Sophos Victim to Nefilim Ransomware Attack


Threat actors have changed how the typical ransomware attack works: instead of only encrypting data and demanding a ransom in return for decryption, certain attacks now include data theft as well. This constitutes a double threat to organizations, which face not only the danger that their sensitive documents may be revealed to the media but also the loss of access to essential archives. A few ransomware operators are also teaming up to share software and infrastructure to further accelerate the leak-and-extortion operation. Nefilim, which emerged in 2020, is one such strain: if victims do not pay the ransom, it threatens to reveal their information to the public.

Nefilim runs its own leak site, called Corporate Leaks, hosted on the TOR network. The Nefilim ransomware blends data theft with encryption. It primarily targets exposed, poorly secured services such as Remote Desktop Protocol (RDP) and virtual desktop systems. It is one of a growing number of ransomware families, alongside DoppelPaymer and others, that engage in so-called 'secondary extortion': attacks that mix encryption with theft of data and the threat of public disclosure.

In a recent incident, a Nefilim ransomware attack that locked up more than 100 systems stemmed from the compromise of an unmonitored account belonging to an employee who had died three months earlier. The victim company, Sophos, had kept the account active because it was used for several services. Sophos responders traced the initial intrusion to a high-privilege admin account that the attackers had compromised more than four weeks before launching the ransomware. Sophos further stated that the attackers moved quietly through the network, stole domain admin credentials, and located and exfiltrated hundreds of GB of data before deploying any malware that would have revealed their presence.

“The danger is not just keeping outdated and unmonitored accounts active; it is also giving employees greater access rights than they need. Fewer accounts need to be a domain admin than most people think.” 

A forensic review by Sophos showed that the Citrix Storefront 7.15 CU3 build used by Sophos was vulnerable to a critical security flaw (CVE-2019-11634) and four significant issues (CVE-2019-13608, CVE-2020-8269, CVE-2020-8270, CVE-2020-8283). Storefront is an enterprise app store from which employees install approved applications. The attackers used the Citrix installation to gain an initial foothold, then used Remote Desktop Protocol (RDP) logins to the compromised admin account to retain remote access for the attack.

Overall, the Nefilim operators remained inside the victim's network for about a month before deploying the ransomware. Since then, alerts have been configured so that if the domain admin account is used or a new admin account is created, someone is notified and the required action can be taken.
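As an added example (not code from Sophos or from the article), the two controls described above written as a small Python detector over constructed Windows Security-style events: alert on logons by watched privileged accounts, on any new account creation and on additions to privileged groups, plus a sweep for enabled accounts with no recent logon, the situation the deceased employee's account was in. All account names, group watch-lists and event records are hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

# Hypothetical watch-lists: accounts holding domain admin rights, and groups whose
# membership changes should page someone.
PRIVILEGED_ACCOUNTS = {"da-ops", "svc-legacy"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
STALE_AFTER = timedelta(days=90)

# Constructed sample events (JSON lines) loosely modelled on Windows Security
# log IDs: 4624 logon, 4720 user created, 4728/4732 member added to a group.
# Not real data from the incident described in the article.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.1.20"},
    {"EventID": 4624, "TargetUserName": "svc-legacy", "IpAddress": "10.0.5.17"},
    {"EventID": 4720, "TargetUserName": "helpdesk2", "SubjectUserName": "svc-legacy"},
    {"EventID": 4728, "TargetUserName": "Domain Admins", "SubjectUserName": "svc-legacy",
     "MemberName": "CN=helpdesk2,CN=Users,DC=corp,DC=example"},
)]

def detect_privileged_activity(lines):
    """Return one alert dict per event that matches one of the three rules."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        eid, target = ev.get("EventID"), ev.get("TargetUserName", "")
        if eid == 4624 and target in PRIVILEGED_ACCOUNTS:
            alerts.append({"rule": "privileged_logon", "account": target, "from": ev.get("IpAddress")})
        elif eid == 4720:  # every new account gets a human review
            alerts.append({"rule": "account_created", "account": target, "by": ev.get("SubjectUserName")})
        elif eid in (4728, 4732) and target in PRIVILEGED_GROUPS:
            cn = ev.get("MemberName", "").split(",")[0]  # "CN=name,..." -> "CN=name"
            member = cn[3:] if cn.startswith("CN=") else cn
            alerts.append({"rule": "added_to_privileged_group", "account": member,
                           "group": target, "by": ev.get("SubjectUserName")})
    return alerts

def stale_enabled_accounts(directory, now):
    """Enabled accounts with no logon within STALE_AFTER: a leaver's account
    that was kept alive for shared services would show up here."""
    return sorted(a["sam"] for a in directory
                  if a["enabled"] and now - a["lastLogon"] > STALE_AFTER)

# Constructed directory snapshot for the stale-account sweep.
NOW = datetime(2020, 10, 1, tzinfo=timezone.utc)
DIRECTORY = [
    {"sam": "alice", "enabled": True, "lastLogon": NOW - timedelta(days=1)},
    {"sam": "jdoe-former", "enabled": True, "lastLogon": NOW - timedelta(days=120)},
    {"sam": "contractor9", "enabled": False, "lastLogon": NOW - timedelta(days=400)},
]
```

Running `detect_privileged_activity(SAMPLE_EVENTS)` on the constructed events yields three alerts (the privileged logon, the account creation and the Domain Admins addition), and `stale_enabled_accounts(DIRECTORY, NOW)` returns only the still-enabled leaver account.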