THREAT ACTOR: Nefilim ransomware gang
Nefilim has been linked to earlier attacks on other large, well-known victims.
Nefilim ransomware uses a combination of AES-128 and RSA-2048 to encrypt the victims’ files. Each file is first encrypted with AES-128, and the AES key is in turn encrypted with an RSA-2048 public key that is embedded in the ransomware executable. Because only the public half of the RSA key pair is present on the victim’s machine, the per-file AES keys cannot be recovered without the operators’ private key. The extension .NEFILIM is appended to the name of every encrypted file, and a NEFILIM file marker is written into each encrypted file. This is how the ransomware gets its name.
Once all files are encrypted, the ransomware drops a ransom note, ‘NEFILIM-DECRYPT.txt’, that instructs the victim on how to recover their files. The note lists several contact email addresses for reaching the operators, and it also warns that the victim’s data will be leaked if the ransom is not paid within seven days.
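The two file-system indicators named above (the .NEFILIM extension plus file marker, and the NEFILIM-DECRYPT.txt ransom note) are what a responder would sweep a host or file share for. The following is an added example for that sweep, written for this page and not taken from any vendor analysis of the sample. The report does not give the marker’s bytes or position, so the script assumes the ASCII string NEFILIM within the last 64 bytes of a file; both values are constants you would adjust after looking at an actual sample. The sample directory tree it builds is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the report above.
ENCRYPTED_EXTENSION = ".NEFILIM"
RANSOM_NOTE_NAME = "NEFILIM-DECRYPT.txt"

# Assumption (the report names a "NEFILIM file marker" but not its bytes or
# position): treat the ASCII string NEFILIM within the last 64 bytes of a
# file as the marker. Adjust both values to match the sample you analysed.
FILE_MARKER = b"NEFILIM"
MARKER_WINDOW = 64


def has_file_marker(path: Path) -> bool:
    """Return True if the assumed marker appears in the file's tail window."""
    try:
        with open(path, "rb") as fh:
            fh.seek(0, os.SEEK_END)
            size = fh.tell()
            fh.seek(max(0, size - MARKER_WINDOW))
            return FILE_MARKER in fh.read()
    except OSError:
        return False


def scan_for_nefilim_indicators(root) -> dict:
    """Walk `root` and collect the indicators described in the report.

    Extension matches without the marker are reported separately: they may be
    a variant with a different marker layout, or an unrelated file that merely
    carries the extension, so they deserve a look rather than an automatic
    verdict.
    """
    root = Path(root)
    encrypted, mismatch, notes, dirs_hit = [], [], [], set()
    for dirpath, _subdirs, files in os.walk(str(root)):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name == RANSOM_NOTE_NAME:
                notes.append(rel)
                dirs_hit.add(rel_dir)
            elif name.upper().endswith(ENCRYPTED_EXTENSION):
                (encrypted if has_file_marker(path) else mismatch).append(rel)
                dirs_hit.add(rel_dir)
    return {
        "encrypted_files": sorted(encrypted),
        "marker_mismatch": sorted(mismatch),
        "ransom_notes": sorted(notes),
        "directories_hit": sorted(dirs_hit),
        "verdict": "likely Nefilim activity" if encrypted or notes else "no indicators found",
    }


def build_sample_tree() -> Path:
    """Constructed sample tree for a demo run; not data from a real incident."""
    root = Path(tempfile.mkdtemp(prefix="nefilim-demo-"))
    (root / "docs").mkdir()
    # Encrypted-looking file: opaque bytes followed by the assumed marker.
    (root / "docs" / "budget.xlsx.NEFILIM").write_bytes(b"\x00" * 256 + FILE_MARKER)
    (root / "docs" / RANSOM_NOTE_NAME).write_text("constructed placeholder note\n")
    (root / "docs" / "readme.txt").write_text("untouched file\n")
    (root / "tmp").mkdir()
    # Carries the extension but not the marker: flagged for review, not counted.
    (root / "tmp" / "odd.NEFILIM").write_bytes(b"no marker here")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    report = scan_for_nefilim_indicators(sample)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it on a real host means pointing `scan_for_nefilim_indicators` at the suspect volume or share instead of the demo tree. The `directories_hit` list is the useful output for scoping: it shows how far encryption progressed, and the `marker_mismatch` bucket keeps files that only look encrypted by name from inflating the count.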