{
	"id": "8a95a3b6-08b7-450d-81f3-55d7fa84784d",
	"created_at": "2026-04-06T00:11:32.171399Z",
	"updated_at": "2026-04-10T03:20:20.027079Z",
	"deleted_at": null,
	"sha1_hash": "fad87dd853e6d256a71116e07c8fbd8a74e3f26f",
	"title": "An Analysis of the Nefilim Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48451,
	"plain_text": "An Analysis of the Nefilim Ransomware\r\nBy: Janus Agcaoili, Byron Gelera Feb 23, 2021 Read time: 2 min (611 words)\r\nPublished: 2021-02-23 · Archived: 2026-04-05 18:58:23 UTC\r\nNefilim is among the notable ransomware variants that use double extortion tactics in their\r\ncampaigns. First discovered in March 2020, Nefilim threatens to\r\nrelease victims’ stolen data to coerce them into paying the ransom. Aside from its use of this tactic, another notable\r\ncharacteristic of Nefilim is its similarity to Nemty; in fact, it is believed to be an evolved version of the older\r\nransomware.\r\nWe provide a brief analysis of this active ransomware and how to defend systems against it.\r\nTechnical Details\r\nInitial access\r\nFor its initial access, the threat actors behind Nefilim make use of various affiliates to spread their malware. These\r\naffiliates use various methods. Based on previous attacks, Nefilim has been largely known to reach systems via\r\nexposed RDP services. Some affiliates also use other known vulnerabilities for initial access. This is supported by various\r\nreports, from which we found the use of the Citrix vulnerability (CVE-2019-19781) and of unsecured, brute-forced\r\nRDP to enter a system.\r\nNefilim has also been seen using third-party tools to gather credentials, including Mimikatz, LaZagne, and NirSoft’s\r\nNetPass. The stolen credentials are used to reach high-value machines like servers.\r\nOnce inside a victim system, the attackers begin to drop and execute their components, such as anti-antivirus tools,\r\nexfiltration tools, and finally Nefilim itself.\r\nLateral movement on the network\r\nThe attackers make use of several legitimate tools for lateral movement. For example, they use PsExec or Windows\r\nManagement Instrumentation (WMI) for lateral movement, dropping and executing other components including\r\nthe ransomware itself.
Nefilim has been observed to use a batch file for terminating certain processes and services.\r\nIt even uses third-party tools like PC Hunter, Process Hacker, and Revo Uninstaller to terminate antivirus-related\r\nprocesses, services, and applications. It also uses AdFind, BloodHound, or SMBTool to identify Active Directory objects\r\nand/or machines that are connected to the domain.\r\nData exfiltration\r\nA notable aspect of recent ransomware variants is their data exfiltration capability. Nefilim has been\r\nobserved to copy data from servers or shared directories to a local directory and to archive it using 7-Zip. It\r\nthen uses MEGAsync to exfiltrate this data.\r\nDefending systems against ransomware\r\nhttps://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html\r\nPage 1 of 3\n\nCampaigns that are similar to Nefilim spend a lot of time between the initial breach and the start of serious lateral\r\nmovement. However, as soon as lateral movement begins, the threat actors work quickly. They prioritize moving\r\nbetween hosts and exfiltrating data. Therefore, organizations can consider limiting the number of computers that\r\ncan be leveraged during a lateral movement phase. This involves solutions such as utilizing two-factor authentication (2FA) wherever possible, implementing application safelisting, and practicing least privilege\r\nsecurity.\r\nWith regard to defending systems against the threat of Nefilim, best practices still apply. It is best to work on\r\ndefenses that prevent the lateral movement of similar attacks. Organizations should consider the use of canary file-based monitoring, encryption monitoring, and process killing. Other best practices to review include the following:\r\n\r\nAvoid opening unverified emails or clicking on their embedded links, as these can start the ransomware\r\ninstallation process.
\r\n\r\nBack up your important files using the 3-2-1 rule: Create three backup copies on two different file formats,\r\nwith one of the backups in a separate location.\r\n\r\nRegularly update software, programs, and applications to ensure that your apps are current, with the latest\r\nprotections from new vulnerabilities.\r\nIf you believe that your organization has been affected by this campaign, visit this page for the\r\navailable Trend Micro solutions that can help detect and mitigate any risks from this campaign.\r\nIndicators of Compromise (IOCs)\r\nSHA256 Detection name\r\n08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641 Ransom.Win32.NEFILIM.A\r\n205ddcd3469193139e4b93c8f76ed6bdbbf5108e7bcd51b48753c22ee6202765 Ransom.Win32.NEFILIM.D\r\n5da71f76b9caea411658b43370af339ca20d419670c755b9c1bfc263b78f07f1 Ransom.Win32.NEFILIM.D\r\n7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599 Ransom.Win32.NEFILIM.C\r\neacbf729bb96cf2eddac62806a555309d08a705f6084dd98c7cf93503927c34f Ransom.Win32.NEFILIM.G\r\nee9ea85d37aa3a6bdc49a6edf39403d041f2155d724bd0659e6884746ea3a250 Trojan.Win64.NEFILIM.A\r\nf51f128bca4dc6b0aa2355907998758a2e3ac808f14c30eb0b0902f71b04e3d5 Ransom.Win32.NEFILIM.D\r\nfdaefa45c8679a161c6590b8f5bb735c12c9768172f81c930bb68c93a53002f7 Ransom.Win32.NEFILIM.D\r\nSource: https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html"
	],
	"report_names": [
		"nefilim-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434292,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fad87dd853e6d256a71116e07c8fbd8a74e3f26f.pdf",
		"text": "https://archive.orkl.eu/fad87dd853e6d256a71116e07c8fbd8a74e3f26f.txt",
		"img": "https://archive.orkl.eu/fad87dd853e6d256a71116e07c8fbd8a74e3f26f.jpg"
	}
}