This latest one was discovered by researchers at SentinelLabs and has been dubbed Nefilim.
Based on the initial research, it seems to share significant portions of its code base with an older strain, Nemty 2.5.
The two key differences between the two strains are as follows:
- Nefilim’s code does not contain the Ransomware-as-a-Service (RaaS) component found in Nemty 2.5
- Nefilim relies on email communication to arrange ransom payment, rather than routing those through the TOR browser.
The researchers spotted Nefilim in the wild at the end of February of this year (2020). At this point, it’s unclear exactly how the malware is being distributed. The best guess so far is that it is being spread via exposed Remote Desktop Services. However the malware winds up on a target system, once it does its work and encrypts the files on the compromised computer, the victim will see the following note:
“A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted.”
This tactic of threatening to leak stolen data is becoming increasingly common, and as we’ve seen in recent months, it’s not an idle threat. Worse, based on the analysis of the code so far, Nefilim’s encryption appears to be implemented correctly. That means there is currently no free way to recover your files once they have been encrypted.
While this strain isn’t especially widespread at this point, it’s a legitimate threat. It would be a grave mistake to ignore it.