{
	"id": "ac1058dc-9eb0-45b0-884d-676153b1d308",
	"created_at": "2026-04-06T00:07:31.914133Z",
	"updated_at": "2026-04-10T03:20:51.930327Z",
	"deleted_at": null,
	"sha1_hash": "fd0b52dce7283d4c672e2a669b7ed38197f27ec9",
	"title": "New Nefilim Ransomware Threatens to Release Victims' Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 818159,
	"plain_text": "New Nefilim Ransomware Threatens to Release Victims' Data\r\nBy Lawrence Abrams\r\nPublished: 2020-03-17 · Archived: 2026-04-05 12:46:24 UTC\r\nA new ransomware called Nefilim that shares much of the same code as Nemty has started to become active in the wild and\r\nthreatens to release stolen data.\r\nNefilim became active at the end of February 2020 and while it not known for sure how the ransomware is being distributed,\r\nit is most likely through exposed Remote Desktop Services.\r\nHead of SentinelLabs Vitali Kremez and ID Ransomware's Michael Gillespie both told BleepingComputer that Nefilim and\r\nNemty 2.5 share much of the same code.\r\nhttps://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nThe main difference is that Nefilim has removed the Ransomware-as-a-Service (RaaS) component and now relies on email\r\ncommunications for payments rather than a Tor payment site.\r\nIt is not known if this is a fork of their ransomware from the original operators or if new threat actors obtained the source\r\ncode to release a new version.\r\nNefilim threatens to release data\r\nIn the Nefilim ransom note, the attackers state that if a user does not pay the ransom in seven days they will release data that\r\nwas stolen from the network.\r\nA large amount of your private files have been extracted and is kept in a secure location.\r\nIf you do not contact us in seven working days of the breach we will start leaking the data.\r\nAfter you contact us we will provide you proof that your files have been extracted.\r\nIn the past, this would have been seen as an empty threat, but with ransomware infections such as Maze, Sodinokibi,\r\nDoppelPaymer, and Nemty all following through with their threats, it should no longer be 
ignored.\r\nThe Nefilim encryption process\r\nWhen encrypting files, Nefilim will encrypt a file using AES-128 encryption. This AES encryption key will then be\r\nencrypted by an RSA-2048 public key that is embedded in the ransomware executable.\r\nThis encrypted AES key will then be added to the contents of each encrypted file and can only be decrypted by the RSA\r\nprivate key known to the ransomware developers.\r\nFor each encrypted file, Nefilim will append the .NEFILIM extension to the file name. For example, a file called 1.doc\r\nwould be encrypted and named 1.doc.NEFILIM.\r\nFiles encrypted by the Nefilim Ransomware\r\nIn addition to the encrypted AES key, the ransomware will also add the \"NEFILIM\" string as a file marker to all encrypted\r\nfiles as shown below.\r\nNEFILIM file marker\r\nWhen done, a ransom note named NEFILIM-DECRYPT.txt will be created throughout the system that contains\r\ninstructions on how to contact the ransomware developers.\r\nThis ransom note contains different contact emails and the threat that they will leak data if a ransom is not paid within seven\r\ndays of the \"breach\".\r\nUnfortunately, a brief analysis by Gillespie indicates that this ransomware appears to be secure, which means that there is no\r\ncurrent way to recover files for free.\r\nThe ransomware, though, is still being researched and if new weaknesses are found we will publish updated information.\r\nIOCs\r\nHashes:\r\n5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6\r\nAssociated files:\r\nNEFILIM-DECRYPT.txt\r\nAssociated emails:\r\njamesgonzaleswork1972@protonmail.com\r\npretty_hardjob2881@mail.com\r\ndprworkjessiaeye1955@tutanota.com\r\nRansom note text:\r\nAll of your files have been encrypted 
with military grade algorithms.\r\nWe ensure that the only way to retrieve your data is with our software.\r\nWe will make sure you retrieve your data swiftly and securely when our demands are met.\r\nRestoration of your data requires a private key which only we possess.\r\nA large amount of your private files have been extracted and is kept in a secure location.\r\nIf you do not contact us in seven working days of the breach we will start leaking the data.\r\nAfter you contact us we will provide you proof that your files have been extracted.\r\nTo confirm that our decryption software works email to us 2 files from random computers.\r\nYou will receive further instructions after you send us the test files.\r\njamesgonzaleswork1972@protonmail.com\r\npretty_hardjob2881@mail.com\r\ndprworkjessiaeye1955@tutanota.com\r\nSource: https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/"
	],
	"report_names": [
		"new-nefilim-ransomware-threatens-to-release-victims-data"
	],
	"threat_actors": [],
	"ts_created_at": 1775434051,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd0b52dce7283d4c672e2a669b7ed38197f27ec9.pdf",
		"text": "https://archive.orkl.eu/fd0b52dce7283d4c672e2a669b7ed38197f27ec9.txt",
		"img": "https://archive.orkl.eu/fd0b52dce7283d4c672e2a669b7ed38197f27ec9.jpg"
	}
}