Nefilim was first spotted in March 2020, after the Nemty affiliate program started in August 2019.
Because Nemty and the first Nefilim samples show great similarity in code structure, operation and threat actors, it is believed that Nefilim is the updated version of Nemty, and user Jsworm has started to be inactive.
- The threat actors behind NEFILIM hire a variety of affiliates for their initial access and offer a 70-30 share to every affiliate. Most affiliates use compromised RDP to access a network, while some exploit known vulnerabilities.
- From what was observed or reported:
  - Exploitation of the Citrix vulnerability (CVE-2019-19781)
  - Valid accounts, insecure RDP and brute-forced RDP lead to RDP access, followed by the dropping and execution of other components such as the anti-AV and exfiltration tools, and finally Nefilim.
Lateral Movement, Discovery and Defense Evasion
- The attackers make use of PsExec or WMI for lateral movement and for dropping and executing other components and the ransomware itself. They were observed to use a batch file that terminates certain processes and services, as well as third-party tools like PCHunter, ProcessHacker and RevoUninstaller. They also use AdFind, BloodHound or SMBTool to identify Active Directory and/or machines connected to the domain.
- Third-party tools such as Mimikatz, LaZagne and NirSoft’s net pass viewer (NetPass) were observed being used to gather credentials.
- One attack was observed to use MegaSync to exfiltrate stolen files archived using 7zip.
- The ransomware payload itself has not changed much since; after execution it proceeds with its encryption routine.
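An added example (not Trend Micro's code or detection logic): since several of the tools listed above are also used by administrators, this sketch alerts only when tools from several stages run on one host within a short window. The executable names, CSV layout, 24-hour window and three-stage threshold are assumptions, and the sample events are constructed.

```python
import csv, io, ntpath
from datetime import datetime, timedelta

# Default executable names (assumed) for tools the article lists, grouped by stage.
# Renamed binaries will not match; SMBTool is omitted (no file name on the page).
STAGES = {
    "defense_evasion": {"pchunter32.exe", "pchunter64.exe", "processhacker.exe", "revounin.exe"},
    "discovery": {"adfind.exe", "sharphound.exe"},  # SharpHound = BloodHound collector
    "credential_access": {"mimikatz.exe", "lazagne.exe", "netpass.exe"},
    "lateral_movement": {"psexec.exe", "psexec64.exe"},
    "exfiltration": {"7z.exe", "7za.exe", "megasync.exe"},
}
TOOL_STAGE = {name: stage for stage, names in STAGES.items() for name in names}

def stage_of(image_path):
    """Map a process image path to a stage, or None if it is not a listed tool."""
    return TOOL_STAGE.get(ntpath.basename(image_path).lower())

def correlate(events_csv, window=timedelta(hours=24), min_stages=3):
    """Return {host: stages} for hosts with >= min_stages distinct stages in one window."""
    per_host = {}
    for row in csv.DictReader(io.StringIO(events_csv)):
        stage = stage_of(row["image"])
        if stage:
            when = datetime.fromisoformat(row["time"])
            per_host.setdefault(row["host"], []).append((when, stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {s for t, s in hits[i:] if t - start <= window}
            if len(seen) >= min_stages:  # a cluster of stages, not one admin tool
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed process-creation events (hypothetical hosts, not from a real incident).
SAMPLE = r"""time,host,image
2024-01-10T01:12:00,FS01,C:\Users\Public\AdFind.exe
2024-01-10T01:40:00,FS01,C:\Users\Public\mimikatz.exe
2024-01-10T02:05:00,FS01,C:\Temp\PsExec64.exe
2024-01-10T03:30:00,FS01,C:\Program Files\7-Zip\7z.exe
2024-01-10T03:45:00,FS01,C:\Users\Public\MEGAsync.exe
2024-01-01T09:00:00,ADM02,C:\Tools\PsExec.exe
2024-01-05T09:00:00,ADM02,C:\Tools\AdFind.exe
2024-01-09T09:00:00,ADM02,C:\Program Files\7-Zip\7z.exe
2024-01-10T08:00:00,WS07,C:\Windows\System32\svchost.exe
"""
```

`correlate(SAMPLE)` flags only FS01; ADM02 runs the same kinds of tools but days apart, so it stays below the threshold until the window is widened.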
Current infection flow based on available data and research regarding other variants/incidents related to Nefilim:
| Detection/Policy/Rules | Pattern Branch/Version | Release Date / Last Update |
|---|---|---|
| Ransom.Win32.NEFILIM.A | 15.740.01 | March 12, 2020 |
| Ransom.Win32.NEFILIM.C | 15.751.00 | March 18, 2020 |
| Ransom.Win32.NEFILIM.AC | 16.480.00 | January 16, 2021 |
| Ransom.Win32.NEFILIM.D | 15.753.00 | March 19, 2020 |
| Ransom.Win32.NEFILIM.L | 16.250.00 | September 26, 2020 |
| Ransom.Win32.NEFILIM.G | 15.847.00 | May 4, 2020 |
| Ransom.Win32.NEFILIM.E | 15.852.00 | April 22, 2020 |
| Ransom.Win32.NEFILIM.A | 15.739.00 | March 12, 2020 |
Predictive Machine Learning
| Pattern Branch/Version | Release Date |
|---|---|
| Malware Behavior Blocking | 2020 |
| Unauthorized Encryption and Modification | 2020 |
Solution Map - What should customers do?
|Trend Micro Solution||MAJOR PRODUCTS||LATEST VERSIONS||VIRUS PATTERN||ANTISPAM PATTERN||NETWORK PATTERN||BEHAVIOR MONITORING||PREDICTIVE MACHINE LEARNING||WEB REPUTATION|
|Endpoint Security||Apex One||2019||Update pattern via web console||Not Applicable||Update pattern via web console||Enable Behavior Monitoring and update pattern via web console||Enable Predictive Machine Learning||Enable Web Reputation Service and update pattern via web console|
|OfficeScan||XG (12.0)||Not Applicable|
|Worry-Free Business Security||Standard (10.0)|
|Advanced (10.0)||Update pattern via web console|
|Hybrid Cloud Security||Deep Security||12||Update pattern via web console||Not Applicable||Update pattern via web console||Enable Behavior Monitoring and update pattern via web console||Enable Predictive Machine Learning||Enable Web Reputation Service and update pattern via web console|
|Email and Gateway Security||Deep Discovery Email Inspector||3.5||Update pattern via web console||Update pattern via web console||Update pattern via web console||Not Applicable||Not Applicable||Enable Web Reputation Service and update pattern via web console|
|InterScan Messaging Security||9.1||Not Applicable|
|InterScan Web Security||6.5|
|ScanMail for Microsoft Exchange||14|
|Network Security||Deep Discovery Inspector||5.5||Update pattern via web console||Not Applicable||Update pattern via web console||Not Applicable||Not Applicable||Enable Web Reputation Service and update pattern via web console|
Make sure to always use the latest pattern available to detect the old and new variants of Nefilim Ransomware. Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
Make sure to implement the ransomware protection features and best practices. Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
For support assistance, please contact Trend Micro Technical Support.