Nefilim ransomware analysis

Introduction

In August 2020, the Nefilim ransomware operators compromised the SPIE Group and announced that they had stolen the company's sensitive data, including telecommunications service contracts, legal documents, authorization documents, and other files.

In December 2020, Whirlpool, the American home appliance multinational, was attacked by Nefilim ransomware. The attackers demanded a ransom and threatened to leak the stolen data otherwise. After negotiations with Whirlpool executives failed, they leaked data stolen from Whirlpool, including employee benefit records, accommodation requests, medical information and other related files.

Nefilim became known for its double-extortion tactic and for several high-profile attacks launched in 2020. It is one of the well-known ransomware families whose operators use double extortion in their campaigns. Nefilim was first discovered in March 2020. From the beginning, its strategy was to threaten to publish the victims' stolen data in order to force them to pay a ransom. Beyond this strategy, another distinguishing feature of Nefilim is its similarity to Nemty; in fact, it is considered an evolved version of that earlier ransomware family.

Detailed analysis of initial access

For initial access, the attackers behind Nefilim rely on various affiliates to spread their malware, and these affiliates use a range of methods to deliver the malicious programs. According to analysis of previous attacks, Nefilim is most often delivered through exposed RDP services. Some affiliates have also been observed using other known vulnerabilities for initial access. In these initial analyses we found that the attackers used the Citrix vulnerability (CVE-2019-19781) to enter the system.

At the end of 2019, Citrix ADC and Citrix Gateway were found to be affected by a high-risk remote code execution vulnerability, CVE-2019-19781. The most dangerous aspect of this vulnerability is that an unauthenticated attacker can use it to compromise and control the Citrix appliance and then gain further access to internal network resources.

Nefilim has also been seen using third-party tools to collect credentials, including Mimikatz, LaZagne, and NirSoft's NetPass. The stolen credentials are then used to attack servers and other high-value devices.

Once inside the victim's environment, the operators drop and execute their components, such as tools for disabling antivirus software, penetration-testing tools, and the Nefilim payload itself.

Lateral movement across the network

The attackers use several legitimate tools to move laterally. For example, they use PsExec or Windows Management Instrumentation (WMI) to move laterally and to drop and execute other components, including the ransomware itself. Nefilim has been observed using batch files to terminate certain processes and services. It even uses third-party tools such as PC Hunter, Process Hacker, and Revo Uninstaller to terminate antivirus-related processes, services, and applications. It also uses AdFind, BloodHound, or SMBTool to enumerate Active Directory or devices joined to the domain.

Details of the data theft

A notable feature of recent ransomware variants is that their data theft capabilities have become increasingly powerful. Nefilim has been observed copying data from servers or shared directories to a local directory, archiving that data with 7-Zip, and then exfiltrating it with MEGAsync.
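The lateral-movement section above (PsExec, WMI, batch files that stop services, PC Hunter/Process Hacker, AdFind/BloodHound) and the data-theft section (7-Zip archiving of shares followed by MEGAsync) describe behaviours that show up clearly in process-creation telemetry. The script below is an added example, not part of the original article, that runs a small rule set over constructed process-creation records in the form `host|parent_image|image|command_line` (the format, host names, paths and command lines are assumptions made for illustration) and then flags any host on which two or more distinct rules fired, since a single hit such as an administrator running 7-Zip is normal while a cluster of them on one host is not.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample process-creation records (not real telemetry):
# "host|parent_image|image|command_line"
SAMPLE_LOGS = [
    "WS01|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\winword.exe|winword.exe report.docx",
    "WS01|C:\\Windows\\System32\\cmd.exe|C:\\Tools\\PsExec.exe|PsExec.exe \\\\FS01 -s cmd.exe /c kill.bat",
    "FS01|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\ProgramData\\kill.bat",
    "FS01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\net.exe|net stop \"Sophos AutoUpdate Service\" /y",
    "FS01|C:\\Windows\\System32\\cmd.exe|C:\\Users\\admin\\Downloads\\PCHunter64.exe|PCHunter64.exe",
    "DC01|C:\\Windows\\System32\\cmd.exe|C:\\Temp\\AdFind.exe|AdFind.exe -f objectcategory=computer",
    "FS01|C:\\Windows\\System32\\cmd.exe|C:\\Program Files\\7-Zip\\7z.exe|7z.exe a -p C:\\Temp\\share.7z \\\\FS01\\Finance",
    "FS01|C:\\Windows\\explorer.exe|C:\\Users\\admin\\AppData\\Local\\MEGAsync\\MEGAsync.exe|MEGAsync.exe",
    "WS02|C:\\Windows\\explorer.exe|C:\\Program Files\\7-Zip\\7z.exe|7z.exe x photos.7z",
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def parse_record(line: str) -> dict:
    """Split one pipe-delimited record into its four fields."""
    host, parent, image, cmdline = line.split("|", 3)
    return {"host": host, "parent": _base(parent), "image": _base(image), "cmdline": cmdline}


def _archives_network_share(rec: dict) -> bool:
    """7-Zip 'add' operation whose arguments include a UNC path (\\\\server\\share)."""
    toks = rec["cmdline"].split()
    return rec["image"] in ("7z.exe", "7za.exe") and len(toks) > 1 and toks[1] == "a" and "\\\\" in rec["cmdline"]


# Each rule: (name, predicate over a parsed record). Names are illustrative.
RULES = [
    ("psexec_remote_exec", lambda r: re.fullmatch(r"psexe(c|svc)(64)?\.exe", r["image"]) is not None),
    ("wmi_spawned_shell", lambda r: r["parent"] == "wmiprvse.exe" and r["image"] in ("cmd.exe", "powershell.exe")),
    ("service_or_process_kill", lambda r: (r["image"] in ("net.exe", "net1.exe", "sc.exe")
                                           and re.search(r"\b(stop|delete)\b", r["cmdline"], re.I) is not None)
                                          or r["image"] == "taskkill.exe"),
    ("av_killer_tool", lambda r: re.search(r"pchunter|processhacker|revouninstaller", r["image"]) is not None),
    ("ad_recon_tool", lambda r: re.search(r"adfind|sharphound|bloodhound|smbtool", r["image"]) is not None),
    ("archive_network_share", _archives_network_share),
    ("cloud_sync_client", lambda r: r["image"] == "megasync.exe"),
]


def detect(lines) -> list:
    """Return one finding per (record, rule) match."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        for name, pred in RULES:
            if pred(rec):
                findings.append({"host": rec["host"], "rule": name, "image": rec["image"]})
    return findings


def suspicious_hosts(findings, min_rules: int = 2) -> list:
    """Hosts on which at least `min_rules` distinct rules fired, sorted by name."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for h in hits:
        print(f"{h['host']:5} {h['rule']:25} {h['image']}")
    print("hosts needing triage:", suspicious_hosts(hits))
```

In the sample data only FS01 crosses the two-rule threshold (WMI-spawned shell, service stop, PC Hunter, archiving of a share and MEGAsync), while the lone AdFind run on DC01 and the benign 7-Zip extraction on WS02 do not. On real telemetry these rules would be fed from Sysmon or EDR process-creation events and the per-host correlation should be bounded to a time window, because the article's point is that once lateral movement starts the operators move fast.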

Mitigation measures

Researchers have found that in attacks like Nefilim's, the operators spend a lot of time on initial access and lateral movement. However, once lateral movement begins, the attackers act quickly, prioritizing movement between hosts and theft of data. Companies can therefore consider limiting the number of machines an attacker can reach during the lateral movement phase. This involves measures such as using two-factor authentication (2FA) wherever possible, implementing application allowlisting, and enforcing security policies such as least privilege.

As for defending systems against the Nefilim threat, the best practice is still proactive defense: organizations should work to prevent similar attacks before lateral movement begins. They should consider canary-file monitoring (canary files can quickly reveal that an infection is under way and help contain the ransomware), encryption monitoring, and process termination. Other security measures that are needed include:
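The canary-file and encryption monitoring recommended above can be combined in one check: plant a few low-entropy decoy files in monitored directories, record their hashes, and on each sweep report any canary that has gone missing, been renamed with an appended extension, or whose content has changed, using byte entropy to distinguish an encrypted overwrite from an ordinary edit. The script below is an added example, not code from the original article; the canary names, the entropy threshold of 7.0 bits per byte, and the `demo()` routine that simulates tampering inside a temporary directory are all constructed for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Constructed canary content: deliberately low-entropy plaintext so that an encrypted
# overwrite stands out clearly from the baseline.
CANARY_CONTENT = b"CANARY FILE - DO NOT MODIFY. " * 64


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plaintext is typically well below 7, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_canaries(root: str, names=("_canary.docx", "~$canary.xlsx")) -> dict:
    """Write canary files into `root` and return a {path: sha256} baseline."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(CANARY_CONTENT)
        baseline[path] = hashlib.sha256(CANARY_CONTENT).hexdigest()
    return baseline


def check_canaries(baseline: dict, entropy_threshold: float = 7.0) -> list:
    """Compare every canary against its baseline; return a list of alert dicts (empty if clean)."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            # Ransomware commonly renames files by appending an extension; look for such siblings.
            directory, name = os.path.split(path)
            renamed = sorted(f for f in os.listdir(directory) if f.startswith(name) and f != name)
            alerts.append({"path": path, "event": "renamed" if renamed else "missing", "new_names": renamed})
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != expected:
            ent = shannon_entropy(data)
            event = "encrypted" if ent >= entropy_threshold else "modified"
            alerts.append({"path": path, "event": event, "entropy": round(ent, 2)})
    return alerts


def demo():
    """Plant canaries in a temp dir, confirm a clean sweep, then simulate tampering (constructed)."""
    root = tempfile.mkdtemp(prefix="canary_demo_")
    baseline = plant_canaries(root)
    clean = check_canaries(baseline)
    first, second = sorted(baseline)
    # Simulate an encryptor overwriting one canary with random bytes ...
    with open(first, "wb") as fh:
        fh.write(os.urandom(4096))
    # ... and renaming the other with an appended extension.
    os.rename(second, second + ".locked")
    return clean, check_canaries(baseline)


if __name__ == "__main__":
    before, after = demo()
    print("clean sweep:", before)
    for alert in after:
        print(alert)
```

Two practical caveats: the canary content must be plaintext, because genuine compressed formats such as real .docx or .zip files already have entropy near 8 bits per byte and would be reported as "encrypted" after any legitimate change; and an alert is only useful if it triggers an automated response (isolating the host, stopping the offending process), since the article notes how quickly operators move once encryption starts.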

1. Avoid opening unverified emails or clicking links embedded in them, as these may start the ransomware installation process.

2. Use the 3-2-1 rule to back up your important files.
   Three copies: in addition to the original, always keep two additional backup copies of your important data, whether it is stored on a server, network-attached storage, a hard drive, in the cloud, or elsewhere. This ensures that no single event can destroy all of the important data.
   Two formats: the second part of the 3-2-1 rule states that you should keep copies of the data on at least two different media or storage types. These may include an internal drive as well as external media such as disks, tapes, flash memory, network storage, or cloud storage.
   One remote backup: storing at least one backup in a remote location is a necessary measure to protect data from physical disasters such as fire, flood, or theft.
   After you have created multiple copies of your important data, it is extremely important to preserve the integrity of the original, otherwise every copy made from it will carry the same defects.

3. Regularly update software, programs and applications so that they are up to date and carry the latest protection against new vulnerabilities.

IOCs

MD5:

5ff20e2b723edb2d0fb27df4fc2c4468
af1b0f2c308c2902a6fd637bd870e2f3
2c886ebceaf14ace2096f8315cc872ae
26c35850483c877ee23f476b38d58deb
86e048d2eae96a817b272a2a7258271c
4ada487646c994a10d36c4d5e75e63af
6196c083282e7fe87d8039336e707e73

SHA-1:

e53d4b589f5c5ef6afd23299550f70c69bc2fe1c
ba92c48bbcadc1cfe866a12a919c698e2e06d95f
3d6f37d72b14568df0d70e30baafa42063d38fae
0d339d08a546591aab246f3cf799f3e2aaee3889
b2104da751de1fc8c0d46a068445b0034ec30912
b55577e20b339d5813b252b2d092a931e835a4f2
eea8b6f959c6dd33609ff1552521cbe9dc169872

SHA-256:

08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641
205ddcd3469193139e4b93c8f76ed6bdbbf5108e7bcd51b48753c22ee6202765
5da71f76b9caea411658b43370af339ca20d419670c755b9c1bfc263b78f07f1
7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599
eacbf729bb96cf2eddac62806a555309d08a705f6084dd98c7cf93503927c34f
f51f128bca4dc6b0aa2355907998758a2e3ac808f14c30eb0b0902f71b04e3d5
fdaefa45c8679a161c6590b8f5bb735c12c9768172f81c930bb68c93a53002f7
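The indicator list above mixes MD5, SHA-1 and SHA-256 values, which is how such lists are usually published. The script below is an added example, not part of the original article, showing how a defender can turn the list into a file-system sweep: it sorts the indicators by hash type from their length, hashes each file once for all three algorithms, and reports matches. The `demo()` routine scans a constructed temporary directory and, to exercise the match path without any real sample, adds the SHA-256 of its own benign test file to the list as a clearly constructed indicator.

```python
import hashlib
import os
import tempfile

# Hashes published in the IOC section above (MD5, SHA-1 and SHA-256 mixed together).
NEFILIM_IOCS = [
    "5ff20e2b723edb2d0fb27df4fc2c4468",
    "af1b0f2c308c2902a6fd637bd870e2f3",
    "2c886ebceaf14ace2096f8315cc872ae",
    "26c35850483c877ee23f476b38d58deb",
    "86e048d2eae96a817b272a2a7258271c",
    "4ada487646c994a10d36c4d5e75e63af",
    "6196c083282e7fe87d8039336e707e73",
    "e53d4b589f5c5ef6afd23299550f70c69bc2fe1c",
    "ba92c48bbcadc1cfe866a12a919c698e2e06d95f",
    "3d6f37d72b14568df0d70e30baafa42063d38fae",
    "0d339d08a546591aab246f3cf799f3e2aaee3889",
    "b2104da751de1fc8c0d46a068445b0034ec30912",
    "b55577e20b339d5813b252b2d092a931e835a4f2",
    "eea8b6f959c6dd33609ff1552521cbe9dc169872",
    "08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641",
    "205ddcd3469193139e4b93c8f76ed6bdbbf5108e7bcd51b48753c22ee6202765",
    "5da71f76b9caea411658b43370af339ca20d419670c755b9c1bfc263b78f07f1",
    "7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599",
    "eacbf729bb96cf2eddac62806a555309d08a705f6084dd98c7cf93503927c34f",
    "f51f128bca4dc6b0aa2355907998758a2e3ac808f14c30eb0b0902f71b04e3d5",
    "fdaefa45c8679a161c6590b8f5bb735c12c9768172f81c930bb68c93a53002f7",
]

HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_iocs(iocs) -> dict:
    """Group indicator strings by hash type; reject anything that is not hex of a known length."""
    groups = {"md5": set(), "sha1": set(), "sha256": set()}
    for raw in iocs:
        h = raw.strip().lower()
        algo = HASH_BY_LEN.get(len(h))
        if algo is None or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"unrecognised indicator: {raw!r}")
        groups[algo].add(h)
    return groups


def file_digests(path: str, chunk: int = 1 << 20) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of a file in a single pass over its bytes."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_directory(root: str, iocs) -> list:
    """Walk `root` and return a hit dict for every file whose digest appears in `iocs`."""
    groups = classify_iocs(iocs)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = file_digests(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            for algo, digest in digests.items():
                if digest in groups[algo]:
                    hits.append({"path": path, "algo": algo, "hash": digest})
    return hits


def demo():
    """Scan a constructed temp directory: clean first, then with one constructed indicator added."""
    root = tempfile.mkdtemp(prefix="ioc_scan_")
    path = os.path.join(root, "benign.txt")
    with open(path, "wb") as fh:
        fh.write(b"constructed sample content, not malware\n")
    clean_hits = scan_directory(root, NEFILIM_IOCS)
    # Constructed indicator: the benign file's own SHA-256, used only to show a positive match.
    with_constructed = NEFILIM_IOCS + [file_digests(path)["sha256"]]
    return clean_hits, scan_directory(root, with_constructed)


if __name__ == "__main__":
    clean, matched = demo()
    print("hits on clean directory:", clean)
    print("hits with constructed indicator:", matched)
```

Hash indicators are brittle by nature: a recompiled or repacked sample changes all three values, so a sweep like this confirms a known build but never proves absence. Treat a hit as high-confidence and a clean result as one signal among the behavioural checks described earlier.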