orkl.eu/8d8b5b33d21340fbf2062b65b9f254fa1e8d1879.jpg"
	}
}