Netfilim uses AES-128 encryption to encrypt victim’s files. An RSA-2048 embedded in the ransomware executable will then encrypt the AES encryption key. The encrypted AES key will then be added to every encrypted key. The ransomware also adds a “NEFILIM” string as a file marker to all encrypted files. The encrypted files will have .NEFILIM appended to their file names (for example, a file called 1.doc would be named 1.doc.NEFILIM).
Incidents Caused by this Malware
- Home appliance giant Whirlpool hit in Nefilim ransomware attack December 5, 2020:
- Toll Group Cyber Attack #2 May 5, 2020: