Ransomware attacks are among the most damaging threats organizations face, in operational, economic and reputational terms alike, and in recent years their strategies have evolved to extract greater profits. Today we look at Nephilim, one of the most successful modern ransomware families, mainly because it targets wealthy companies.

Nephilim often targets exposed Remote Desktop Services and uses public proof-of-concept exploit code to find vulnerable systems. These include CVE-2019-19781 and CVE-2019-11634, known bugs in Citrix gateway devices that received patches in 2020. When unpatched services are found, the exploit code is launched and initial access is obtained, which is why it is so important to keep our systems updated and thereby close off vulnerabilities that can be used against us.

Nephilim has also been seen using third-party tools to collect credentials, including Mimikatz, LaZagne, and NirSoft's NetPass. The stolen credentials are used to reach high-value machines such as servers. Once inside the victim's system, the operators begin dropping and executing the ransomware's components, such as tools for disabling antivirus, exfiltration tools, and eventually Nephilim itself.

This threat is one of the most lucrative ransomware groups: with its focus on organizations with more than $1 billion in turnover, it has the highest median revenue, and it published about 2 TB of data last year. Trend Micro analysts link Nephilim with Nemty, both because of the similarity of the code in its first versions and because its business model, Ransomware as a Service, also resembles Nemty's.

This threat is quite complete, and that is why it is so successful: it has several tools that support the infection process. It uses legitimate tools such as PsExec or Windows Management Instrumentation for lateral movement, batch scripts to end certain processes and services, and even third-party tools like PC Hunter, Process Hacker, and Revo Uninstaller to kill antivirus-related processes, services, and applications. It also uses AdFind, BloodHound or SMBTool to identify Active Directory objects or machines joined to the domain. Without a doubt, this is an extensive list of tools that strengthen the threat.
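The tooling named in the two paragraphs above (credential harvesting, antivirus-killing utilities, Active Directory reconnaissance and PsExec/WMI lateral movement) gives defenders a concrete detection opportunity: each tool shows up as a process-creation event, and seeing more than one stage on the same host within the same telemetry is far more suspicious than any single tool alone. The script below is an added example, not code from the original post or from Trend Micro's analysis. It scans Sysmon-style process-creation events, constructed inline as JSON lines, classifies each into the stage it belongs to, and alerts on hosts where several stages co-occur. The field names (`host`, `image`, `cmdline`), the keyword-to-stage mapping, and the sample events are all assumptions made for the example.

```python
"""Flag the Nephilim-style tooling chain in process-creation telemetry.

Added example (not from the original post). Events are Sysmon-style
process-creation records, one JSON object per line. Field names
host/image/cmdline and the keyword lists below are assumptions.
"""
import json
from collections import defaultdict

# Keywords per attack stage, taken from the tools the post names.
# We match on lowercase substrings of the image basename and command
# line rather than exact file names, because these tools are routinely
# renamed or repackaged (assumed heuristic, tune for your environment).
STAGE_KEYWORDS = {
    "credential_theft": ("mimikatz", "lazagne", "netpass"),
    "av_kill": ("pchunter", "processhacker", "revounin"),
    "ad_recon": ("adfind", "bloodhound", "sharphound", "smbtool"),
    "lateral_movement": ("psexec", "psexesvc"),
}


def classify(event):
    """Return the set of stages a single process-creation event matches."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("cmdline", "").lower()
    haystack = image + " " + cmdline
    hits = {
        stage
        for stage, keywords in STAGE_KEYWORDS.items()
        if any(keyword in haystack for keyword in keywords)
    }
    # WMI is everyday admin tooling; only count it as lateral movement
    # when it addresses a remote node, which is the usage the post describes.
    if image == "wmic.exe" and "/node:" in cmdline:
        hits.add("lateral_movement")
    return hits


def analyze(lines, min_stages=2):
    """Aggregate stage hits per host and return hosts meeting the threshold.

    Returns {host: sorted list of stages seen}. A single hit (e.g. an
    administrator running Process Hacker) stays below the threshold.
    """
    stages_per_host = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the scan
        for stage in classify(event):
            stages_per_host[event.get("host", "unknown")].add(stage)
    return {
        host: sorted(stages)
        for host, stages in stages_per_host.items()
        if len(stages) >= min_stages
    }


# Constructed sample telemetry: one host showing three stages, one host
# with a benign local WMI query, one host with a lone admin tool.
SAMPLE_EVENTS = [
    r'{"host": "SRV-FILE01", "image": "C:\\Windows\\System32\\wmic.exe", "cmdline": "wmic /node:SRV-DB02 process call create cmd"}',
    r'{"host": "SRV-FILE01", "image": "C:\\Users\\Public\\mimikatz.exe", "cmdline": "mimikatz.exe"}',
    r'{"host": "SRV-FILE01", "image": "C:\\Users\\Public\\adfind.exe", "cmdline": "adfind.exe -f (objectcategory=computer)"}',
    r'{"host": "WS-042", "image": "C:\\Windows\\System32\\wmic.exe", "cmdline": "wmic os get caption"}',
    r'{"host": "WS-017", "image": "C:\\Tools\\ProcessHacker.exe", "cmdline": "ProcessHacker.exe"}',
    "not json at all",
]


if __name__ == "__main__":
    for host, stages in analyze(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Run against the constructed sample, only SRV-FILE01 is raised, with credential theft, AD reconnaissance and remote WMI execution all on one host; WS-042's local `wmic` query and WS-017's lone Process Hacker launch fall below the threshold. In production the same logic sits naturally in a SIEM correlation rule keyed on hostname and a time window, and the keyword lists should be extended with the renamed binaries you actually observe.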
