Nefilim is among a new breed of ransomware families that use advanced techniques for a more targeted and virulent attack. It is operated by a group that Trend Micro tracks under the intrusion set “Water Roc”. This group combines advanced techniques with legitimate tools to make them significantly harder to detect and respond before it is too late.This allows them to remain undetected in the system for weeks, navigating across the environment to maximize their damage. Before the attack is even initiated, deep victim profiling is done, allowing them to use victim-specific extortion pricing to tailor the ransom. Along with a new wave of double extortion ransomware families, Nefilim affiliates are particularly vicious when victims don’t immediately pay the ransom, leaking their sensitive data over an extended period of time. They are one of few groups that host leaked victim data long-term, for months to years, using it to deliver a chilling message to future victims.
This article goes in depth using the MITRE ATT&CK framework to show typical Nefilim ransomware operator TTPs (Techniques, Tactics and Procedures) and what the appropriate mitigations are. They often gain initial access through compromising valid accounts of RDP, Citrix, or VPNs, so don’t expose services like RDP to the Internet if possible, and use multi-factor authentication. Have strong password policies, and use a password manager so each account has a unique strong password. Keep software patched to latest versions. Consider blocking the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Have good endpoint detection with EDR and possibly an MDR service such as Binary Defense to monitor for signs of exploitation and lateral movement. Have multiple backups, including offline backups. Have a rigorous Incident Response plan in place to get back up and running quickly in the event of a ransomware incident. For more detailed mitigation advice, refer to the article.