10. June 2021

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News

On Tuesday, Trend Micro released a case study analyzing Nefilim, a ransomware gang that the researchers believe is or was once linked with Nemty as a ransomware-as-a-service (RaaS) outfit. 

Nemty first surfaced in 2019; together with Sentinel Labs, Trend Micro claims that Nefilim first surfaced in March 2020. Both actors, named “Water Roc” by the firm, offered RaaS subscription services with a 70/30 split, with the margin shifting to 90/10 when affiliates snatched high-profile victims.

According to Trend Micro, Nefilim looks for exposed Remote Desktop Protocol (RDP) services and for vulnerabilities with public proof-of-concept (PoC) exploit code. The two known vulnerabilities, CVE-2019-19781 and CVE-2019-11634 in Citrix gateway devices, were patched in 2020. When unpatched services are discovered, however, exploit code is run and initial access is gained. Nefilim then starts by downloading a Cobalt Strike beacon, Process Hacker (for terminating endpoint security agents), the Mimikatz credential dumper, and other tools.

In one case reported by the researchers, Nefilim was also able to exploit CVE-2017-0213, an old weakness in the Windows Component Object Model (COM) software. Even though a patch was released in 2017, the vulnerability remained on the affected system, allowing the group to escalate its privileges to administrator level.

For lateral movement and access to corporate networks, the ransomware operators may use stolen or easily brute-forced credentials, and MEGAsync could be used to steal data during an attack. The Nefilim ransomware will then be installed an

[…]
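As an added defender-side example that is not from the Trend Micro report or this article: a small Python correlation routine that flags a host on which more than one stage of the tool chain described above (Process Hacker for killing security agents, Mimikatz for credential theft, MEGAsync for exfiltration) executes within one window. The event tuples and hostnames are constructed, and the process image names are assumptions about what endpoint process-creation telemetry would record.

```python
"""Correlate stages of the Nefilim intrusion tool chain per host."""
from collections import defaultdict
from datetime import datetime

# Assumed image names per stage; real telemetry may show renamed binaries,
# so this is a starting point for a rule, not a complete signature.
STAGE_INDICATORS = {
    "defense_evasion": ("processhacker.exe", "processhacker2.exe"),
    "credential_access": ("mimikatz.exe",),
    "exfiltration": ("megasync.exe",),
}

# Constructed sample events: (host, ISO timestamp, process image path).
SAMPLE_EVENTS = [
    ("srv01", "2021-06-01T09:05:00", r"C:\Users\Public\ProcessHacker.exe"),
    ("srv01", "2021-06-01T09:40:00", r"C:\Users\Public\mimikatz.exe"),
    ("srv01", "2021-06-01T11:20:00", r"C:\Users\Public\MEGAsync.exe"),
    ("ws07", "2021-06-01T10:00:00", r"C:\Tools\ProcessHacker.exe"),   # lone admin use
    ("ws12", "2021-06-01T08:00:00", r"C:\Temp\mimikatz.exe"),
    ("ws12", "2021-06-05T08:00:00", r"C:\Temp\MEGAsync.exe"),          # outside window
]


def classify(image: str):
    """Map a process image path to a tool-chain stage, or None."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for stage, names in STAGE_INDICATORS.items():
        if name in names:
            return stage
    return None


def correlate(events, window_hours=24, min_stages=2):
    """Return {host: sorted stages} for hosts where >= min_stages distinct
    stages of the chain ran within window_hours of each other."""
    by_host = defaultdict(list)
    for host, ts, image in events:
        stage = classify(image)
        if stage:
            by_host[host].append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {s for t, s in hits[i:]
                         if (t - t0).total_seconds() <= window_hours * 3600}
            if len(in_window) >= min_stages:
                alerts[host] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

A single Process Hacker execution is common legitimate admin activity, so the rule only fires when stages combine on one host; tune the window to the dwell times seen in your own environment.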

Content was cut in order to protect the source. Please visit the source for the rest of the article.

Read the original article: Nefilim Ransomware Group Eyes for $1bn+ Revenue Companies