Nefilim
Nefilim is a ransomware family and ransomware operation, also spelled "Nephilim," that emerged in March 2020 and is described as a successor to the Nemty ransomware family.
Profile source: Mallory opens in a new tabNefilim
Family profile
Nefilim is a ransomware family and ransomware operation, also spelled "Nephilim," that emerged in March 2020 and is described as a successor to the Nemty ransomware family. It operated as an affiliate-based ransomware scheme in which administrators provided affiliates with the malware and supporting resources in exchange for a share of ransom proceeds; multiple reports in the content state affiliates paid or surrendered 20% of ransom revenue to the administrators. The malware was used to encrypt victim networks worldwide and was paired with double-extortion tactics: operators stole data, encrypted systems, and threatened to publish stolen information on "Corporate Leaks" sites if victims did not pay. The operation generated customized ransomware executables, unique decryption keys, and tailored ransom notes for each victim. Reported targeting focused on large, high-revenue corporate victims, especially companies in the United States, Canada, and Australia, with references to thresholds above $100 million and later above $200 million in annual revenue. Victim industries mentioned in the content include aviation, engineering, chemicals, eyewear, insurance, construction, energy/oil and gas transportation, and pet care, with additional victims in the U.S., Germany, the Netherlands, Norway, Switzerland, France, and other countries. The content also notes Nefilim’s use in attacks causing millions of dollars in ransom and recovery losses. Operationally, Nefilim has been associated with fast-flux infrastructure, and Mandiant research cited process kill lists deployed alongside Nefilim samples. Trend Micro reporting in the content states Nefilim drops MegaSync into its normal file path under its normal name, consistent with data-exfiltration support tooling. The content links the operation to Ukrainian national Volodymyr Viktorovich Tymoshchuk, identified in charging documents as an administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations and currently at large, and to affiliate Artem Aleksandrovych Stryzhak, who pleaded guilty to deploying Nefilim against corporate networks after receiving access to the ransomware code in June 2021.
Ransomware.live
Operational record
MITRE ATT&CK
Nefilim in ATT&CK
6 distinct techniquesReporting
Research mentioning Nefilim
From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware
security researcher 3xp0rt mentioned that “salfetka” is linked to the aliases "rinc" and "farnetwork" which is tied to the Nokoyawa, JSWORM, Nefilim, Karma and Nemty ransomware operations.
Black Basta boss makes it onto Interpol's 'Red Notice' list
Related Articles: ... Ukrainian hacker admits affiliate role in Nefilim ransomware gang
security-affairs-newsletter-round-556-by-pierluigi-paganini-international-edition
Ukrainian hacker pleads guilty to Nefilim Ransomware attacks in U.S.
CTO at NCSC Summary: week ending December 28th
"...conspired with others to deploy the Nefilim ransomware against victim computer networks..."
Breach Roundup: Spotify Metadata Dumped Online
Stryzhak admitted to conspiring to commit computer fraud by deploying Nefilim ransomware against corporate networks and demanding ransom payments, U.S. Department of Justice said Friday. Also spelled "Nephilim," the group emerged in March 2020.
Breach Roundup: Spotify Metadata Dumped Online
Stryzhak admitted to conspiring to commit computer fraud by deploying Nefilim ransomware against corporate networks and demanding ransom payments, U.S. Department of Justice said Friday. Also spelled "Nephilim," the group emerged in March 2020.
INTERPOL Arrests 574 in Africa; Ukrainian Ransomware Affiliate Pleads Guilty
In June 2021, Nefilim administrators gave Stryzhak access to the Nefilim ransomware code in exchange for 20 percent of his ransom proceeds. Stryzhak and others researched potential victims after gaining unauthorized access to their networks, including by using online databases to obtain information about the companies' net worth, size, and contact information.
Ukrainian National Pleads Guilty in Nefilim Ransomware Conspiracy
A Ukrainian national has pleaded guilty in federal court in Brooklyn to conspiracy to commit computer fraud in connection with the deployment of the Nefilim ransomware against corporate computer networks in the United States and other countries.