Ransomware families NEMTY, Nefilim and Nephilim continue to evolve and merge, taking on aspects of other successful variants that aim to encrypt and extort.
This is an interesting time to study and follow ransomware trends. In particular, over the last year or two, we have seen an expansion of ‘mainstream’ ransomware even further into the data extortion and theft realm. It is one thing to have files encrypted, but having to treat every ransomware infection as a breach adds multiple new layers of complexity for victims of these campaigns. This is especially complex with GDPR and similar legal and compliance hurdles to now figure in.
Ransomware families like Maze, CLOP, DoppelPaymer, Sekhmet, and Nefilim/Nephilim are examples of threats which, upon infection, result in this complex issue for their victims. While Maze, DopplePayer & REvil tend to get the bulk of media coverage, Nephilim is another family which has very quickly risen to prominence with multiple damaging campaigns that threaten to publish victims’ sensitive information in the event they fail to ‘cooperate’ with the attacker’s demands.
Nefilim emerged in March 2020 and shares a substantial portion of code with another ransomware family, NEMTY. The exact relationship between the actors behind NEMTY and Nefilim/Nephilim is less than clear.
NEMTY launched in August of 2019 as a public affiliate program, and has since gone private. Current data indicates that rather than the same actors being behind both families, it is more likely that those behind Nephilim ‘acquired’ necessary code out of NEMTY in one way or another.
The two primary differences between Nefilim and NEMTY are the payment model, and the lack of a RaaS operation. Nefilim instructs victims to contact the attackers via email, as opposed to directing them to a TOR-based payment portal. To add even more confusion to the family tree, Nefilim appears to have evolved into ‘Nephilim’, and the two are technically similar, differentiated primarily by extension and artifacts in encrypted files.
However, there is also intelligence indicating that NEMTY has continued and forked into a new ‘NEMTY Revenue’ version. This comes after the actors behind NEMTY announced that they would be taking the threat private (no more publicly accessible RaaS operation).
Technically, Nephilim is not dissimilar from other well-known ransomware families. The primary method of delivery is currently vulnerable RDP services. Once the attackers have compromised the environment via RDP, they then proceed to establish persistence, to locate and exfiltrate additional credentials where possible, and then to deliver the ransomware payloads to their intended targets.
Nephilim Encryption Protocols
In the Nephilim samples we have analyzed the actual file encryption is handled via a tag-team of AES-128 and RSA-2048. Note, the original vendor behind Nefilim/Nephilim advertises it as such as well.
Specific files are encrypted using AES-128. At that point, an RSA-2048 public key is used to encrypt the AES encryption key. The public key is subsequently embedded in the ransomware executable payloads. This is one area that differs from pure NEMTY, which is known to have used different key lengths. For example, prior versions of NEMTY have used RSA-8192 as a “master key” for encryption of target configuration data along with the rest of the keys (src: Acronis).
We are also aware of variants of NEMTY that utilize an RSA-1024 public key for processing the AES encryption key. Also, with earlier versions of NEMTY, there was variance across how files of specific size ranges were handled. Later versions of NEMTY (aka NEMTY REVENUE 3.1) utilize AES-128 in counter mode, along with RSA-2048 for encrypting the AES keys.
At this time only the actors behind Nephilim are able to decrypt affected files. That is to say, there are no known flaws or methods to bypass the attackers’ safeguards on the encrypted files.
Nephilim Post-infection Behavior
After infection, encrypted files are given the
.NEPHILIM extension. A similarly named ransom note is deposited in directories containing encrypted files.
In some cases, with Nephilim, the ‘NEPHILIM-DECRYPT.txt’ will only be written to ~AppDataLocalVirtualStore. Location and name of the locally-stored desktop wallpaper varies. In recent Nephilim infections, the alternate desktop image is written to %temp% with the filename ‘god.jpg’.
Strings, Distinguishing Traits
Another hallmark of Nephilim is the use of embedded strings and compiler paths to send “subtle messages”, primarily to researchers and analysts it would seem. For example, the following compiler path can be found in these samples (both compiled on April 7, 2020):
While the sample
from March 2020 contains additional jabs at specific AV vendors.
This sample was also referenced by @malwrhunterteam in a March 13th tweet.
Name & Shame Strategy
Nefilim/Nephilim also threatens to publish sensitive information from the infected environments in the event that the victim refuses to cooperate with the attackers’ demands, as evidenced in this typical Nephilim ransom note.
Attempting to negotiate, or refusal to pay, fall under the category of non-compliance. To date, two companies have been published on Nephilim’s “shaming” websites (clearnet and TOR-based). It is worth noting that initially, all the companies listed on their site were oil and energy companies. However, between April 23 and April 27, 2020, the group has added three additional victims to the site. One of these is another large oil and gas company, and the other two are classified as “Apparel and Fashion” and “Engineering and Construction Services”.
Multiple other familles follow this same practice, which turns “basic” ransomware infections into full (and sometimes catastrophic) data breaches. Other well known families embracing this model are Maze, REvil, DoppelPaymer, CLOP, Sekhmet, and more recently, Ragnar. We note that Nefilim/Nephilim is also one of the families that has “vowed” not to attack medical entities, nonprofits and other “critical” entities during the current pandemic.
Protecting your environment against threats like Nephilim is more critical than ever. In order to prevent loss of data and the consequences of a large-scale data breach, organizations must rely on a modern, well maintained, and properly-tuned and trusted security solution. Prevention is key with these attacks. Even in the event that the encryption/data-loss can be mitigated through decryptors, backups or rollbacks, victims still face the problem of their data being posted publicly. We encourage our customers to analyze and understand the threats and to take swift and appropriate action to prevent incidents occurring in the first place.
SentinelOne Endpoint Protection detects and prevents malicious actions associated with NEMTY, Nefilim, and Nephilim.
Indicators of Compromise
For convenience, we provide both SHA256 and SHA1 hashes below.