
Nefilim Ransomware Uses RDP to Expose Sensitive Data

New Zealand. Home to fluffy sheep, geothermal pools and a new strain of Nefilim ransomware.

On June 16, CertNZ, the government body tasked with supporting Kiwi organizations affected by cyber incidents, issued an alert regarding a new variant of Nefilim ransomware targeting vulnerabilities in Remote Desktop Protocols.

NEMTY -> Nefilim -> Nephilim -> ????
Nefilim ransomware has been making the rounds since March 2020. It appears to be based on an older ransomware family, NEMTY, which was first spotted in August 2019. It is not known how Nefilim acquired the code from NEMTY, as it does not appear to be run by the same operators and has a very different service model: whereas NEMTY offers an affiliate ransomware-as-a-service model, in which any cybercriminal can rent all the software needed to deploy the attack, Nefilim is private, and only the criminals who created it have access to it.

Also noteworthy, Nefilim demands payment via email, as opposed to directing victims to pay into a bitcoin account. It also seems that a portion of the variant has morphed into Nephilim, as evidenced by the switch in some encrypted file extensions from Nefilim to Nephilim.

Whatever you want to call it, it seems the threat is using vulnerabilities in remote access tools to make its way deep inside corporate networks. Once it finds a weakness in the RDP or VPN, according to CertNZ, it uses “mimikatz, psexec, and Cobalt Strike to elevate privileges, move laterally across a network, and establish persistence on the network.”

This is especially troubling because Nefilim/Nephilim doesn’t only encrypt data; it posts the stolen data to its own and other dark web sites. Dumping or selling data is becoming an increasingly common method, also used by Sodinokibi/REvil, Maze, and some other popular variants. This is likely becoming a more popular method as companies beef up their disaster recovery and backup efforts, which has made the imperative of paying up ransom less, well, imperative. In sophisticated attacks like this, operators can get their hands on incredibly sensitive data, and unless victims pay up in time, that data can easily be exposed on the internet or sold to the highest bidder.

Nefilim/Nephilim in Action
Back to our friends on the other side of the world: in May, Nefilim hit an Australian shipping company, Toll Group, which had been walloped by a different strain of ransomware only one month prior. Not only did Nefilim steal their data, the operators leaked highly damaging information regarding the company’s missteps in the aftermath of the first attack. They posted a portion of the data to their own website, saying, “Toll Group failed to secure their network even after the first attack. We have more than 200 GB of archives of their private data”. According to, “the latest ransomware infection has resulted in a rebuild of core systems, the need to scrub infected servers clean, and the use of backups to restore files — rather than give in to demands for payment.”

In early June, appliance manufacturer Fisher & Paykel was also hit by the ransomware, forcing production to halt while it tried to recover. The stolen data, which was leaked gradually, was uploaded to the dark web, and according to the Nefilim operators’ website, “The information will usually be leaked in parts, so the company has a chance to stop the leak before all the information is released.”

Ransomware + COVID-19 = Big Problems
Sounds super scary, right? We’re not only talking about encryption, we’re talking exposure. And at the moment researchers have not been able to find any chinks in its armor, meaning no decryption tool, aside from the operators’ own private key, can be applied to data once it has been locked. What’s worse is the fact that it enters via RDP, which is more popular than ever thanks to the shift to working from home due to COVID-19. The occurrence of exposed RDP shot up 127% over the course of the pandemic, providing attackers with an easy way to get the sensitive data they’re after. With corporations scrambling to get employees set up from home, misconfigurations occur and security measures are often bypassed, creating a perfect window of opportunity for attackers to enter via insecure RDP.
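Because exposed RDP is the entry point the alert describes, the thing a defender most wants is a way to spot credential guessing against it in the Windows Security log before a foothold turns into lateral movement. The script below is an added example, not code from the original post or from Version 2 / Safe-T. It relies on two real Windows facts (event 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive, i.e. RDP) but the flattened "key=value" line format and every sample line are constructed for the example; a real deployment would read the events from the event log or a SIEM export instead.

```python
"""Flag RDP brute-force / password-spray patterns in Windows Security events.

Added example. The sample log and its key=value layout are constructed;
the event IDs (4624/4625) and logon type 10 (RemoteInteractive) are real.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: five rapid RDP failures across several accounts
# from one external address, then a success from the same address, plus a
# benign typo-and-retry from an internal user and a local (type 2) logon.
SAMPLE_LOG = """\
2020-06-16T02:11:05Z EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2020-06-16T02:11:09Z EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2020-06-16T02:11:14Z EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.7
2020-06-16T02:11:20Z EventID=4625 LogonType=10 Account=backup SourceIP=203.0.113.7
2020-06-16T02:11:27Z EventID=4625 LogonType=10 Account=svc_sql SourceIP=203.0.113.7
2020-06-16T02:12:01Z EventID=4624 LogonType=10 Account=svc_sql SourceIP=203.0.113.7
2020-06-16T08:30:00Z EventID=4625 LogonType=10 Account=jsmith SourceIP=10.0.0.15
2020-06-16T08:30:40Z EventID=4624 LogonType=10 Account=jsmith SourceIP=10.0.0.15
2020-06-16T09:00:00Z EventID=4624 LogonType=2 Account=jsmith SourceIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one constructed-format line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(m["eid"]),
        "logon_type": int(m["ltype"]),
        "account": m["account"],
        "ip": m["ip"],
    }


def detect_rdp_abuse(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Return findings for source IPs with too many RDP failures in a window,
    and for any RDP success from an IP that is currently over that threshold.
    The latter is the case that matters most: it is the moment an exposed
    RDP endpoint has actually been opened by a guessed credential."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    recent_failures = defaultdict(list)   # ip -> timestamps of RDP failures in window
    failed_accounts = defaultdict(set)    # ip -> every account tried (not windowed)
    findings, already_flagged = [], set()

    for e in events:
        if e["logon_type"] != 10:
            continue                       # only RemoteInteractive (RDP) logons
        ip, now = e["ip"], e["ts"]
        # Slide the window: keep only failures that are still within it.
        recent_failures[ip] = [t for t in recent_failures[ip] if now - t <= window]

        if e["event_id"] == 4625:
            recent_failures[ip].append(now)
            failed_accounts[ip].add(e["account"])
            if len(recent_failures[ip]) >= fail_threshold and ip not in already_flagged:
                already_flagged.add(ip)
                findings.append({
                    "type": "brute_force",
                    "ip": ip,
                    "failures": len(recent_failures[ip]),
                    "accounts": sorted(failed_accounts[ip]),
                })
        elif e["event_id"] == 4624 and len(recent_failures[ip]) >= fail_threshold:
            findings.append({
                "type": "success_after_failures",
                "ip": ip,
                "account": e["account"],
                "ts": now.isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_abuse(SAMPLE_LOG):
        print(finding)
```

The threshold and window are deliberately parameters: on an internet-exposed host five failures in ten minutes is a low bar, while an internal jump host may warrant a far tighter one. Reporting the distinct accounts tried from one address is what separates a password spray from a single user mistyping a password, which is why the benign internal retry produces no finding.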

As beneficial as RDP is, it inherently opens organizations up to risk. To get all the benefits without the risks and apply zero trust to your RDP access, consider using it with a Software Defined Perimeter (SDP) solution. SDP seamlessly secures remote access so employees can work from anywhere without exposure to threats like Nefilim/Nephilim.

The occurrence of ransomware variants like Nefilim/Nephilim shines a spotlight on the need to do things right, even under pressure. When it comes to the potential exposure of highly sensitive data, it doesn’t matter why corners get cut; if there’s a way in, attackers will use it.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Safe-T® Group Ltd.
Safe-T Group Ltd. (Nasdaq, TASE: SFET) is a provider of Zero Trust Access solutions which mitigate attacks on enterprises’ business-critical services and sensitive data, while ensuring uninterrupted business continuity. Safe-T’s cloud and on-premises solutions ensure that an organization’s access use cases, whether into the organization or from the organization out to the internet, are secured according to the “validate first, access later” philosophy of Zero Trust. This means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network or in the cloud.

Safe-T’s wide range of access solutions reduces organizations’ attack surface and improves their ability to defend against modern cyberthreats. As an additional layer of security, our integrated business-grade global proxy cloud service enables smooth and efficient traffic flow, interruption-free service, unlimited concurrent connections, instant scaling and simple integration with our services.

With Safe-T’s patented reverse-access technology and proprietary routing technology, organizations of all sizes and types can secure their data, services and networks against internal and external threats.