This is how Nefilim works, the ransomware that attacks the rich
Ransomware attacks are among the most damaging threats to organizations in operational, economic and reputational terms, and in recent years their strategies have evolved to obtain greater profits. Nefilim, one of the most successful modern families, is a case in point: it mainly targets organizations with a turnover of more than $1 billion.
Ransomware is a type of cyber threat that infects a computer or network, encrypts it and steals the information it contains, then demands a payment, usually in cryptocurrency, in exchange for release. But modern attacks are selective, adaptive and stealthy, using approaches already tested and refined by advanced persistent threat (APT) groups, as Trend Micro warns.
Thus the actors behind modern ransomware, such as those behind Nefilim, carry out lateral movement in the manner of APT actors in order to find the important systems on the victim's network, which are the ones most likely to hold sensitive data to steal and encrypt.
They also practise so-called double extortion: they threaten to leak sensitive data stolen beforehand, before deploying the ransomware in the compromised networks, as Trend Micro reports in the results of its study of modern ransomware, the techniques it uses and the type of organizations it targets.
The company highlights the existence of different groups of cybercriminals in charge of the different phases of the attacks. "This is the by-product of a recent evolution in cybercriminals' business operations: hackers are now partnering with ransomware actors to monetize hacking-related breaches," they explain.
They also turn to legitimate tools such as AdFind, Cobalt Strike, Mimikatz, Process Hacker, PsExec and MegaSync to achieve their end goal while remaining hidden. As Trend Micro points out, this makes it difficult for security operations center (SOC) analysts, who examine event logs from different parts of the environment, to see the big picture and detect the attack.
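As an added illustration of that SOC problem (this is not code from the article or from Trend Micro), the following Python script reads constructed process-creation log lines, tags the tools the report names with the attack phase each typically serves, and shows why each host's log examined on its own looks unremarkable while a cross-host view over one time window surfaces the whole chain. The hostnames, image paths, timestamps and phase mapping are assumptions made for the example.

```python
"""Correlate living-off-the-land tool usage across hosts (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tools named in the Trend Micro report, mapped to the phase they usually serve.
# Image file names are assumptions; real deployments often rename binaries.
TOOL_PHASES = {
    "adfind.exe": "discovery",
    "mimikatz.exe": "credential-access",
    "processhacker.exe": "defense-evasion",
    "psexec.exe": "lateral-movement",
    "megasync.exe": "exfiltration",
}

# Constructed process-creation events: "<ISO timestamp> <host> <user> <image path>".
SAMPLE_LOG = """\
2021-01-10T09:01:00 WS-17 corp\\jdoe C:\\Windows\\System32\\svchost.exe
2021-01-10T09:05:12 WS-17 corp\\jdoe C:\\Users\\jdoe\\AppData\\Local\\Temp\\adfind.exe
2021-01-10T09:40:33 WS-17 corp\\jdoe C:\\Temp\\ProcessHacker.exe
2021-01-10T10:02:07 DC-01 corp\\admin C:\\Windows\\Temp\\PsExec.exe
2021-01-10T10:03:45 DC-01 corp\\admin C:\\Windows\\Temp\\mimikatz.exe
2021-01-10T11:30:00 FS-02 corp\\admin C:\\Program Files\\MEGAsync\\MEGAsync.exe
2021-01-12T14:00:00 WS-03 corp\\asmith C:\\Program Files\\MEGAsync\\MEGAsync.exe
"""


def parse_events(text):
    """Return (timestamp, host, user, image basename) tuples; paths may contain spaces."""
    events = []
    for line in text.splitlines():
        ts, host, user, image = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, user, image.rsplit("\\", 1)[-1].lower()))
    return events


def per_host_phases(events):
    """The view an analyst gets when each host's log is examined in isolation."""
    seen = defaultdict(set)
    for _, host, _, image in events:
        if image in TOOL_PHASES:
            seen[host].add(TOOL_PHASES[image])
    return {host: sorted(phases) for host, phases in seen.items()}


def correlate(events, window=timedelta(hours=24), min_phases=3):
    """Cross-host view: slide a window over tool executions anywhere on the network and
    return the first window showing at least min_phases distinct phases, else None."""
    tools = sorted(e for e in events if e[3] in TOOL_PHASES)
    for i, (start, _, _, _) in enumerate(tools):
        cluster = [e for e in tools[i:] if e[0] - start <= window]
        phases = {TOOL_PHASES[e[3]] for e in cluster}
        if len(phases) >= min_phases:
            return {"start": start, "end": cluster[-1][0],
                    "hosts": sorted({e[1] for e in cluster}), "phases": sorted(phases)}
    return None
```

With the sample data no single host shows more than two phases, but the 24-hour cross-host window ties WS-17, DC-01 and FS-02 together across all five.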
The study covers a total of 16 modern malware groups analyzed between March 2020 and January 2021, among which Conti, DoppelPaymer, Egregor and REvil led in the number of exposed victims, while Cl0p had the largest amount of stolen data hosted online, at 5 TB.
Nefilim is one of the most lucrative ransomware groups: with its focus on organizations with more than $1 billion in turnover, it has the highest median revenue, and it published about 2 TB of data last year.
Trend Micro analysts link Nefilim to Nemty, both because of the similarity of the first versions of its code and because its business model, ransomware-as-a-service, also resembles Nemty's.
The actors behind Nefilim take advantage of exposed remote desktop services and publicly available exploits to gain access to corporate networks, where they begin downloading tools. Among them are the Cobalt Strike adversary-emulation framework, which implants beacons through which they establish a remote connection and run commands; Process Hacker, which replaces the Windows Task Manager and is used to control processes and disable security software such as antivirus; and Mimikatz, used to steal credentials.
To run some tools as an administrator, the actors exploited a Component Object Model elevation-of-privilege vulnerability (CVE-2017-0213) that had been discovered and patched in 2017 but had not been fixed on the affected machines.
The security company stresses the importance of installing security updates and patches, which serve as a containment barrier for organizations' systems against known and unknown vulnerabilities, but it also points to virtual private network (VPN) services exposed to untrusted networks as a risk.
Intrusion prevention systems add a further layer of access security in a computer network, protecting against potential vulnerabilities and buying time until a patch is available.
Trend Micro recommends that organizations conduct periodic scans of systems, hardware and programs, which can help uncover potential entry points into the network, and that they implement least-privilege administrative models and robust authentication systems such as those that employ multiple factors.