Nefilim ransomware analysis


In August 2020, the Nefilim ransomware operators breached the SPIE Group and revealed that they had stolen the company's sensitive data, including telecommunications service contracts, legal documents, authorization documents, and so on.

In December 2020, Whirlpool, the American multinational home appliance manufacturer, was attacked by Nefilim ransomware. The attackers demanded a ransom and threatened to leak the stolen data otherwise. After negotiations with Whirlpool executives failed, the attackers leaked data stolen from Whirlpool, including employee benefits, accommodation requirements, medical information and other related records.

Nefilim became known for its double-extortion approach and for several high-profile attacks launched in 2020. Nefilim is one of the well-known ransomware families, and its operators use double extortion in their campaigns. Nefilim was first discovered in March 2020. From the beginning, its attack strategy was to threaten to publish the victims' stolen data in order to force them to pay a ransom. Apart from this strategy, another distinguishing feature of Nefilim is its similarity to Nemty; in fact, it is considered an evolved version of that earlier ransomware.

Detailed analysis of initial access

For initial access, the attackers behind Nefilim used various affiliates to spread their malware, and these affiliates used various methods to deliver the malicious programs. According to previous attack analyses, Nefilim is mostly introduced into systems through exposed RDP services. Some affiliates also used other known vulnerabilities for initial access, which has been partially verified. From these initial analyses, we discovered that the attackers used the Citrix vulnerability (CVE-2019-19781) to enter the system.

At the end of 2019, a high-risk remote code execution vulnerability, CVE-2019-19781, was disclosed in Citrix ADC and Citrix Gateway. What makes this vulnerability so dangerous is that unauthenticated attackers can use it to compromise and control Citrix devices and, from there, gain access to intranet resources.

Nefilim has also been seen using third-party tools to harvest credentials, including Mimikatz, LaZagne, and NirSoft's NetPass. The stolen credentials are then used to attack servers and other high-value devices.

Once inside the victim's system, the attackers begin dropping and executing their components, such as tools for disabling anti-virus software, penetration-testing tools, and Nefilim itself.

Lateral movement on the network

The attackers use several legitimate tools to move laterally. For example, they use PsExec or Windows Management Instrumentation (WMI) to move laterally and to drop and execute other components, including the ransomware itself. Nefilim has been observed using batch files to terminate certain processes and services. It even uses third-party tools such as PC Hunter, Process Hacker, and Revo Uninstaller to terminate antivirus-related processes, services, and applications. It also uses AdFind, BloodHound, or SMBTool to enumerate Active Directory or devices joined to the domain.

Details of the data theft

A notable feature of recent ransomware variants is that their data theft capabilities have become more and more powerful. Nefilim has been observed copying data from servers or shared directories to a local directory, archiving it with 7-Zip, and then exfiltrating the archives using MEGAsync.
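As an added example (not from the original analysis), the following Python script runs simple detection logic over constructed process-creation records for the tooling named in the two sections above: PsExec and WMI for lateral movement, taskkill and AV-killer utilities, AdFind-style discovery, 7-Zip staging and MEGAsync. The hostnames, paths and command lines are constructed sample data, not real telemetry, and the rule set is my own.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (Sysmon Event ID 1 style); not real telemetry.
EVENTS = [
    {"host": "FS01", "image": r"C:\Windows\PSEXESVC.exe", "cmd": "PSEXESVC.exe"},
    {"host": "FS01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": r'wmic /node:WS07 process call create "cmd /c \\FS01\share\kill.bat"'},
    {"host": "WS07", "image": r"C:\Windows\System32\taskkill.exe", "cmd": "taskkill /f /im MsMpEng.exe"},
    {"host": "WS07", "image": r"C:\Temp\PCHunter64.exe", "cmd": "PCHunter64.exe"},
    {"host": "DC01", "image": r"C:\Temp\adfind.exe", "cmd": "adfind.exe -f objectcategory=computer"},
    {"host": "FS01", "image": r"C:\Program Files\7-Zip\7z.exe", "cmd": r"7z.exe a D:\staging\hr.7z \\FS02\hr"},
    {"host": "FS01", "image": r"C:\Users\svc\AppData\Local\MEGAsync\MEGAsync.exe", "cmd": "MEGAsync.exe"},
    {"host": "WS02", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},  # benign
]

# Each rule maps a regex over "image + command line" to the attack stage it indicates.
RULES = [
    ("lateral_movement", re.compile(r"psexesvc|psexec", re.I)),
    ("lateral_movement", re.compile(r"wmic(\.exe)?\s.*process\s+call\s+create", re.I)),
    ("defense_evasion", re.compile(r"taskkill\s+.*(/im|/pid)|net\s+stop|sc\s+stop", re.I)),
    ("defense_evasion", re.compile(r"pchunter|processhacker|revo ?uninstaller", re.I)),
    ("discovery", re.compile(r"adfind|sharphound|bloodhound|smbtool", re.I)),
    ("staging", re.compile(r"\b7z[ag]?\.exe\b", re.I)),
    ("exfiltration", re.compile(r"megasync", re.I)),
]

def classify(event):
    """Return the set of attack stages an event matches (empty for benign events)."""
    text = event["image"] + " " + event["cmd"]
    return {stage for stage, pat in RULES if pat.search(text)}

def detect(events):
    """Tag every matching event and escalate hosts that show both archive staging
    and MEGAsync activity, the data-theft sequence described above."""
    per_host = defaultdict(set)
    alerts = []
    for ev in events:
        stages = classify(ev)
        if stages:
            alerts.append((ev["host"], sorted(stages), ev["cmd"]))
            per_host[ev["host"]] |= stages
    escalate = sorted(h for h, s in per_host.items() if {"staging", "exfiltration"} <= s)
    return alerts, escalate

if __name__ == "__main__":
    hits, hosts = detect(EVENTS)
    for host, stages, cmd in hits:
        print(f"{host:5} {','.join(stages):18} {cmd}")
    print("hosts with staging + exfiltration:", hosts)
```

In real telemetry the same rules would be fed from Sysmon or EDR process-creation events, and the host-level correlation is what turns individually noisy hits (7-Zip alone is common) into a useful alert.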

Mitigation measures

Researchers have found that in attacks similar to Nefilim's, the attackers spend a lot of time on initial access and lateral movement. However, once lateral movement begins, the attackers act quickly, prioritizing moving between hosts and stealing data. Therefore, companies can consider limiting the number of computers that can be used during the lateral-movement phase. This involves solutions such as using two-factor authentication (2FA) wherever possible, implementing application allow lists, and enforcing security policies such as least privilege.

As for how to defend systems against Nefilim, the best practice is still prevention. It is best to work proactively to prevent similar attacks that rely on lateral movement. Organizations should consider canary-file monitoring (canary files can quickly reveal that an infection is underway and help contain the ransomware), encryption monitoring, and process termination. Other security measures needed include:

1. Avoid opening unverified emails or clicking on links embedded in them, as these may initiate the ransomware installation process.

2. Use the 3-2-1 rule to back up your important files. Three copies: in addition to the original, you should always have two additional backup copies of your important data, whether it is stored on a server, network-attached storage, a hard drive, in the cloud or elsewhere. This ensures that no single event can destroy all important data. Two formats: the second part of the 3-2-1 rule states that you should keep copies of data on at least two different media or storage types. These may include an internal drive as well as external media such as disks, tapes, flash memory, network storage or cloud storage. One remote backup: storing at least one backup in a remote location is a necessary measure to protect data from physical disasters such as fire, flood, or theft. After you have created multiple copies of your important data, it is extremely important to preserve the integrity of the original, otherwise every copy made from it will carry the same defects.

3. Regularly update software, programs and applications so that they are up to date and carry the latest protections against newly discovered vulnerabilities.
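The canary-file and encryption monitoring recommended in the mitigation section above, as an added example rather than anything from the original article: canary files with known contents are planted, and a check reports any canary that disappears (for example through a rename) or whose contents change, using byte entropy to distinguish a probable encryption from an ordinary edit. The canary names, their contents, the ".locked" rename and the 7.0 bits/byte threshold are my assumptions.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Constructed canary names, chosen to sort early in a directory listing so an encryptor
# walking the share tends to reach them before real documents.
CANARY_NAMES = ["0_contracts_index.xlsx", "~$budget_draft.docx"]
CANARY_TEXT = b"CANARY FILE - DO NOT MODIFY. Low-entropy placeholder text.\n" * 32

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def plant(directory: Path) -> dict:
    """Write the canaries and return a baseline of name -> sha256 for later checks."""
    baseline = {}
    for name in CANARY_NAMES:
        (directory / name).write_bytes(CANARY_TEXT)
        baseline[name] = hashlib.sha256(CANARY_TEXT).hexdigest()
    return baseline

def check(directory: Path, baseline: dict) -> list:
    """Return (name, kind) alerts; a rewrite above 7.0 bits/byte is reported as encryption."""
    alerts = []
    for name, digest in baseline.items():
        p = directory / name
        if not p.exists():
            alerts.append((name, "missing_or_renamed"))
        elif hashlib.sha256(data := p.read_bytes()).hexdigest() != digest:
            alerts.append((name, "encrypted" if shannon_entropy(data) > 7.0 else "modified"))
    return alerts

def demo() -> list:
    """Plant canaries, simulate an encryptor touching them, and return the resulting alerts."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        baseline = plant(d)
        (d / CANARY_NAMES[0]).write_bytes(os.urandom(4096))  # simulated in-place encryption
        (d / CANARY_NAMES[1]).rename(d / (CANARY_NAMES[1] + ".locked"))  # ".locked" is a placeholder
        return check(d, baseline)

if __name__ == "__main__":
    for name, kind in demo():
        print(f"ALERT {kind}: {name}")
```

In production the check would run on a schedule or from a filesystem-change notification against canaries spread across the shares an attacker would reach first, with an alert wired to isolate the host that holds the write handle.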