In a new research study released Tuesday, Trend Micro analyzes Nefilim, a ransomware group that analysts believe is or was once connected with Nemty through ransomware-as-a-service (RaaS) organizations.
According to Trend Micro, Nefilim was identified by Sentinel Labs, together with Nemty, in March 2020. Under their RaaS arrangements, the actors, which Trend Micro tracks as “Water Roc,” split profits 70/30 with affiliates, with the split dropping to 90/10 as affiliates captured high-profile victims.
How Nefilim identifies vulnerable systems
Nefilim’s vulnerability scanning focuses on exposed Remote Desktop Protocol (RDP) services and on services with public proof-of-concept exploit code, such as the two known Citrix gateway vulnerabilities, CVE-2019-19781 and CVE-2019-11634, which were patched in 2020. Once a vulnerable service is discovered, the exploit code is run and initial access is gained. The Nefilim operators first download the Cobalt Strike beacon, Process Hacker (a tool used to terminate endpoint security agents), the Mimikatz credential dumper, and other tools.
Researchers found that in one case Nefilim exploited CVE-2017-0213, a vulnerability in the Windows Component Object Model (COM). The system was still unpatched even though a fix had been released in 2017, which allowed the group to gain administrator privileges.
Credential theft and data exfiltration with MEGAsync are among the methods the ransomware operators use to move laterally through corporate networks. The Nefilim ransomware is then deployed and begins encrypting data. The group has used several file extensions for encrypted files, and it has been linked to .Nefilim, Merin, and Off-White.
A random AES key is generated for each file queued for encryption. The malware decrypts its ransom note using a fixed RC4 key; the note includes email addresses that victims can use to contact the operators about payment.
The researchers stated:
“To enable file decryption in case the victim pays the ransom amount, the malware encrypts the generated AES key with a fixed RSA public key and appends it to the encrypted file. To date, only the attackers can decrypt this scheme as they alone own the paired private RSA key.”
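As an added example (not code from the article or from Trend Micro’s report), the Go program below models the scheme described in the quote from the decryptor’s side: a fresh AES key per file, wrapped with a fixed RSA public key and appended to the ciphertext, so that recovery requires the paired private key and fails with any other key or a truncated file. AES-GCM, RSA-OAEP, the 2048-bit demo key, and the field layout are assumptions; the page does not state the cipher modes or the on-disk format.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// Assumed layout (the page gives no field sizes or modes): nonce || AES-GCM ciphertext || RSA-OAEP-wrapped AES key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// newDemoKey stands in for the operators' fixed key pair; generated fresh here, for the demo only.
func newDemoKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return priv
}
// sealForDemo models the described scheme: random AES key per file, body encrypted under it, key wrapped with the fixed RSA public key and appended.
func sealForDemo(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return nil, err }
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil { return nil, err }
	return append(gcm.Seal(nonce, nonce, plaintext, nil), wrapped...), nil
}
// recoverFile is the decryptor side: the per-file AES key unwraps only with the paired RSA private key, so the public key alone recovers nothing.
func recoverFile(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	n := priv.Size() // the wrapped key occupies exactly one RSA modulus length at the tail
	if len(sealed) < n+12+16 { return nil, fmt.Errorf("sealed blob too short: %d bytes", len(sealed)) }
	body, wrapped := sealed[:len(sealed)-n], sealed[len(sealed)-n:]
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil { return nil, fmt.Errorf("key unwrap failed: %w", err) }
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	return gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], nil)
}
func main() {
	priv := newDemoKey()
	sealed, _ := sealForDemo(&priv.PublicKey, []byte("constructed sample file"))
	fmt.Println(recoverFile(priv, sealed))
}
```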
Nefilim has been associated with attacks against companies with yearly revenues of $1 billion or more, but smaller businesses have also been affected by the malware’s operators. Europe, Asia, and Oceania constitute the next largest group of victims, followed by the US.
Trend Micro reported:
“Modern attackers have moved on from widespread mass-mailed indiscriminate ransomware to a new model that is much more dangerous. Today, corporations are subject to these new APT-level ransomware attacks. In fact, they can be worse than APTs because ransomware often ends up destroying data, whereas information-stealing APTs are almost never destructive. There is a more pressing need to defend organizations against ransomware attacks, and now, the stakes are much higher.”