A new ransomware, named Nefilim, has been found and appears to have been active since February 2020. Nefilim shares much of the same code as the Nemty ransomware but has removed the ransomware-as-a-service component and has also changed to using email communications for payment versus the normal Tor payment sites. It isn’t known if this is a new tactic by the Nemty operators or if someone else copied the source code to release a new version. The ransom note threatens that the threat actors will release stolen data if they do not receive payment. It is not yet known how Nefilim is spread, but researchers suspect that threat actors are breaking in through remote desktop servers by stealing or guessing employee passwords to log in to remote access accounts, then installing the ransomware.
Analyst Notes
Since Nefilim shares large portions of code with Nemty, some Anti-Virus (AV) programs have already been able to identify this new infection. Keeping AV programs up-to-date is one important step for companies to defend against this threat, although ransomware operators are capable of encrypting each payload before deploying it to evade all anti-virus detections for targeted attacks. Having complete and secure backups are and have always been the primary method of recovering from a ransomware attack. One of the strongest defense mechanisms is to employ a service such as the Binary Defense Security Operations Center that can monitor endpoints 24 hours a day, 7 days a week and defend from attacks. The Binary Defense Counterintelligence team can provide a proactive defense by searching for targeted attacks before they happen. Securing all remote access portals using a corporate Virtual Private Network (VPN) and two-factor authentication is another critically important security control to implement.
To read more: https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/