A new ransomware named Nefilim has been discovered and appears to have been active since February 2020. Nefilim shares much of its code with the Nemty ransomware, but it drops the ransomware-as-a-service component and uses email communications for payment instead of the usual Tor payment sites. It isn't known whether this is a new tactic by the Nemty operators or whether someone else copied the source code to release a new version. The ransom note threatens that the threat actors will release stolen data if they do not receive payment. It is not yet known how Nefilim is spread, but researchers suspect that threat actors are breaking in through remote desktop servers by stealing or guessing employee passwords to log in to remote access accounts, and then installing the ransomware.
By: Dan McNemar It is not a new concept that criminals use the Darknet to