Skip to content
Ransomware group

Nefilim

Nefilim is a ransomware family and ransomware operation, also spelled "Nephilim," that emerged in March 2020 and is described as a successor to the Nemty ransomware family.

Profile source: Mallory opens in a new tab

Nefilim

Family profile

Nefilim is a ransomware family and ransomware operation, also spelled "Nephilim," that emerged in March 2020 and is described as a successor to the Nemty ransomware family. It operated as an affiliate-based ransomware scheme in which administrators provided affiliates with the malware and supporting resources in exchange for a share of ransom proceeds; multiple reports in the content state affiliates paid or surrendered 20% of ransom revenue to the administrators. The malware was used to encrypt victim networks worldwide and was paired with double-extortion tactics: operators stole data, encrypted systems, and threatened to publish stolen information on "Corporate Leaks" sites if victims did not pay. The operation generated customized ransomware executables, unique decryption keys, and tailored ransom notes for each victim. Reported targeting focused on large, high-revenue corporate victims, especially companies in the United States, Canada, and Australia, with references to thresholds above $100 million and later above $200 million in annual revenue. Victim industries mentioned in the content include aviation, engineering, chemicals, eyewear, insurance, construction, energy/oil and gas transportation, and pet care, with additional victims in the U.S., Germany, the Netherlands, Norway, Switzerland, France, and other countries. The content also notes Nefilim’s use in attacks causing millions of dollars in ransom and recovery losses. Operationally, Nefilim has been associated with fast-flux infrastructure, and Mandiant research cited process kill lists deployed alongside Nefilim samples. Trend Micro reporting in the content states Nefilim drops MegaSync into its normal file path under its normal name, consistent with data-exfiltration support tooling. The content links the operation to Ukrainian national Volodymyr Viktorovich Tymoshchuk, identified in charging documents as an administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations and currently at large, and to affiliate Artem Aleksandrovych Stryzhak, who pleaded guilty to deploying Nefilim against corporate networks after receiving access to the ransomware code in June 2021.

Ransomware.live

Operational record

View group record ↗

MITRE ATT&CK

Nefilim in ATT&CK

6 distinct techniques

Reporting

Research mentioning Nefilim

Jun 17
Acronis

From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware

security researcher 3xp0rt mentioned that “salfetka” is linked to the aliases "rinc" and "farnetwork" which is tied to the Nokoyawa, JSWORM, Nefilim, Karma and Nemty ransomware operations.

Jan 16
Bleeping Computer

Black Basta boss makes it onto Interpol's 'Red Notice' list

Related Articles: ... Ukrainian hacker admits affiliate role in Nefilim ransomware gang

Dec 28
Security Affairs

security-affairs-newsletter-round-556-by-pierluigi-paganini-international-edition

Ukrainian hacker pleads guilty to Nefilim Ransomware attacks in U.S.

Dec 27
Ctoatncsc Substack

CTO at NCSC Summary: week ending December 28th

"...conspired with others to deploy the Nefilim ransomware against victim computer networks..."

Dec 25
Bank Info Security

Breach Roundup: Spotify Metadata Dumped Online

Stryzhak admitted to conspiring to commit computer fraud by deploying Nefilim ransomware against corporate networks and demanding ransom payments, U.S. Department of Justice said Friday. Also spelled "Nephilim," the group emerged in March 2020.

Dec 25
Govinfosecurity

Breach Roundup: Spotify Metadata Dumped Online

Stryzhak admitted to conspiring to commit computer fraud by deploying Nefilim ransomware against corporate networks and demanding ransom payments, U.S. Department of Justice said Friday. Also spelled "Nephilim," the group emerged in March 2020.

Dec 23
The Hacker News

INTERPOL Arrests 574 in Africa; Ukrainian Ransomware Affiliate Pleads Guilty

In June 2021, Nefilim administrators gave Stryzhak access to the Nefilim ransomware code in exchange for 20 percent of his ransom proceeds. Stryzhak and others researched potential victims after gaining unauthorized access to their networks, including by using online databases to obtain information about the companies' net worth, size, and contact information.

Dec 22
Hackread

Ukrainian National Pleads Guilty in Nefilim Ransomware Conspiracy

A Ukrainian national has pleaded guilty in federal court in Brooklyn to conspiracy to commit computer fraud in connection with the deployment of the Nefilim ransomware against corporate computer networks in the United States and other countries.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.