Nefilim: how top ransomware works

Modern ransomware operations are becoming more and more dangerous, carrying out attacks at the level of elite APT groups. In practice they can be even worse, since data encryption, unlike theft alone, halts the victim's operations and causes huge losses. In this post we describe the current ransomware playbook using the example of Nefilim, one of the prominent representatives of this family.


In recent years, ransomware operators have increasingly switched to targeted attacks and APT-style monetization schemes. This is driven not only by the desire to earn more, but also by the fact that potential victims' growing investment in cybersecurity has begun to pay off: breaking in is no longer a simple task.

To make intrusion possible, attackers study the victim in depth before the attack begins. This also lets them estimate much more accurately the range of feasible ransom amounts, and how much it is worth investing in zero-day exploits for local privilege escalation and remote code execution.

Penetration into the system

The principle of the division of labor has found supporters not only in industrial production and fast food. Malware operators also recruit hackers to take control of compromised infrastructure and spread the malware across the network.

Announcement seeking partners for a malicious operation. Source (hereinafter, unless otherwise noted): Trend Micro

Usually the profit is split 20/80 or 30/70: the smaller share goes to the owners, who control the ransomware and negotiate with the victim, and the larger share goes to the group that provides access to the network and carries out the active phase of the attack. Typically the negotiating group receives the entire ransom and then distributes it among the participants responsible for the other stages of the attack.

The main ways of gaining access to a network that are used in ransomware operations:

  • buying compromised accounts – access as a service (AaaS);

  • independent search for vulnerabilities in the victim’s infrastructure and their exploitation;

  • phishing.

In Nefilim attacks, exposed RDP services and public exploits for the Citrix Application Delivery Controller vulnerability CVE-2019-19781 were used to gain initial access. Once inside, the Nefilim attackers downloaded additional tools:

  • Cobalt Strike agent, which is used for remote access and command execution;

  • Process Hacker, used to terminate endpoint security agents;

  • Mimikatz, used to dump credentials.

In one of the analyzed incidents the attackers first tried to install an unsigned Cobalt Strike agent, which was detected by the antivirus running on the server. The failure did not deter them: a few days later they returned to the victim's network with a signed agent, which was detected again.

Notably, to run these tools as an administrator the attackers used an elevation of privilege (EoP) vulnerability in the Windows Component Object Model, CVE-2017-0213, which Microsoft fixed in May 2017. This once again demonstrates the importance of timely patching not only of the critical vulnerabilities that usually get the media attention, but of any vulnerability that could give attackers a foothold in the infrastructure.

The following table lists the initial access methods that we observed during the Nefilim analysis.

Lateral movement and privilege escalation

Once entrenched in the network, attackers look for additional targets to compromise. To avoid detection they rely on tools that are built into the OS or commonly used by administrators, a tactic known as "living off the land".

One of the most popular tools in this category is PsExec, a Sysinternals utility created for legitimate administrative tasks such as running commands on remote servers. Attackers use PsExec to execute, on remote computers, a script containing a list of commands that stop the services and processes holding locks on the files that are about to be encrypted. It runs under credentials collected either during lateral movement or in the phase preceding the ransomware deployment.

Nefilim operators use PsExec to launch taskkill.exe on remote computers, targeting processes that could alert the victim to the attacker's activity. In many cases PsExec was used to stop the Simple Network Management Protocol (SNMP) service and backup services.

The second equally popular tool is Windows PowerShell. In one of the 2020 attacks we observed the attackers using a PowerShell command to load the Cobalt Strike agent: the script called the [Convert]::FromBase64String method to decode the Base64-encoded Cobalt Strike shellcode.

Base64 encoded shellcode in PowerShell script

The third tool used in Nefilim attacks is Mimikatz, a utility from the pentester's arsenal used to dump passwords, hashes, Kerberos tickets and other sensitive information. Once password hashes are obtained, they can be cracked offline with hashcat or John the Ripper and then used for privilege escalation and further malicious activity.
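As an added example (not code from the original post or from Trend Micro), the three behaviours described above, PsExec-driven service stopping, the PowerShell FromBase64String stager and Mimikatz reaching into LSASS, expressed as detection rules over a handful of constructed Sysmon-style events. The event shape, host and process names, the shellcode-like prologue bytes and the allow-list of legitimate LSASS readers are all assumptions made for the demo and would need tuning per environment.

```python
import base64
import ntpath
import re

# Constructed stand-in for a decoded stager: the prologue bytes that common
# x64 position-independent shellcode starts with, then filler. This is NOT
# real shellcode; it only gives the decoder something to recognise.
FAKE_STAGER = b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00" + b"\x00" * 22 + b"wininet\x00"
FAKE_STAGER_B64 = base64.b64encode(FAKE_STAGER).decode()

# Constructed sample events (not real telemetry) in a simplified Sysmon-like
# shape: id 1 = process creation, id 10 = process access.
SAMPLE_EVENTS = [
    {"id": 1, "host": "srv-file01", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c net stop "SNMP" & taskkill /f /im vssvc.exe & taskkill /f /im BackupExec.exe'},
    {"id": 1, "host": "srv-app02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"$s=[Convert]::FromBase64String('"
                + FAKE_STAGER_B64 + "');$m=[Runtime.InteropServices.Marshal]::AllocHGlobal($s.Length)\""},
    {"id": 10, "host": "srv-app02", "source": r"C:\Users\svc_backup\AppData\Local\Temp\mk.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1010"},
    {"id": 1, "host": "ws-015", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

TASKKILL_RE = re.compile(r"taskkill\b[^&|]*?/im\s+\"?([^\s\"&|]+)", re.I)
STOP_RE = re.compile(r"\b(?:net|sc)\s+stop\s+\"?([^\"&|]+?)\"?\s*(?=[&|]|$)", re.I)
B64_ARG_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
SHELLCODE_PROLOGUES = (b"\xfc\x48\x83\xe4\xf0", b"\xfc\xe8")   # x64 / x86 "cld; ..." starts
LSASS_READERS_OK = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}  # illustrative


def rule_psexec_service_kill(ev):
    """Child of the PsExec service stub that stops services or kills processes."""
    if ev["id"] != 1 or ntpath.basename(ev["parent"]).lower() != "psexesvc.exe":
        return None
    targets = TASKKILL_RE.findall(ev["cmdline"]) + STOP_RE.findall(ev["cmdline"])
    if not targets:
        return None
    return {"rule": "psexec_service_kill", "host": ev["host"], "targets": targets}


def rule_powershell_b64_stager(ev):
    """Inline FromBase64String argument that decodes to shellcode-looking bytes."""
    if ev["id"] != 1 or ntpath.basename(ev["image"]).lower() != "powershell.exe":
        return None
    hits = []
    for blob in B64_ARG_RE.findall(ev["cmdline"]):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if raw.startswith(SHELLCODE_PROLOGUES):
            hits.append(len(raw))
    if not hits:
        return None
    return {"rule": "powershell_b64_stager", "host": ev["host"], "payload_sizes": hits}


def rule_lsass_access(ev):
    """Handle to lsass.exe opened by a process outside the usual allow list."""
    if ev["id"] != 10 or ntpath.basename(ev["target"]).lower() != "lsass.exe":
        return None
    src = ntpath.basename(ev["source"])
    if src.lower() in LSASS_READERS_OK:
        return None
    return {"rule": "lsass_access", "host": ev["host"], "source": src}


RULES = (rule_psexec_service_kill, rule_powershell_b64_stager, rule_lsass_access)


def analyze(events):
    """Run every rule over every event and return the list of alerts."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The stager rule decodes the argument rather than matching on the string FromBase64String alone, because administrators' scripts use that method too; the prologue check is what separates a stager from a harmless blob. The PsExec rule keys on the parent process PSEXESVC.exe, which is how PsExec's remote side shows up regardless of what the attacker renames the client binary to.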

Interaction with C&C servers and data theft

Nefilim uses the DNS, HTTP and HTTPS protocols to communicate with its command-and-control servers. The operators deploy Cobalt Strike agents at strategic points in the network, mainly on servers. DNS offers the most stealth but is extremely slow for transferring files, so in some cases the attackers used the MegaSync client of the MEGA cloud storage service to exfiltrate data and, where the environment allowed, agents speaking HTTP/HTTPS. In the spring of 2020 Nefilim operators also deployed an FTP server through which they leak their victims' data. The operators themselves connect to the Cobalt Strike team server that controls the agents on port 50050/TCP.

Screenshot of the Cobalt Strike control interface.  Source:
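As an added example, not code from the original post, two network-side checks for the C2 and exfiltration channels described above, run over a constructed DNS query log: a (client, domain) pair that issues many lookups for distinct, random-looking subdomains, which is what Cobalt Strike's DNS beacon produces, and lookups of the MEGA service named as an exfiltration channel. The attacker domain cdn-updates.example, the client addresses and the generated labels are made up; the apex-domain heuristic (last two labels) and the thresholds are assumptions to tune locally.

```python
import hashlib
import math
from collections import defaultdict

# Constructed DNS query log as (client, qname) pairs; not real traffic. The
# attacker apex is made up, and the beacon-like names are generated
# deterministically so the sample is reproducible.
BEACON_APEX = "cdn-updates.example"


def _fake_beacon_names(count):
    return [hashlib.sha1(str(i).encode()).hexdigest()[:12] + ".api." + BEACON_APEX
            for i in range(count)]


DNS_LOG = (
    [("10.0.5.21", q) for q in _fake_beacon_names(40)]
    + [("10.0.5.21", "g.mega.co.nz"), ("10.0.5.21", "www.microsoft.com")]
    + [("10.0.5.33", "www.microsoft.com"), ("10.0.5.33", "login.microsoftonline.com")]
)

# File-sharing services to watch (MEGA is the one named in the text); extend per environment.
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "mega.co.nz")


def shannon_entropy(s):
    """Bits per character of the string: about 4.0 for random hex, about 2 for words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def apex(qname):
    """Registrable domain approximated as the last two labels (assumption:
    no public-suffix list, so co.uk-style names are grouped too coarsely)."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_dns_beacons(log, min_unique=25, min_entropy=3.5):
    """Flag (client, apex) pairs with many distinct subdomains whose leftmost
    labels look random: the shape of data tunnelled through DNS."""
    subs = defaultdict(set)
    for client, qname in log:
        q = qname.lower().rstrip(".")
        a = apex(q)
        if q != a and q.endswith("." + a):
            subs[(client, a)].add(q[: -len(a) - 1])
    alerts = []
    for (client, a), names in sorted(subs.items()):
        ent = shannon_entropy("".join(n.split(".")[0] for n in names))
        if len(names) >= min_unique and ent >= min_entropy:
            alerts.append({"rule": "dns_beacon", "client": client, "apex": a,
                           "unique": len(names), "entropy": round(ent, 2)})
    return alerts


def find_cloud_storage(log):
    """Flag lookups of known file-sharing services that can carry exfiltrated data."""
    seen = set()
    for client, qname in log:
        q = qname.lower().rstrip(".")
        if any(q == s or q.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES):
            seen.add((client, q))
    return [{"rule": "cloud_storage_dns", "client": c, "qname": q}
            for c, q in sorted(seen)]


if __name__ == "__main__":
    for alert in find_dns_beacons(DNS_LOG) + find_cloud_storage(DNS_LOG):
        print(alert)
```

The entropy is computed over the concatenation of all leftmost labels for the pair rather than per label, so short labels do not drag the score down and a long-running beacon stands out more clearly the longer it runs. A cloud-storage lookup on its own is weak evidence; it becomes interesting when it comes from a server that has no business syncing files, as in the cases the text describes.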

Nefilim operators use at least three different types of bulletproof hosting to host their servers:

  • servers on the Tor network;

  • fast-flux hosting, for example the clear-web site corpleaks[.]net, where the criminals publish information stolen from victims;

  • offshore bulletproof hosting.

Payload

The first Nefilim sample found had a compilation date of March 10, 2020; it was written in plain C/C++ using the Windows API, compiled for 32-bit architecture, and signed with a valid Sectigo certificate. It did not use crypters or packers.

When launched, the malware decrypts the ransom note using a fixed RC4 key. The note contains three e-mail addresses through which the victim can discuss payment of the ransom.

Nefilim ransom note

Notably, the note is decrypted with functions from the Microsoft CryptoAPI, which Microsoft deprecated several years ago:

  • CryptAcquireContextA

  • CryptCreateHash

  • CryptHashData

  • CryptDeriveKey

Fragment of the ransom-note decryption code. At the beginning of the fragment, via the sub_402166 call, a mutex is created whose name is taken from a popular contemporary Russian-language rap track

If any of these functions fails, the ransomware exits without encrypting anything. Note that although these CryptoAPI functions are deprecated, they still work on current versions of Windows, including Windows 10.
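When writing a configuration extractor for a sample like this, the analyst has to reproduce what the CryptAcquireContext / CryptCreateHash / CryptHashData / CryptDeriveKey chain actually computes. The following is an added example, not code from the original post or from the sample: a stdlib-only reimplementation of CryptDeriveKey's RC4 path together with RC4 itself, applied to a constructed note. The hash algorithm (MD5), the 128-bit key length, the base string and the note text are assumptions; the real sample's values are not given on this page.

```python
import hashlib
import re


def crypt_derive_key(hash_name: str, base_data: bytes, key_len: int) -> bytes:
    """CryptDeriveKey as documented for RC4 and the other non-3DES/AES algorithms:
    the key is the first key_len bytes of the completed hash. CryptAcquireContext,
    CryptCreateHash and CryptHashData in the binary only build that hash. (For 3DES
    and AES keys derived from a non-SHA-2 hash, CryptDeriveKey instead runs an
    extra 0x36/0x5C expansion step that is not needed here.)"""
    digest = hashlib.new(hash_name, base_data).digest()
    if key_len > len(digest):
        raise ValueError("CryptDeriveKey would fail: hash shorter than requested key")
    return digest[:key_len]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key schedule + keystream); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Demo parameters (assumptions, not taken from the sample): MD5 as the
# CryptCreateHash algorithm, a 128-bit RC4 key, and a made-up base string.
BASE_DATA = b"example-base-data"
NOTE_KEY = crypt_derive_key("md5", BASE_DATA, 16)

# Constructed stand-in for the embedded note, encrypted here so that the example
# is self-contained instead of carrying bytes from a real sample.
NOTE_PLAINTEXT = (b"Your files have been encrypted.\r\n"
                  b"Contact: one@example.invalid, two@example.invalid, three@example.invalid\r\n")
ENCRYPTED_NOTE = rc4(NOTE_KEY, NOTE_PLAINTEXT)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def decrypt_note(blob: bytes, key: bytes) -> str:
    """Decrypt an embedded note. With a wrong key the output is random bytes,
    so the strict ASCII decode makes the failure visible instead of silent."""
    return rc4(key, blob).decode("ascii")


def contact_emails(note: str) -> list:
    """Pull the operator contact addresses out of a decrypted note."""
    return EMAIL_RE.findall(note)


if __name__ == "__main__":
    note = decrypt_note(ENCRYPTED_NOTE, NOTE_KEY)
    print(note)
    print(contact_emails(note))
```

The practical point is the first function: because the RC4 path of CryptDeriveKey is just a truncated hash, recovering the bytes fed to CryptHashData from the disassembly is enough to regenerate the key outside the sample, which is why the note (and anything else protected the same way) can be decrypted statically.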

Encrypting files

When run without arguments, the Nefilim executable prepares to encrypt all writable logical drives, including A:, B:, C: and D:. Network shares are also encrypted if they are mapped to a drive letter.

For each logical drive, Nefilim decrypts and writes a ransom note named "NEFILIMDECRYPT.txt" to the root of the drive and creates a thread to encrypt the entire contents of the drive.

Before encrypting a file, Nefilim checks it against its list of excluded file and directory names, so as not to render the OS unusable:

List of excluded files

The encryption function is the longest in the Nefilim code. The encryption algorithm is as follows:

  1. Two 128-bit random numbers are generated with RtlGenRandom, which ADVAPI32.DLL exports only under the name SystemFunction036; since there is no import library for it, LoadLibrary and GetProcAddress are used to resolve it. The second number later serves as the AES-128 key.

  2. Both numbers are encrypted with the attackers' public RSA key and the result is written to the end of the target file.

  3. An ASCII string with the name of the malware variant is written to the end of the target file.

  4. The contents of the file are read into a buffer.

  5. The buffer is encrypted with AES-128, using the second random number as the key.

  6. The contents of the buffer are written to the target file, replacing the original contents.

  7. The generated random numbers and the encrypted keys are wiped from memory.

  8. The name of the malware variant is added to the file name as an extension.

  9. The executable deletes itself three seconds after encryption completes, using the command cmd.exe /c timeout /t 3 /nobreak && del /s /f.

    Dynamically loading RtlGenRandom (SystemFunction036)
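The nine steps above are a standard hybrid scheme: a fresh symmetric key per file, wrapped with the operators' public RSA key and stored in a trailer after the ciphertext, so that only the holder of the private key can recover it. The following added example (not code from the original post or from the sample) runs those steps in memory on a constructed buffer and then parses the trailer back out, which is what a decryptor or a triage script has to do. It assumes a toy RSA key pair built from two Mersenne primes with no padding, a SHA-256 counter-mode keystream standing in for AES-128 so that it runs on the standard library alone, one RSA blob per random value, and the marker string NEFILIM; none of these are the sample's real parameters and the toy RSA is not safe for anything but illustration.

```python
import hashlib
import os

# Toy RSA key pair. Assumptions: this is NOT the operators' key, and it is
# textbook RSA with no padding, kept only so the example runs on the standard
# library. A real decryptor would use the recovered private key with a proper
# crypto library.
P = (1 << 89) - 1                      # Mersenne primes M89 and M107
Q = (1 << 107) - 1
N = P * Q                              # about 196 bits, wide enough for a 128-bit value
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held only by the operators
BLOB_LEN = (N.bit_length() + 7) // 8   # 25 bytes per RSA-wrapped value


def rsa_wrap(value16: bytes) -> bytes:
    """Step 2: encrypt a 128-bit value with the public key (E, N)."""
    return pow(int.from_bytes(value16, "big"), E, N).to_bytes(BLOB_LEN, "big")


def rsa_unwrap(blob: bytes, d: int) -> bytes:
    """Inverse of rsa_wrap; only the holder of d can do this."""
    m = pow(int.from_bytes(blob, "big"), d, N)
    if m >= 1 << 128:
        raise ValueError("private key does not match: unwrapped value is not 128-bit")
    return m.to_bytes(16, "big")


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-128 (assumption, to stay stdlib-only): SHA-256 in
    counter mode as a keystream. The same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt_file(plaintext: bytes, variant: str):
    """Steps 1-8 of the scheme, in memory: returns (file bytes, new extension)."""
    r1, r2 = os.urandom(16), os.urandom(16)          # step 1 (RtlGenRandom in the sample)
    trailer = rsa_wrap(r1) + rsa_wrap(r2) + variant.encode("ascii")   # steps 2-3
    body = stream_xor(r2, plaintext)                  # steps 4-6, r2 is the file key
    # step 7 (wiping r1 and r2) has no meaningful equivalent in Python
    return body + trailer, "." + variant              # step 8: variant name as extension


def parse_trailer(data: bytes, variant: str):
    """Split an encrypted file into (ciphertext body, wrapped r1, wrapped r2)."""
    marker = variant.encode("ascii")
    if not data.endswith(marker):
        raise ValueError("no variant marker at end of file")
    cut = len(data) - len(marker) - 2 * BLOB_LEN
    if cut < 0:
        raise ValueError("file too short to hold the key trailer")
    return data[:cut], data[cut:cut + BLOB_LEN], data[cut + BLOB_LEN:cut + 2 * BLOB_LEN]


def decrypt_file(data: bytes, variant: str, d: int) -> bytes:
    """What a decryptor needs: the trailer and the operators' private exponent."""
    body, _wrapped_r1, wrapped_r2 = parse_trailer(data, variant)
    return stream_xor(rsa_unwrap(wrapped_r2, d), body)


if __name__ == "__main__":
    sample = b"Q3 payroll, constructed test content. " * 10
    blob, ext = encrypt_file(sample, "NEFILIM")
    print(ext, len(blob), decrypt_file(blob, "NEFILIM", D) == sample)
```

Two things the layout makes concrete. First, the trailer is the only place the per-file key exists once step 7 has run, so an encrypted file with a damaged trailer is unrecoverable even for the operators. Second, nothing in the file depends on a master symmetric key: memory forensics on a still-running sample can at best recover the keys of the files being processed at that moment, not of those already finished.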

Features of the Nefilim ransomware family

Examining Nefilim gives a good picture of how modern ransomware operates:

  • Nefilim gets into the network through weak passwords on exposed RDP services or through other exposed HTTP services;

  • once inside the victim's environment, the attackers behave like the authors of bespoke targeted attacks, performing every operation by hand: they roam the network looking for important systems and confidential data to steal and encrypt, while using common administration tools to avoid detection by automated defenses, the "living off the land" technique;

  • the attackers install Cobalt Strike remote access agents on the network; these use protocols that pass through firewalls, such as DNS, HTTP or HTTPS, and the control servers the agents talk to are hosted on bulletproof hosting;

  • as soon as the criminals find data worth stealing, they begin exfiltrating it via external hosting services (MEGA in the cases described above); the stolen data can be published on websites hidden behind Tor services and fast-flux networks and is used at a later stage of the extortion;

  • once the data has been exfiltrated, the ransomware is launched; it uses strong cryptography that rules out decryption by the victim without the attackers' private key;

  • Nefilim’s operators target large multi-billion dollar companies located around the world.


The gigantic ransoms paid by victims are fueling explosive growth of the malware industry. To stop this dangerous process, companies should focus on the basic security measures repeated in every publication on the subject:

  • timely patching of servers, workstations and network equipment;

  • implementation of the principles of zero trust and least privilege;

  • security awareness training for employees;

  • use of XDR solutions with AI-based detection for timely detection and blocking of incidents.
