NEFILIM Ransomware Description
The NEFILIM Ransomware is a threat detected in the wild by cybersecurity experts. Ransomware threats are one of the nastiest threats to deal with as a regular user, as these Trojans would sneak into your system, lock down all your data, and demand a payment in return for a software that will help you recover your files. To make matters worse, most users who pay the creators of ransomware threats never receive the decryption key they were promised.
Nefilim first appeared around the end of February. Experts are still unsure as to how it is being distributed, but it is most likely through the use of Remote Desktop Services. Experts also agree that Nefilim appears to share some of the same code as the Nemty 2.5 threat.
The main difference between the two viruses is that Nefilim uses email communications instead of demanding payments through Tor. Nefilim also removes the ransomware-as-a-service (RaaS) model and appears to be a proprietary virus.
Propagation and Encryption
Spam emails are one of the most commonly used infection vectors when it comes to the distribution of ransomware threats. These campaigns usually involve emails that contain a bogus message and a macro-laced attachment, which would infect the target's computer once it is opened. Cybercriminals spreading ransomware threats also tend to rely on malvertising, fake software downloads/updates, torrent trackers, bogus pirated copies of various applications, etc. The NEFILIM Ransomware will wreak havoc once it compromises your system surely. This ransomware threat is likely programmed to apply its encryption algorithm on all files present on your computer. This means that nothing will be spared – images, audio files, documents, archives, spreadsheets, databases, presentations, videos, etc. When the NEFILIM Ransomware is done locking your files, you may notice that this threat has changed their names by appending an additional extension. The NEFILIM Ransomware adds a '. NEFILIM' extension to the names of all the newly locked files. For example, a file named 'blue-blood.mp3' originally will be renamed to 'blue-blood.mp3. NEFILIM.'
The Ransom Note
The NEFILIM Ransomware's ransom message is contained in a file called 'NEFILIM-DECRYPT.txt.' In the ransom note, the attackers claim to have encrypted the user's data with a military-grade encryption algorithm. The creators of the NEFILIM Ransomware provide users with a seven-day deadline to contact them. If the victim does not meet the deadline set, the attackers state that they will begin leaking the user's data online. The authors of the NEFILIM Ransomware ask the user to send them two files, which they will decrypt to prove that they have a working decryption key. The attackers offer three email addresses as a means of communication – ‘firstname.lastname@example.org,' email@example.com' and firstname.lastname@example.org.'
The ransom note reads:
All of your files have been encrypted with military grade algorithms.
We ensure that the only way to retrieve your data is with our software.
We will make sure you retrieve your data swiftly and securely when our demands are met.
Restoration of your data requires a private key which only we possess.
A large amount of your private files have been extracted and is kept in a secure location.
If you do not contact us in seven working days of the breach we will start leaking the data.
After you contact us we will provide you proof that your files have been extracted.
To confirm that our decryption software works email to us 2 files from random computers.
You will receive further instructions after you send us the test files.
This threat wasn’t worth paying much attention to in the past, but times have changed. With all the viral threats out there these days, there’s plenty of evidence that hackers are more than willing to go through with their treats.
We recommend that you keep all the essential information on your computer encrypted and only transfer it using encrypted channels. This helps to prevent data from being stolen or intercepted. You should keep and maintain regular backups of data so you can safely restore files in the event of data loss or a ransomware attack. The more backups you have, the better.
Nefilim encrypts files using the AES-128 encryption algorithm. The encryption key for the files is then encrypted again using an RSA-2048 public key built into the executable file for the ransomware.
The encrypted key is added to files and can only be decrypted with an RSA private key. The threat actors behind the attack keep the only copy of the key. Nefilim also changes the file extension of each file to .NEFILIM. A file called ABC.doc, for example, would become ABC.doc.NEFILIM.
It is advisable to avoid all contact with cybercriminals like the ones responsible for the NEFILIM Ransomware. Cyber crooks keep their promises rarely, and even if you pay the ransom fee demanded, you may never get the decryption key you need to recover your files. Consider downloading and installing a genuine anti-spyware application that will not only remove the NEFILIM Ransomware from your computer securely but also will keep your system and your files safe in the future.