05 May 2020
Is this a new version of Nefilim Ransomware or something different?
Original release date: May 5, 2020
A possible new variant or maybe a different tactic now being used by the Nefilim Ransomware
As originally noted by BleepingComputer, the ransomware going by the name of Nefilim emerged around the end of February 2020. While these threat actors originally deployed a Tor payment site for all of their decryption payments and tools, they later migrated to email-based communications.
What has changed?
It would seem everything has changed with these guys now. While I am not 100% sure this is the Nefilim Ransomware, it would appear that some indications are looking like it.
If this has been identified correctly, and this is in fact Nefilim, then the sample we currently have shows a lot of differences.
Let's break it down
- This threat actor is now using a website called http://corpleaks.net/ to boast about their work.
- Instead of a ransomware note, a new desktop image is now left in its place.
- While I am unsure how older versions of the ransomware process worked, currently there is a sync.exe file that is dropped onto the device. This program will scan the workstation and then actually sync the files collected to a remote server.
Further testing needs to be performed in order to confirm whether this is still Nefilim, a new variant, or a completely different ransomware altogether.
As we learn more, we will provide updates.