The computer virus that only robs the rich: Nefilim ransomware


When it comes to cyberattacks and hacking, it is clear that no one is safe: anyone can have their computer, mobile phone or other device hacked, whether they are rich or poor, laborer or count. But some criminals prefer to attack in a big way and go for the most succulent loot, like those behind the Nefilim ransomware group.

Ransomware, the malware of choice

Ransomware is a type of malware that infects a computer or a network, encrypts the data it holds (and, increasingly, steals a copy first) and demands payment, usually in cryptocurrency, in exchange for its release. Modern attacks are selective, adaptive and stealthy, using approaches that have already been tested and refined by advanced persistent threat (APT) groups.

According to a report from cybersecurity experts at Trend Micro, modern ransomware actors identify and target valuable data, often exfiltrating it from the victim's network rather than simply encrypting it. This gives them a second avenue of extortion: if the victim does not pay the ransom, the attacker threatens to make the private data public. For companies holding intellectual property, proprietary information, private employee data and customer data, this is a serious concern.

Because in their sector, "any data breach will lead to regulatory penalties, lawsuits and reputational damage."

The Double Extortion

This tactic is called 'double extortion', because the attackers threaten to leak the sensitive data they have stolen before deploying the ransomware on the compromised networks, as Trend Micro reports in the results of its study of modern ransomware, the techniques it uses and the type of organizations it targets. According to the report, an attack is no longer usually the work of a single person or group: different groups of cybercriminals are responsible for the different phases.


"This is the by-product of a recent evolution in cybercriminals' business operations: 'hackers' are now partnering with 'ransomware' actors to monetize hacking-related breaches," they explain.

Trend Micro focused on 16 modern ransomware groups, analyzed between March 2020 and January 2021. Of these, Conti, DoppelPaymer, Egregor and REvil led in the number of exposed victims, and Cl0p hosted the largest amount of stolen data online, 5 TB.

Nefilim, the billion-dollar malware

Nefilim is one of the most lucrative ransomware groups: by focusing on organizations with more than $1 billion in turnover, it is the group whose victims have the highest average revenue in the study, and it published about 2 TB of stolen data last year. Trend Micro analysts link Nefilim to Nemty, both because of the similarity between the code of its first versions and Nemty's, and because its business model, ransomware-as-a-service (RaaS), also resembles Nemty's.

To gain initial access to victims' networks, Nefilim actors use exposed RDP services and publicly available exploits. They have exploited a vulnerability in the Citrix Application Delivery Controller (CVE-2019-19781) and an elevation-of-privilege (EoP) vulnerability in the Windows Component Object Model (COM) discovered by Google Project Zero, which Microsoft fixed in May 2017. Both flaws had fixes available before Nefilim's activity was observed, so the exposure comes from unpatched, Internet-facing systems rather than from zero-days.
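The Citrix ADC flaw mentioned above was exploited by reaching the appliance's /vpns/ tree through a '/../' path traversal, which is the pattern the vendor's interim responder-policy mitigation matched on. As an added example that is not part of the original article or the Trend Micro report, the following Python script scans constructed access-log lines for that pattern, percent-decoding each path first so that encoded and double-encoded traversals are not missed. The log format, the request paths and the IP addresses are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log records (not real traffic), one per line:
# client_ip method raw_request_path status
SAMPLE_LOG = """\
10.0.0.5 GET /vpn/index.html 200
10.0.0.6 GET /logon/LogonPoint/index.html 200
203.0.113.7 GET /vpn/../vpns/cfg/smb.conf 200
203.0.113.7 POST /vpn/../vpns/portal/scripts/ 200
198.51.100.9 GET /vpn/%2e%2e/vpns/cfg/smb.conf 200
198.51.100.9 GET /vpn/%252e%252e/vpns/cfg/smb.conf 200
10.0.0.8 GET /vpns/cfg/smb.conf 403
"""

TRAVERSAL = re.compile(r"/\.\./")

def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2e%2e and double-encoded %252e%252e both
    collapse to '..' before matching, as the appliance would decode them."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal_to_vpns(raw_path: str) -> bool:
    """True when the request reaches the /vpns/ tree through '/../', the pattern
    the vendor's interim responder policy for CVE-2019-19781 matched on."""
    path = normalize_path(raw_path)
    return "/vpns/" in path and TRAVERSAL.search(path) is not None

def scan_log(text: str) -> list:
    """Return one dict per suspicious request, carrying the decoded path."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue            # skip blank or malformed lines
        ip, method, raw_path, status = parts
        if is_traversal_to_vpns(raw_path):
            hits.append({"ip": ip, "method": method,
                         "path": normalize_path(raw_path), "status": int(status)})
    return hits

def attacker_ips(text: str) -> set:
    """Source addresses that sent at least one traversal request."""
    return {hit["ip"] for hit in scan_log(text)}

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']:14} {hit['method']:4} {hit['path']} -> {hit['status']}")
    print("sources:", sorted(attacker_ips(SAMPLE_LOG)))
```

The last sample line, a direct request to /vpns/ without a traversal, is deliberately not flagged: authenticated VPN sessions legitimately reach that tree, and an access log alone does not say whether the client held such a session, so matching on the path alone would drown the real hits in noise.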

After gaining initial access, the Nefilim attackers begin by downloading additional tools with a web browser. A notable download is a Cobalt Strike beacon, which is used to establish a remote connection into the environment and execute commands. (Cobalt Strike is a post-exploitation tool that lets security testers emulate an attacker on the network, control compromised systems and exfiltrate interesting data; those same capabilities are routinely misused by real attackers.)


Other downloaded files include Process Hacker, which is used to terminate endpoint security agents, and Mimikatz, which is used to dump credentials.

Once they have a foothold in the network, the attackers move laterally, which means that "they will use a compromised system to find other areas that they can access." To avoid detection, they weaponize tools that are built into Windows or commonly used by administrators, a tactic known as "living off the land".
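The tool drops, agent termination, credential dumping and living-off-the-land lateral movement described in the three paragraphs above all leave process-creation telemetry behind. As an added example, not code from the article or from the Trend Micro report, the following Python code applies a handful of illustrative rules to constructed Sysmon-style events and escalates a host only when several distinct stages of that chain appear on it. The event fields, hostnames, the placeholder agent name EdrAgent.exe, the rule set and the escalation threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass
class ProcEvent:
    """One process-creation record, Sysmon event ID 1 / Windows 4688 style (fields assumed)."""
    host: str
    user: str
    parent: str
    image: str
    cmdline: str

# Constructed sample events, not real telemetry. WS01 shows the chain the article
# describes: tool drop from a browser, agent kill, credential dump, remote execution.
EVENTS = [
    ProcEvent("WS01", "CORP\\alice", "explorer.exe", "C:\\Windows\\System32\\notepad.exe",
              "notepad.exe report.txt"),
    ProcEvent("WS01", "CORP\\alice", "chrome.exe", "C:\\Users\\alice\\Downloads\\ProcessHacker.exe",
              "ProcessHacker.exe"),
    ProcEvent("WS01", "NT AUTHORITY\\SYSTEM", "cmd.exe", "C:\\Windows\\System32\\taskkill.exe",
              "taskkill /F /IM EdrAgent.exe"),
    ProcEvent("WS01", "NT AUTHORITY\\SYSTEM", "cmd.exe", "C:\\Temp\\m.exe",
              "m.exe privilege::debug sekurlsa::logonpasswords exit"),
    ProcEvent("WS01", "CORP\\alice", "cmd.exe", "C:\\Windows\\System32\\wbem\\WMIC.exe",
              'wmic /node:FS01 process call create "cmd.exe /c whoami"'),
    ProcEvent("FS01", "CORP\\svc-backup", "services.exe", "C:\\Windows\\PSEXESVC.exe",
              "PSEXESVC.exe"),
    ProcEvent("WS02", "CORP\\bob", "explorer.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -NoProfile Get-Process"),
    ProcEvent("WS02", "CORP\\bob", "cmd.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA"),
]

# Placeholder name for the endpoint agent being protected (assumption, not a real product).
PROTECTED_AGENTS = {"edragent.exe"}

# PowerShell -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I)

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def match_rules(ev: ProcEvent) -> list:
    """Names of every illustrative rule this event trips (empty list if none)."""
    img, cmd = basename(ev.image), ev.cmdline.lower()
    hits = []
    if "sekurlsa::" in cmd or "lsadump::" in cmd:     # Mimikatz module syntax, whatever the binary is renamed to
        hits.append("mimikatz_cmdline")
    if img == "processhacker.exe":                      # the tool the article says is used to kill security agents
        hits.append("process_hacker")
    if img == "taskkill.exe" and "/f" in cmd and any(a in cmd for a in PROTECTED_AGENTS):
        hits.append("agent_kill")                       # same goal reached with a built-in tool
    if img == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
        hits.append("wmic_remote_exec")                 # lateral movement via an admin tool
    if img == "psexesvc.exe" and basename(ev.parent) == "services.exe":
        hits.append("psexec_service")                   # PsExec's service binary on the target host
    if img == "powershell.exe" and ENCODED_PS.search(ev.cmdline):
        hits.append("powershell_encoded")
    return hits

def detect(events) -> list:
    """Flat list of (host, rule, cmdline) alerts, in event order."""
    return [(ev.host, rule, ev.cmdline) for ev in events for rule in match_rules(ev)]

def rules_per_host(events) -> dict:
    seen = defaultdict(set)
    for host, rule, _ in detect(events):
        seen[host].add(rule)
    return dict(seen)

def hosts_to_escalate(events, min_distinct_rules: int = 2) -> list:
    """One LOLBin hit is noise on its own; several distinct stages on the same host
    (tool drop, agent kill, credential dump, remote exec) is the precursor chain."""
    return sorted(h for h, rules in rules_per_host(events).items()
                  if len(rules) >= min_distinct_rules)

if __name__ == "__main__":
    for host, rule, cmd in detect(EVENTS):
        print(f"{host:5} {rule:19} {cmd}")
    print("escalate:", hosts_to_escalate(EVENTS))
```

Matching Mimikatz on its module syntax rather than on the file name matters because the binary is routinely renamed (here it is m.exe); conversely, the single PsExec and encoded-PowerShell hits on FS01 and WS02 stay below the escalation threshold, since administrators produce those events too, and it is the co-occurrence of stages on one host that distinguishes the pre-ransomware chain from routine administration.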

Goals: large corporations

The profile of a Nefilim victim is relatively broad in terms of location and industry, but the targets tend to be companies with revenues in excess of $1 billion. Most targets are in North and South America, but attacks have also been observed throughout Europe, Asia and Oceania.

Nefilim has managed to keep its victim data leak sites up and running for over a year. The group is also known for publishing its victims' sensitive data over several weeks or even months, with the aim of frightening future victims into paying the ransom.

Its victims are corporations and companies billing at least a billion dollars a year, which makes them difficult targets but enormously attractive for the volume of money and data they handle.