NEFILIM Ransomware

NEFILIM is a newly observed ransomware tool that appears to be a fork of the well-known Nemty 2.5 ransomware-as-a-service. However, unlike Nemty, NEFILIM appears to use basic email communications for affiliate payments.

Threat ID:: CC-3396
Category:: Ransomware
Threat Severity:: Low
Threat Vector:
Published:: 19 March 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - all versions

Threat details

At the time of publication, it is unclear how NEFILIM is delivered, although there are unconfirmed reports indicating it may be distributed via exposed Remote Desktop Services applications.

Once installed, NEFILIM will attempt to encrypt all local, non-system files using an AES-128 algorithm, the key for which is then itself encrypted using RSA-2048 and added to each encrypted file. NEFILIM's operators also claim to extract files before encryption, although there appears to be no evidence of this at the current time.

Remediation steps

Type	Step
	If a device on your network becomes infected with ransomware it will begin encrypting files the logged-in user has permission to modify, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup. Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages. To reduce the likelihood of infection by ransomware, NHS Digital advises that: Secure configurations are applied to all devices. Security updates are applied at the earliest opportunity. Tamper protection settings in security products are enabled where available. Obsolete platforms are segregated from the rest of the network. IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments. Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts. Administrative accounts are only used for necessary purposes. Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations. Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible. To limit the impact of a ransomware infection, NHS Digital advises that: Critical data is frequently saved in multiple backup locations. At least one backup is kept offline at any time (separated from live systems). Backups and incident recovery plans are tested to ensure that data can be restored when needed. User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary. Infected systems are disconnected from the network and powered down as soon as practicable. Any user account credentials that may have been compromised should be reset on a clean device. Where infected systems cannot be quarantined with confidence, then an affected organisation should disconnect from national networks to limit propagation. If Remote Desktop Protocol (RDP) is not used, then ensure port 3389 (TCP/UDP) is blocked at your internet firewall. If RDP is used, then: Ensure network level authentication is enabled. Only allow access for authorised RDP users. Enforce strong password policies. Enforce multi-factor authentication. Don't allow RDP access for privileged user accounts. Don’t use generic accounts. Set user accounts with an expiry date. Audit user accounts periodically. Only allow point-to-point connections from specific IP addresses where feasible. Ensure Transport Layer Security (TLS) is up-to-date. Log and monitor all RDP activity and investigate unusual behaviour. Consider only allowing RDP for authorised virtual private network (VPN) connections.

Type

Step

If a device on your network becomes infected with ransomware it will begin encrypting files the logged-in user has permission to modify, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

To reduce the likelihood of infection by ransomware, NHS Digital advises that:

Secure configurations are applied to all devices.
Security updates are applied at the earliest opportunity.
Tamper protection settings in security products are enabled where available.
Obsolete platforms are segregated from the rest of the network.
IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
Administrative accounts are only used for necessary purposes.
Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

To limit the impact of a ransomware infection, NHS Digital advises that:

Critical data is frequently saved in multiple backup locations.
At least one backup is kept offline at any time (separated from live systems).
Backups and incident recovery plans are tested to ensure that data can be restored when needed.
User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary.
Infected systems are disconnected from the network and powered down as soon as practicable.
Any user account credentials that may have been compromised should be reset on a clean device.
Where infected systems cannot be quarantined with confidence, then an affected organisation should disconnect from national networks to limit propagation.

If Remote Desktop Protocol (RDP) is not used, then ensure port 3389 (TCP/UDP) is blocked at your internet firewall. If RDP is used, then:

Ensure network level authentication is enabled.
Only allow access for authorised RDP users.
Enforce strong password policies.
Enforce multi-factor authentication.
Don't allow RDP access for privileged user accounts.
Don’t use generic accounts.
Set user accounts with an expiry date.
Audit user accounts periodically.
Only allow point-to-point connections from specific IP addresses where feasible.
Ensure Transport Layer Security (TLS) is up-to-date.
Log and monitor all RDP activity and investigate unusual behaviour.
Consider only allowing RDP for authorised virtual private network (VPN) connections.

Indicators of compromise

Main indicators

Filenames

NEFILIM-DECRYPT.txt
NEPHILIM-DECRYPT.txt

Extensions

.Nefilim
.NEFILIM
.NEPHILIM

Email Addresses

jamesgonzaleswork1972@protonmail[.]com
pretty_hardjob2881@mail[.]com
dprworkjessiaeye1955@tutanota[.]com

SHA1 File Hashes

0d339d08a546591aab246f3cf799f3e2aaee3889
1f594456d88591d3a88e1cdd4e93c6c4e59b746c
2483dc7273b8004ecc0403fbb25d8972470c4ee4
4595cdd47b63a4ae256ed22590311f388bc7a2d8
6c9ae388fa5d723a458de0d2bea3eb63bc921af7
9770fb41be1af0e8c9e1a69b8f92f2a3a5ca9b1a
bbcb2354ef001f476025635741a6caa00818cbe7
Bd59d7c734ca2f9cbaf7f12bc851f7dce94955d4
c61f2cdb0faf31120e33e023b7b923b01bc97fbf
d87847810db8af546698e47653452dcd089c113e
d87847810db8af546698e47653452dcd089c113e
e53d4b589f5c5ef6afd23299550f70c69bc2fe1c
E94089137a41fd95c790f88cc9b57c2b4d5625ba
e99460b4e8759909d3bd4e385d7e3f9b67aa1242
f246984193c927414e543d936d1fb643a2dff77b

SHA256 File Hashes

08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641
3080b45bab3f804a297ec6d8f407ae762782fa092164f8ed4e106b1ee7e24953
353ee5805bc5c7a98fb5d522b15743055484dc47144535628d102a4098532cd5
35a0bced28fd345f3ebfb37b6f9a20cc3ab36ab168e079498f3adb25b41e156f
3bac058dbea51f52ce154fed0325fd835f35c1cd521462ce048b41c9b099e1e5
52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea
5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6
5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6
7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599
7de8ca88e240fb905fc2e8fd5db6c5af82d8e21556f0ae36d055f623128c3377
8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2b
b227fa0485e34511627a8a4a7d3f1abb6231517be62d022916273b7a51b80a17
b8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e
B8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e
D4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3
fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020

Last edited: 29 June 2021 12:01 pm